sourcebot-dev · msukkari · Oct 22, 2025 · Oct 18, 2025 · Oct 18, 2025 · Oct 18, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 - Implement dynamic tab titles for files and folders in browse tab. [#560](https://github.com/sourcebot-dev/sourcebot/pull/560)
+- Added support for passing db connection url as seperate `DATABASE_HOST`, `DATABASE_USERNAME`, `DATABASE_PASSWORD`, `DATABASE_NAME`, and `DATABASE_ARGS` env vars. [#545](https://github.com/sourcebot-dev/sourcebot/pull/545)
+- Added support for GitHub Apps for service auth. [#570](https://github.com/sourcebot-dev/sourcebot/pull/570)
 
 ### Fixed
 - Fixed "dubious ownership" errors when cloning / fetching repos. [#553](https://github.com/sourcebot-dev/sourcebot/pull/553)
@@ -27,9 +29,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Removed spam "login page loaded" log. [#552](https://github.com/sourcebot-dev/sourcebot/pull/552)
 - Removed connections management page. [#563](https://github.com/sourcebot-dev/sourcebot/pull/563)
 
-### Added
-- Added support for passing db connection url as seperate `DATABASE_HOST`, `DATABASE_USERNAME`, `DATABASE_PASSWORD`, `DATABASE_NAME`, and `DATABASE_ARGS` env vars. [#545](https://github.com/sourcebot-dev/sourcebot/pull/545)
-
 ## [4.7.3] - 2025-09-29
 
 ### Fixed

diff --git a/docs/docs/configuration/auth/overview.mdx b/docs/docs/configuration/auth/overview.mdx
@@ -10,7 +10,7 @@ Sourcebot's built-in authentication system gates your deployment, and allows adm
     <Card horizontal title="Authentication providers" icon="lock" href="/docs/configuration/auth/providers">
         Configure additional authentication providers for your deployment.
     </Card>
-    <Card horizontal title="Inviting members" icon="user" href="/docs/configuration/auth/inviting-members">
+    <Card horizontal title="Access settings" icon="user" href="/docs/configuration/auth/access-settings">
         Learn how to configure how members join your deployment.
     </Card>
     <Card horizontal title="Roles and permissions" icon="shield" href="/docs/configuration/auth/roles-and-permissions">

diff --git a/docs/docs/configuration/auth/providers.mdx b/docs/docs/configuration/auth/providers.mdx
@@ -33,6 +33,13 @@ The following authentication providers require an [enterprise license](/docs/lic
 
 [Auth.js GitHub Provider Docs](https://authjs.dev/getting-started/providers/github)
 
+Authentication using both a **GitHub OAuth App** and a **GitHub App** is supported. In both cases, you must provide Sourcebot the `CLIENT_ID` and `SECRET_ID` and configure the 
+callback URL correctly (more info in Auth.js docs). 
+
+When using a **GitHub App** for auth, enable the following permissions:
+- `“Email addresses” account permissions (read)`
+- `"Metadata" repository permissions (read)` (only needed if enabling [permission syncing](/docs/features/permission-syncing))
+
 **Required environment variables:**
 - `AUTH_EE_GITHUB_CLIENT_ID`
 - `AUTH_EE_GITHUB_CLIENT_SECRET`

diff --git a/docs/docs/configuration/environment-variables.mdx b/docs/docs/configuration/environment-variables.mdx
@@ -62,9 +62,9 @@ The following environment variables allow you to configure your Sourcebot deploy
 ### Review Agent Environment Variables
 | Variable | Default | Description |
 | :------- | :------ | :---------- |
-| `GITHUB_APP_ID` | `-` | <p>The GitHub App ID used for review agent authentication.</p> |
-| `GITHUB_APP_PRIVATE_KEY_PATH` | `-` | <p>The container relative path to the private key file for the GitHub App used by the review agent.</p> |
-| `GITHUB_APP_WEBHOOK_SECRET` | `-` | <p>The webhook secret for the GitHub App used by the review agent.</p> |
+| `GITHUB_REVIEW_AGENT_APP_ID` | `-` | <p>The GitHub App ID used for review agent authentication.</p> |
+| `GITHUB_REVIEW_AGENT_APP_PRIVATE_KEY_PATH` | `-` | <p>The container relative path to the private key file for the GitHub App used by the review agent.</p> |
+| `GITHUB_REVIEW_AGENT_APP_WEBHOOK_SECRET` | `-` | <p>The webhook secret for the GitHub App used by the review agent.</p> |
 | `OPENAI_API_KEY` | `-` | <p>The OpenAI API key used by the review agent.</p> |
 | `REVIEW_AGENT_API_KEY` | `-` | <p>The Sourcebot API key used by the review agent.</p> |
 | `REVIEW_AGENT_AUTO_REVIEW_ENABLED` | `false` | <p>Enables/disables automatic code reviews by the review agent.</p> |

diff --git a/docs/docs/features/agents/review-agent.mdx b/docs/docs/features/agents/review-agent.mdx
@@ -44,9 +44,9 @@ Before you get started, make sure you have an OpenAPI account that you can creat
     <Step title="Configure the environment variables in Sourcebot">
         Sourcebot requires the following environment variables to begin reviewing PRs through your new GitHub app:
 
