Safe Settings requires a GitHub App to authenticate and manage repository settings across your organization. This guide walks you through creating and configuring the app.
Creation Methods
There are two ways to create a GitHub App for Safe Settings:
Manifest Flow (Recommended) - Automated setup using Probot
Manual Creation - Manual configuration in GitHub settings
Method 1: Manifest Flow (Recommended)
The easiest way to create the GitHub App is using the manifest flow, which automatically configures all required permissions.
Clone and set up the Safe Settings repository:
git clone https://github.com/github/safe-settings.git
cd safe-settings/
npm install
Create .env file from the example:
Set the organization variable:
# .env
GH_ORG=your-organization-name
If you’re installing the app in a personal account instead of an organization, leave GH_ORG empty.
Start Safe Settings locally:
The app will start on port 3000.
Create the App via Manifest
Open your browser to: http://localhost:3000/probot
Click the link to create a GitHub App
Follow the GitHub prompts to complete the creation
Download the private key when prompted
After creation, GitHub will provide:
App ID
Webhook Secret
Private Key (downloaded file)
APP_ID=123456
WEBHOOK_SECRET=your-webhook-secret
PRIVATE_KEY="$(cat ~/Downloads/*.private-key.pem | base64)"
Install the GitHub App in your organization:
You must install the app for all repositories in your organization for Safe Settings to work correctly.
Method 2: Manual Creation
If you prefer manual configuration or can’t use the manifest flow:
Navigate to GitHub App Settings
Go to your GitHub account or organization settings:
Personal: https://github.com/settings/apps/new
Organization: https://github.com/organizations/YOUR-ORG/settings/apps/new
Fill in the basic app details:
Field: Value
GitHub App name: safe-settings (or your preferred name)
Homepage URL: https://github.com/github/safe-settings
Webhook URL: Your deployment URL + /api/github/webhooks
Webhook Secret: Generate with: openssl rand -base64 32
For the webhook URL, use your deployment endpoint. For AWS Lambda, this will be your Function URL. For Docker, it might be https://your-domain.com/api/github/webhooks.
Set Repository Permissions
Configure the following repository permissions:
Permission: Access Level
Actions: Read-only
Administration: Read & Write
Checks: Read & Write
Commit statuses: Read & Write
Contents: Read & Write
Custom properties: Read & Write
Environments: Read & Write
Issues: Read & Write
Metadata: Read-only
Pull requests: Read & Write
Variables: Read & Write
Set Organization Permissions
Configure the following organization permissions:
Permission: Access Level
Administration: Read & Write
Custom properties: Admin
Members: Read & Write
Enable the following webhook events:
Branch protection rule
Check run
Check suite
Create
Custom property values
Member
Pull request
Push
Repository
Repository ruleset
Team
Click Create GitHub App to finalize the creation.
Scroll down to Private keys
Click Generate a private key
Save the downloaded .pem file securely
Click the Install App button and select:
All repositories (required)
Your organization or account
Permissions Reference
Here’s the complete permissions configuration needed for Safe Settings:
Repository Permissions
Actions: Read-only
Administration: Read & Write
Checks: Read & Write
Commit statuses: Read & Write
Contents: Read & Write
Custom properties: Read & Write
Environments: Read & Write
Issues: Read & Write
Metadata: Read-only
Pull requests: Read & Write
Variables: Read & Write
Organization Permissions
Administration: Read & Write
Custom properties: Admin
Members: Read & Write
Webhook Events
- Branch protection rule
- Check run
- Check suite
- Create
- Custom property values
- Member
- Pull request
- Push
- Repository
- Repository ruleset
- Team
Webhook Configuration
The webhook URL format depends on your deployment method:
Docker
https://your-domain.com/api/github/webhooks
For local development, use SMEE.io to proxy webhooks to your local machine.
Testing the App
After creating and installing the app:
Verify Installation
Check that the app is installed:
# View installed apps
gh api /orgs/YOUR-ORG/installations
Test Webhook Delivery
Go to your GitHub App settings
Navigate to Advanced tab
Check Recent Deliveries
Verify webhooks are being received
Create Test Repository
Create a test repository to trigger the app:
gh repo create your-org/test-repo --private
Check the Safe Settings logs to verify it processed the event.
Environment Variables
After creating the GitHub App, you’ll have these credentials:
# Required
APP_ID=123456
WEBHOOK_SECRET=your-generated-webhook-secret
PRIVATE_KEY="$(cat private-key.pem | base64)"
# Or use file path
PRIVATE_KEY_PATH=/path/to/private-key.pem
Keep your private key and webhook secret secure. Never commit them to version control.
Base64 Encoding Private Key
For containerized deployments, encode the private key:
macOS/Linux
cat private-key.pem | base64
Updating Webhook URL
If you need to update the webhook URL after deployment:
Via GitHub UI
Go to GitHub App settings
Update Webhook URL
Save changes
Via GitHub CLI
# Requires authenticating as the app (JWT); this endpoint updates the app's webhook config
gh api --method PATCH /app/hook/config \
-f url='https://new-url.com/api/github/webhooks'
Troubleshooting
Webhook Not Receiving Events
Verify webhook URL is correct and accessible
Check Recent Deliveries in app settings for errors
Ensure firewall allows GitHub webhook IPs
Verify WEBHOOK_SECRET matches in both GitHub and your deployment
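To diagnose a WEBHOOK_SECRET mismatch, this added example (not part of Safe Settings or Probot) recomputes the X-Hub-Signature-256 value GitHub attaches to each delivery and reports why a check fails. The function names, the sample secret and the sample body are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// GitHub sends X-Hub-Signature-256: "sha256=" + hex HMAC-SHA256 of the raw body.
function signBody(secret, rawBody) {
  return "sha256=" + crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Hypothetical helper: returns { ok, reason } so a failed delivery can be
// diagnosed instead of only rejected.
function checkDelivery(secret, rawBody, signatureHeader) {
  if (!secret) return { ok: false, reason: "WEBHOOK_SECRET is empty" };
  if (!/^sha256=[0-9a-f]{64}$/.test(signatureHeader || "")) {
    return { ok: false, reason: "missing or malformed X-Hub-Signature-256" };
  }
  const received = Buffer.from(signatureHeader);
  // The regex fixes the header length, so both buffers are always 71 bytes
  // and the constant-time comparison cannot throw on a length mismatch.
  const matches = (s) =>
    crypto.timingSafeEqual(Buffer.from(signBody(s, rawBody)), received);
  if (matches(secret)) return { ok: true, reason: "match" };
  // A secret pasted with a trailing newline or spaces signs differently.
  if (secret !== secret.trim() && matches(secret.trim())) {
    return { ok: false, reason: "secret has surrounding whitespace" };
  }
  return { ok: false, reason: "secret mismatch or body altered" };
}

// Constructed sample delivery (not a real secret or payload).
const SAMPLE_SECRET = "constructed-secret-for-demo";
const SAMPLE_BODY = '{"action":"created","repository":{"name":"test-repo"}}';
const SAMPLE_SIG = signBody(SAMPLE_SECRET, SAMPLE_BODY);
console.log(checkDelivery(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_SIG));
console.log(checkDelivery(SAMPLE_SECRET + "\n", SAMPLE_BODY, SAMPLE_SIG));
```

The signature covers the raw request bytes, so the check has to run before any JSON parsing or re-serialization of the body.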
Authentication Errors
Verify APP_ID is correct
Ensure private key is properly formatted
Check that private key matches the app
Verify app is installed in the organization
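For the private key checks above and the base64 encoding step, this added example (not Safe Settings' own code) decodes a PRIVATE_KEY value, confirms it parses, and computes the SHA-256 fingerprint that can be compared with the one GitHub lists under Private keys in the app settings. loadAppKey and sampleEnvValue are hypothetical names, and the key is a throwaway generated for the demo.

```javascript
const crypto = require("node:crypto");

// Accepts raw PEM or the base64-encoded PEM produced by `cat key.pem | base64`.
function loadAppKey(value) {
  let pem = String(value || "").trim();
  if (!pem.includes("-----BEGIN")) {
    // base64 output may be wrapped across lines; strip whitespace first.
    pem = Buffer.from(pem.replace(/\s+/g, ""), "base64").toString("utf8");
  }
  if (!/-----BEGIN (RSA )?PRIVATE KEY-----/.test(pem)) {
    return { ok: false, reason: "not a PEM private key after decoding" };
  }
  let key;
  try {
    key = crypto.createPrivateKey(pem);
  } catch (err) {
    return { ok: false, reason: "PEM does not parse: " + err.message };
  }
  // Fingerprint = base64(SHA-256(DER-encoded public key)), the same value as
  // openssl rsa -in key.pem -pubout -outform DER | openssl sha256 -binary | openssl base64
  const spki = crypto.createPublicKey(key).export({ type: "spki", format: "der" });
  const fingerprint = crypto.createHash("sha256").update(spki).digest("base64");
  return { ok: true, type: key.asymmetricKeyType, fingerprint };
}

// Constructed sample: a throwaway RSA key encoded as line-wrapped base64.
function sampleEnvValue() {
  const { privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const pem = privateKey.export({ type: "pkcs1", format: "pem" });
  return Buffer.from(pem).toString("base64").replace(/(.{76})/g, "$1\n");
}

console.log(loadAppKey(sampleEnvValue()));
console.log(loadAppKey(Buffer.from("not a key").toString("base64")));
```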
Permission Errors
Verify all required permissions are granted
Check that app is installed for all repositories
Ensure organization permissions are granted (not just repository)
Next Steps
With your GitHub App created, choose a deployment method:
Docker: Deploy with Docker containers
AWS Lambda: Deploy to AWS Lambda
Kubernetes: Deploy to Kubernetes
GitHub Actions: Run with GitHub Actions