This guide walks you through creating and configuring a GitHub App for Jules Task Queue.
GitHub Apps provide a more secure and scalable way to integrate with GitHub repositories compared to personal access tokens. With a GitHub App:
- Users can install your app on specific repositories
- The app only gets permissions for repositories where it's installed
- Webhooks are automatically configured when the app is installed
- Token management is handled automatically
- GitHub account with permission to create apps (personal or organization)
- Access to your Jules Task Queue deployment URL
- Basic understanding of GitHub Apps and webhooks
For Personal Account:
- Go to GitHub New App
For Organization:
- Go to your organization settings
- Click "Developer settings" in the left sidebar
- Click "GitHub Apps"
- Click "New GitHub App"
GitHub App name: Jules Task Queue (or your preferred name)
Description:
Automated task queue management for Jules interactions. Monitors issue labels and manages task processing workflows.
Homepage URL:
https://github.com/ihildy/jules-task-queue
User authorization callback URL:
https://YOUR-DOMAIN.com/github-app/success
This URL is where users will be redirected after successfully installing your GitHub App. The Jules Task Queue app includes a styled success page that provides next steps and usage instructions.
Replace your-domain.com with your actual deployment URL:
- Vercel:
https://your-app-name.vercel.app/github-app/success - Firebase:
https://your-backend-id--your-project-id.us-central1.hosted.app/github-app/success - Self-hosted:
https://your-domain.com/github-app/success
User Authorization Options:
- ✅ Expire user authorization tokens - Provides a
refresh_tokenfor updated access tokens when they expire - ✅ Request user authorization (OAuth) during installation - CHECK THIS BOX. This enables the app to request user-level permissions during installation, allowing Jules to respond to automated label changes.
- ⬜ Enable Device Flow - Leave unchecked unless you need device-based authentication
Setup URL (optional):
https://your-domain.com/github-app/success
Post-installation Options:
- ✅ Redirect on update - Redirect users to the 'Setup URL' after installations are updated (e.g. repositories added/removed)
✅ Active - We will deliver event details when this hook is triggered.
Webhook URL:
https://your-domain.com/api/webhooks/github-app
Replace your-domain.com with your actual deployment URL:
- Vercel:
https://your-app-name.vercel.app/api/webhooks/github-app - Firebase:
https://your-backend-id--your-project-id.us-central1.hosted.app/api/webhooks/github-app - Self-hosted:
https://your-domain.com/api/webhooks/github-app
Webhook secret: Generate a strong random string (save this for later)
# Generate a webhook secret **(save this for later)**
openssl rand -hex 32SSL verification: ✅ Enable SSL verification (Recommended for production)
Set the following permissions for your GitHub App:
- Issues:
Read and write- Reason: Read issue details, add comments, manage labels, and automatically create 'jules' and 'jules-queue' labels when installed
- Metadata:
Read(Required by GitHub)- Reason: Access basic repository information and validate repository access
(None required)
(None required)
Subscribe to the following events:
- Issues ✅
- Reason: Detect when 'jules' or 'jules-queue' labels are added/removed
- Issue comments ✅
- Reason: Monitor Jules interactions and comment processing
Where can this GitHub App be installed?
- Select "Any account" for public use
- Select "Only on this account" for personal/organization use only
Click "Create GitHub App" to create your app.
After creating the app:
- Scroll down to the "Private keys" section
- Click "Generate a private key"
- A
.pemfile will be downloaded to your computer - Keep this file secure - it's used to authenticate your app
After creating the app, note down these values (you'll need them for configuration):
- App ID: Found at the top of your app's settings page
- Client ID: Found in the "About" section
- Client Secret: Click "Generate a new client secret" in the "Client secrets" section
- Webhook Secret: The secret you generated in step 1.3
- Private Key: The
.pemfile you downloaded
Add these environment variables to your deployment:
# GitHub App Configuration
NEXT_PUBLIC_GITHUB_APP_ID="123456" # Your App ID
GITHUB_APP_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----
...your private key content...