-        - `GITHUB_APP_ID`: The client ID of your GitHub app. Can be found in your [app settings](https://docs.github.com/en/apps/creating-github-apps/writing-code-for-a-github-app/quickstart#navigate-to-your-app-settings)
-        - `GITHUB_APP_WEBHOOK_SECRET`: The webhook secret you defined in your GitHub app. Can be found in your [app settings](https://docs.github.com/en/apps/creating-github-apps/writing-code-for-a-github-app/quickstart#navigate-to-your-app-settings)
-        - `GITHUB_APP_PRIVATE_KEY_PATH`: The path to your app's private key. If you're running Sourcebot from a container, this is the path to this file from within your container
+        - `GITHUB_REVIEW_AGENT_APP_ID`: The client ID of your GitHub app. Can be found in your [app settings](https://docs.github.com/en/apps/creating-github-apps/writing-code-for-a-github-app/quickstart#navigate-to-your-app-settings)
+        - `GITHUB_REVIEW_AGENT_APP_WEBHOOK_SECRET`: The webhook secret you defined in your GitHub app. Can be found in your [app settings](https://docs.github.com/en/apps/creating-github-apps/writing-code-for-a-github-app/quickstart#navigate-to-your-app-settings)
+        - `GITHUB_REVIEW_AGENT_APP_PRIVATE_KEY_PATH`: The path to your app's private key. If you're running Sourcebot from a container, this is the path to this file from within your container
         (ex `/data/review-agent-key.pem`). You must copy the private key file into the directory you mount to Sourcebot (similar to the config file). 
 
         You can generate a private key file for your app in the [app settings](https://docs.github.com/en/apps/creating-github-apps/writing-code-for-a-github-app/quickstart#navigate-to-your-app-settings). You must copy this private key file into the
@@ -74,9 +74,9 @@ Before you get started, make sure you have an OpenAPI account that you can creat
                     - "/Users/michael/sourcebot_review_agent_workspace:/data"
                 environment:
                     CONFIG_PATH: "/data/config.json"
-                    GITHUB_APP_ID: "my-github-app-id"
-                    GITHUB_APP_WEBHOOK_SECRET: "my-github-app-webhook-secret"
-                    GITHUB_APP_PRIVATE_KEY_PATH: "/data/review-agent-key.pem"
+                    GITHUB_REVIEW_AGENT_APP_ID: "my-github-app-id"
+                    GITHUB_REVIEW_AGENT_APP_WEBHOOK_SECRET: "my-github-app-webhook-secret"
+                    GITHUB_REVIEW_AGENT_APP_PRIVATE_KEY_PATH: "/data/review-agent-key.pem"
                     REVIEW_AGENT_API_KEY: "sourcebot-my-key"
                     OPENAI_API_KEY: "sk-proj-my-open-api-key"
         ```

