Maintenance¶
Ongoing care, key rotation, and lifecycle management for your GitHub Core App.
Regular Tasks¶
| Task | Frequency | Action |
|---|---|---|
| Permission Review | Quarterly | Audit and adjust permissions |
| Key Rotation | Semi-annually | Generate new private key |
| Usage Audit | Monthly | Review audit logs |
| Secret Access | Quarterly | Review who can access secrets |
Key Rotation Process¶
Plan Ahead
An app can have several private keys registered at once, so the safe order is: add the new key, switch the secret, verify, and only then delete the old key. Done in that order the rotation itself causes no outage; still schedule it for a low-activity period so a mistake is cheap to notice and undo.
Step 1: Generate New Key¶
- Navigate to app settings in GitHub
- Scroll to Private keys section
- Click Generate a private key
- Download and secure the new `.pem` file
Step 2: Update Secrets¶
- Navigate to organization/repository secrets
- Update `CORE_APP_PRIVATE_KEY` with the new key contents
- Verify the update saved successfully
Step 3: Verify Authentication¶
```yaml
# Test workflow: mint an installation token with the new key, then make one
# authenticated API call with it. The first step needs an id so the second
# step can reference its token output.
- name: Test new key
  id: token
  uses: actions/create-github-app-token@v1
  with:
    app-id: ${{ secrets.CORE_APP_ID }}
    private-key: ${{ secrets.CORE_APP_PRIVATE_KEY }}
- name: Verify token works
  run: gh api /rate_limit
  env:
    GH_TOKEN: ${{ steps.token.outputs.token }}
```
Step 4: Delete Old Key¶
- Return to app settings
- Find the old private key
- Click Delete next to the old key
- Confirm deletion
Deleting a key only stops new JWTs from being signed with it; installation tokens already issued keep working until they expire (at most one hour). Before deleting, confirm that nothing else (a local script, a secret in another organization) still uses the old key.
Step 5: Document¶
Record in security log:
- Date of rotation
- Who performed rotation
- Verification status
- Any issues encountered
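The Step 3 check can also be run from a workstation, which is useful when you want to prove the downloaded `.pem` is accepted before you touch the secret or delete the old key. The following shell functions are an added example for this page, not the project's own tooling: they mint the app JWT from the PEM with `openssl`, verify it offline against the matching public key, and ask `GET /app` whether GitHub accepts it. They assume `openssl` and `curl` are installed and that the API host is api.github.com. The claim layout (`iat` backdated 60 seconds, `exp` under 10 minutes ahead, `iss` set to the app ID) follows GitHub's documented requirements for app JWTs.

```shell
#!/usr/bin/env sh
# Added example: mint and check a GitHub App JWT from a private key.
# Assumes openssl and curl; api.github.com is assumed as the API host.
set -eu

# base64url without padding, as JWTs require
b64url() {
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# mint_app_jwt APP_ID PEM_PATH [NOW_EPOCH]
# Prints an RS256-signed JWT. iat is backdated 60 s to absorb clock drift;
# exp stays inside GitHub's 10-minute maximum lifetime.
mint_app_jwt() {
  local app_id=$1 pem=$2 now=${3:-$(date +%s)}
  local iat=$((now - 60)) exp=$((now + 540))
  local header payload signing_input sig
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' "$iat" "$exp" "$app_id" | b64url)
  signing_input="$header.$payload"
  sig=$(printf '%s' "$signing_input" | openssl dgst -sha256 -sign "$pem" | b64url)
  printf '%s.%s\n' "$signing_input" "$sig"
}

# verify_app_jwt JWT PUBKEY_PATH
# Offline check of the RS256 signature against the public key that matches the
# PEM you stored in the secret. Returns 0 when the signature verifies.
verify_app_jwt() {
  local jwt=$1 pub=$2
  local signing_input=${jwt%.*} sig=${jwt##*.} sigfile rc
  sigfile=$(mktemp)
  # restore standard alphabet and padding before decoding the signature
  printf '%s' "$sig" | tr '_-' '/+' \
    | awk '{ while (length($0) % 4) $0 = $0 "="; printf "%s", $0 }' \
    | openssl base64 -d -A > "$sigfile"
  if printf '%s' "$signing_input" \
       | openssl dgst -sha256 -verify "$pub" -signature "$sigfile" >/dev/null 2>&1; then
    rc=0
  else
    rc=1
  fi
  rm -f "$sigfile"
  return "$rc"
}

# check_key_against_github APP_ID PEM_PATH
# Live check: prints the HTTP status of GET /app. 200 means GitHub accepted the
# key; 401 means it is not registered on the app (wrong file, or already deleted).
check_key_against_github() {
  local jwt
  jwt=$(mint_app_jwt "$1" "$2")
  curl -sS -o /dev/null -w '%{http_code}\n' \
    -H "Authorization: Bearer $jwt" \
    -H "Accept: application/vnd.github+json" \
    https://api.github.com/app
}
```

Run `check_key_against_github "$APP_ID" new-key.pem` after Step 2 and again with the old PEM after Step 4: the first should return 200 and the second 401, which is the evidence worth recording in Step 5.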
Permission Audits¶
Quarterly Review Checklist¶
- [ ] List all workflows using the app
- [ ] Verify each permission is still needed
- [ ] Remove unused permissions
- [ ] Document permission justification
- [ ] Update internal documentation
Audit Script¶
```bash
# List app permissions (public endpoint; your normal gh login is enough)
gh api /apps/{APP_SLUG} --jq '.permissions'
# List installation repositories. This endpoint authenticates as the installation,
# so run it with GH_TOKEN set to an installation token rather than a user token,
# and paginate or you only see the first 30 repositories.
gh api --paginate /installation/repositories --jq '.repositories[].full_name'
```
Usage Monitoring¶
Audit Log Queries¶
```bash
# App API activity (last 30 days). The organization audit-log API is a
# GitHub Enterprise Cloud feature. gh api switches to POST as soon as -f
# parameters are given, so force GET. `date -d` is GNU date (macOS: date -u -v-30d +%F).
gh api --method GET --paginate "/orgs/{ORG}/audit-log" \
  -f phrase="created:>=$(date -u -d '30 days ago' +%F)" \
  --jq '.[] | select(.actor | contains("app/"))' \
  | head -50
# Inspect the actor field of a raw entry first
# (gh api --method GET "/orgs/{ORG}/audit-log" -F per_page=1) and adjust the
# actor filter to how the app appears in your log.
```
Rate Limit Tracking¶
```bash
# Current rate limit status for whatever token gh is using. To see the app's own
# bucket rather than your user's, run with GH_TOKEN set to one of its installation tokens.
gh api /rate_limit --jq '{
  limit: .rate.limit,
  remaining: .rate.remaining,
  reset: .rate.reset | todate
}'
```
Decommissioning¶
When removing a Core App:
Step 1: Identify Dependencies¶
Inventory everything that authenticates with the app before anything is removed: for each repository in the installation list, search the workflows for `secrets.CORE_APP_ID`, `secrets.CORE_APP_PRIVATE_KEY` and the token-minting action, and ask teams about non-Actions consumers such as local scripts that hold a copy of the key.
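One way to build that inventory from local checkouts, as an added example rather than the project's own tooling: the functions below walk a directory of cloned repositories and print every workflow line that references the Core App, either through `actions/create-github-app-token` or through a `${{ secrets.<NAME> }}` lookup of its secrets. The secret names default to `CORE_APP_ID` and `CORE_APP_PRIVATE_KEY`; the directory layout (one checkout per subdirectory) is this example's assumption.

```shell
#!/usr/bin/env sh
# Added example: find workflows that depend on the Core App before decommissioning.
set -eu

# find_app_consumers DIR [SECRET_NAME...]
# Prints "path:line:match" for each reference found in .github/workflows/*.yml
# or *.yaml under DIR, sorted by path.
find_app_consumers() {
  dir=$1; shift
  [ $# -gt 0 ] || set -- CORE_APP_ID CORE_APP_PRIVATE_KEY
  pattern='actions/create-github-app-token'
  for s in "$@"; do pattern="$pattern|secrets\\.$s"; done
  find "$dir" -type f -path '*/.github/workflows/*' \( -name '*.yml' -o -name '*.yaml' \) \
    | sort \
    | while IFS= read -r f; do
        grep -E -H -n -o "$pattern" "$f" || true   # grep exits 1 for a file with no hits
      done
}

# count_app_consumers DIR [SECRET_NAME...]
# Number of distinct workflow files that reference the app; zero is the goal
# before Step 4.
count_app_consumers() {
  find_app_consumers "$@" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}
```

Reusable workflows called with `secrets: inherit` receive the app's secrets without naming them, so also review callers of any reusable workflow this search flags.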
Step 2: Migration Plan¶
- Identify replacement authentication method
- Update affected workflows
- Test new authentication
- Document migration steps
Step 3: Communication¶
Notify affected teams:
- Date of decommissioning
- Migration instructions
- Support contact
Step 4: Uninstall¶
- Navigate to app settings
- Click Uninstall in the Danger zone
- Confirm uninstallation
Once the app is uninstalled its installation tokens stop working, so the migration in Step 2 must be complete and the dependency list from Step 1 empty before this step.
Step 5: Cleanup¶
- Delete the `CORE_APP_ID` secret
- Delete the `CORE_APP_PRIVATE_KEY` secret
- Delete the app itself (if no longer needed)
Step 6: Verification¶
```bash
# Confirm the migrated workflows still function; test.yml stands for each
# workflow updated in Step 2
gh workflow run test.yml
gh run list --workflow=test.yml --limit=1
```
Maintenance Calendar¶
Suggested Schedule
The monthly usage audit from Regular Tasks continues every month alongside the tasks below.
| Month | Task |
|---|---|
| January | Permission audit |
| March | Key rotation |
| April | Permission audit |
| June | Usage review |
| July | Permission audit |
| September | Key rotation |
| October | Permission audit |
| December | Annual review |
Documentation¶
Maintain these records:
- App configuration details
- Permission justification
- Key rotation history
- Audit findings
- Incident reports
Documentation Location
Store app documentation in a private repository or internal wiki accessible to the infrastructure team.