-----END RSA PRIVATE KEY-----" # Content of your .pem file
GITHUB_APP_WEBHOOK_SECRET="your-webhook-secret"
GITHUB_APP_CLIENT_ID="Iv1.your-client-id" # For OAuth flow to get user access tokens
GITHUB_APP_CLIENT_SECRET="your-client-secret" # For OAuth flow to get user access tokens
GITHUB_APP_CALLBACK_URL="https://your-domain.com/api/auth/callback/github" # Callback URL for OAuthThe private key needs special formatting for environment variables:
Option 1: Base64 Encode (Recommended)
# Encode your private key
base64 -i your-app-name.private-key.pem
# Use the encoded value
GITHUB_APP_PRIVATE_KEY="LS0tLS1CRUdJTi..."Option 2: Inline with Newlines
# Replace actual newlines with \n
GITHUB_APP_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----"- Go to your project settings → Environment Variables
- Add each environment variable
- Redeploy your application
# Set each secret
firebase apphosting:secrets:set NEXT_PUBLIC_GITHUB_APP_ID
firebase apphosting:secrets:set GITHUB_APP_PRIVATE_KEY
firebase apphosting:secrets:set GITHUB_APP_WEBHOOK_SECRET
firebase apphosting:secrets:set GITHUB_APP_CLIENT_ID
firebase apphosting:secrets:set GITHUB_APP_CLIENT_SECRET
# Deploy
firebase deploy --only apphostingAdd to your .env file or environment:
NEXT_PUBLIC_GITHUB_APP_ID="123456"
GITHUB_APP_PRIVATE_KEY="your-private-key-here"
GITHUB_APP_WEBHOOK_SECRET="your-webhook-secret"
GITHUB_APP_CLIENT_ID="Iv1.your-client-id"
GITHUB_APP_CLIENT_SECRET="your-client-secret"- Go to your GitHub App's public page:
https://github.com/apps/your-app-name - Click "Install"
- Choose which repositories to install it on
- Complete the installation
-
Check your app's webhook deliveries in GitHub:
- Go to your app settings
- Click "Advanced" → "Recent Deliveries"
- You should see installation events
-
Check your application logs for webhook processing
- After installing the app, check that the following labels are automatically created:
- jules - Purple label (
#642cc2) for issues that Jules should process - jules-queue - Cyan label (
#00d3f2) for issues queued for Jules processing
- jules - Purple label (
- For installations with many repositories (>10), labels are created in batches with rate limiting to prevent API issues
- If labels weren't created, check your app logs for permission errors
- Create a test issue in a repository where your app is installed
- Add the "jules" label to the issue (should be available in the label dropdown)
- Check that:
- The webhook is received and processed
- A task is created in your database
- The system processes Jules comments correctly
Regularly check your GitHub App's webhook deliveries for failures:
- Go to your app settings
- Click "Advanced" → "Recent Deliveries"
- Investigate any failed deliveries
Track which repositories have your app installed:
- Use the
/api/admin/installationsendpoint (if implemented) - Check your database's
github_installationstable - Monitor installation/uninstallation events in your logs
If you need to add new permissions:
- Update your GitHub App's permissions in settings
- Users will need to approve the new permissions
- Test with updated permissions
- Verify webhook URL is accessible from GitHub
- Check webhook secret matches your configuration
- Ensure app is installed on the target repository
- Check GitHub's webhook delivery logs
- Verify private key format (no extra whitespace, correct newlines)
- Check App ID matches your configuration
- Ensure app has required permissions
- Verify installation is active (not suspended)
- Check app has required repository permissions
- Verify app is installed on the target repository
- Ensure repository is not in a suspended installation
- Verify the app has "Issues: Write" permission
- Check application logs for label creation errors
- Labels may already exist if they were created manually
- Installation events should trigger automatic label creation
- For large repositories (>10), label creation uses batching and rate limiting
Test your GitHub App configuration:
# Test app authentication
curl -H "Authorization: Bearer $(your-jwt-token)" \
https://api.github.com/app
# Test installation access
curl -H "Authorization: Bearer $(installation-token)" \
https://api.github.com/installation/repositories
# Test webhook endpoint
curl -X GET https://your-domain.com/api/webhooks/github-appIf you encounter issues:
- Check the GitHub Apps documentation
- Review your application logs for error messages
- Test webhook deliveries using GitHub's interface
- Verify your environment variables are correctly set
-
Private Key Security
- Never commit private keys to version control
- Use secure environment variable storage
- Rotate keys periodically
-
Webhook Security
- Always verify webhook signatures
- Use strong webhook secrets
- Validate payload structure
-
Permission Minimization
- Only request necessary permissions
- Review permissions regularly
- Use installation-specific tokens
-
Monitoring
- Monitor webhook delivery failures
- Log authentication failures
- Alert on suspicious activity
After setting up your GitHub App:
- Public Listing: Consider making your app publicly available in the GitHub Marketplace
- Enhanced Features: Add OAuth user authentication for personalized experiences
- Analytics: Implement usage analytics and monitoring
- Documentation: Create user-facing documentation for app installation and usage