diff --git a/docs/snippets/schemas/v3/app.schema.mdx b/docs/snippets/schemas/v3/app.schema.mdx
@@ -0,0 +1,82 @@
+{/* THIS IS A AUTO-GENERATED FILE. DO NOT MODIFY MANUALLY! */}
+```json
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "AppConfig",
+  "oneOf": [
+    {
+      "$schema": "http://json-schema.org/draft-07/schema#",
+      "type": "object",
+      "title": "GithubAppConfig",
+      "properties": {
+        "type": {
+          "const": "githubApp",
+          "description": "GitHub App Configuration"
+        },
+        "deploymentHostname": {
+          "type": "string",
+          "format": "hostname",
+          "default": "github.com",
+          "description": "The hostname of the GitHub App deployment.",
+          "examples": [
+            "github.com",
+            "github.example.com"
+          ]
+        },
+        "id": {
+          "type": "string",
+          "description": "The ID of the GitHub App."
+        },
+        "privateKey": {
+          "description": "The private key of the GitHub App.",
+          "anyOf": [
+            {
+              "type": "object",
+              "properties": {
+                "secret": {
+                  "type": "string",
+                  "description": "The name of the secret that contains the token."
+                }
+              },
+              "required": [
+                "secret"
+              ],
+              "additionalProperties": false
+            },
+            {
+              "type": "object",
+              "properties": {
+                "env": {
+                  "type": "string",
+                  "description": "The name of the environment variable that contains the token. Only supported in declarative connection configs."
+                }
+              },
+              "required": [
+                "env"
+              ],
+              "additionalProperties": false
+            }
+          ]
+        }
+      },
+      "required": [
+        "type",
+        "id"
+      ],
+      "oneOf": [
+        {
+          "required": [
+            "privateKey"
+          ]
+        },
+        {
+          "required": [
+            "privateKeyPath"
+          ]
+        }
+      ],
+      "additionalProperties": false
+    }
+  ]
+}
+```
diff --git a/docs/snippets/schemas/v3/githubApp.schema.mdx b/docs/snippets/schemas/v3/githubApp.schema.mdx
@@ -0,0 +1,76 @@
+{/* THIS IS A AUTO-GENERATED FILE. DO NOT MODIFY MANUALLY! */}
+```json
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "type": "object",
+  "title": "GithubAppConfig",
+  "properties": {
+    "type": {
+      "const": "githubApp",
+      "description": "GitHub App Configuration"
+    },
+    "deploymentHostname": {
+      "type": "string",
+      "format": "hostname",
+      "default": "github.com",
+      "description": "The hostname of the GitHub App deployment.",
+      "examples": [
+        "github.com",
+        "github.example.com"
+      ]
+    },
+    "id": {
+      "type": "string",
+      "description": "The ID of the GitHub App."
+    },
+    "privateKey": {
+      "description": "The private key of the GitHub App.",
+      "anyOf": [
+        {
+          "type": "object",
+          "properties": {
+            "secret": {
+              "type": "string",
+              "description": "The name of the secret that contains the token."
+            }
+          },
+          "required": [
+            "secret"
+          ],
+          "additionalProperties": false
+        },
+        {
+          "type": "object",
+          "properties": {
+            "env": {
+              "type": "string",
+              "description": "The name of the environment variable that contains the token. Only supported in declarative connection configs."
+            }
+          },
+          "required": [
+            "env"
+          ],
+          "additionalProperties": false
+        }
+      ]
+    }
+  },
+  "required": [
+    "type",
+    "id"
+  ],
+  "oneOf": [
+    {
+      "required": [
+        "privateKey"
+      ]
+    },
+    {
+      "required": [
+        "privateKeyPath"
+      ]
+    }
+  ],
+  "additionalProperties": false
+}
+```
diff --git a/docs/snippets/schemas/v3/index.schema.mdx b/docs/snippets/schemas/v3/index.schema.mdx
@@ -4273,6 +4273,89 @@
           }
         ]
       }
+    },
+    "apps": {
+      "type": "array",
+      "description": "Defines a collection of apps that are available to Sourcebot.",
+      "items": {
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "title": "AppConfig",
+        "oneOf": [
+          {
+            "$schema": "http://json-schema.org/draft-07/schema#",
+            "type": "object",
+            "title": "GithubAppConfig",
+            "properties": {
+              "type": {
+                "const": "githubApp",
+                "description": "GitHub App Configuration"
+              },
+              "deploymentHostname": {
+                "type": "string",
+                "format": "hostname",
+                "default": "github.com",
+                "description": "The hostname of the GitHub App deployment.",
+                "examples": [
+                  "github.com",
+                  "github.example.com"
+                ]
+              },
+              "id": {
+                "type": "string",
+                "description": "The ID of the GitHub App."
+              },
+              "privateKey": {
+                "anyOf": [
+                  {
+                    "type": "object",
+                    "properties": {
+                      "secret": {
+                        "type": "string",
+                        "description": "The name of the secret that contains the token."
+                      }
+                    },
+                    "required": [
+                      "secret"
+                    ],
+                    "additionalProperties": false
+                  },
+                  {
+                    "type": "object",
+                    "properties": {
+                      "env": {
+                        "type": "string",
+                        "description": "The name of the environment variable that contains the token. Only supported in declarative connection configs."
+                      }
+                    },
+                    "required": [
+                      "env"
+                    ],
+                    "additionalProperties": false
+                  }
+                ],
+                "description": "The private key of the GitHub App."
+              }
+            },
+            "required": [
+              "type",
+              "id"
+            ],
+            "oneOf": [
+              {
+                "required": [
+                  "privateKey"
+                ]
+              },
+              {
+                "required": [
+                  "privateKeyPath"
+                ]
+              }
+            ],
+            "additionalProperties": false
+          }
+        ]
+      }
     }
   },
   "additionalProperties": false

diff --git a/packages/backend/package.json b/packages/backend/package.json
@@ -24,6 +24,7 @@
     "dependencies": {
         "@coderabbitai/bitbucket": "^1.1.3",
         "@gitbeaker/rest": "^40.5.1",
+        "@octokit/app": "^16.1.1",
         "@octokit/rest": "^21.0.2",
         "@sentry/cli": "^2.42.2",
         "@sentry/node": "^9.3.0",