[Feat] GitHub App Provider

[RichardAnderson]

DISCLAIMER

This is NOT the complete functionality. In order to keep PRs smaller, this PR ONLY handles the registration of a GitHub app within Vito, and manages installs as Source Control records - while the listing of repos and branches DOES work, this PR does NOT include deployments (which are planned to use short-lived tokens, instead of deployment keys), as this will be another major refactor, which will come as part of a separate PR.

Overview

This pull request introduces comprehensive support for managing GitHub App-based source control integrations. It adds new actions for creating, editing, importing, syncing, and removing GitHub App installations, as well as a webhook controller for handling GitHub App events. The update also includes improvements to validation, command-line tools, and scheduled syncing to ensure local state remains consistent with GitHub.

GitHub App integration and management:

• Added CreateGithubAppFromManifest and CreateGithubAppManually actions for registering a GitHub App via manifest or manual input, with validation and error handling.
• Added ImportGithubAppInstallation action to import a GitHub App installation as a SourceControl entry, including logic to update or restore existing records.
• Added RemoveGithubApp action to safely remove a GitHub App and its associated source controls, ensuring no sites are attached.
• Added EditGithubAppSourceControl action for editing the project association of a GitHub App source control.

Synchronization and automation:

• Added SyncGithubAppInstallations action and command (SyncGithubAppInstallationsCommand) to reconcile local installations with those on GitHub, tracking added, removed, and kept installations. Scheduled this sync to run every 4 hours via the console kernel.

Webhook handling:

• Introduced GithubAppWebhookController to handle GitHub App webhook events, including installation creation, deletion, suspension, and repository changes, with signature verification and error logging.

Source control API and validation improvements:

• Updated SourceControlController to delegate editing to the appropriate action based on whether the source control is a GitHub App.
• Improved validation so only connectable providers can be selected when connecting a new source control.
• Prevented deletion of GitHub App source controls from within the application, directing users to uninstall via GitHub instead.
• Made project association logic in editing actions more robust for nullable users.

UI

• Introduces a new Admin section for registering the GitHub application against your instance of vito.
  • Supports automatic registration, where vito handles the registration, setting of permissions, downloading of secrets, etc. however, this requires webhook functionality, and will therefore only work when vito is publically accessible to the internet.
  • Supports manual registration, where the user is guided through the process of creating the app manually in order to register it, this is suitable for non-public or local installations of vito, however, as per the previous PAT implementation, webhook functionality won't work.

Automatic Registration

Manual Registration

[Copilot]

Pull request overview

This PR adds GitHub App-based source control registration and installation management to Vito, including admin UI, provider integration, webhook handling, sync automation, persistence, and tests.

Changes:

• Adds GitHub App model, migrations, actions, provider, admin controller/page, webhook controller, and scheduled sync command.
• Updates source control registration, validation, policies, resources, and UI to account for GitHub App installations.
• Adds tests covering setup, install import, sync, webhook handling, and source-control protections.

Reviewed changes

Copilot reviewed 35 out of 37 changed files in this pull request and generated 11 comments.

Show a summary per file

File	Description
tests/Feature/GithubAppTest.php	Adds feature coverage for GitHub App flows.
resources/js/types/source-control.d.ts	Adds GitHub App source-control metadata types.
resources/js/types/index.d.ts	Extends shared config typings for GitHub App/source-control flags.
resources/js/pages/source-controls/index.tsx	Adds GitHub App install entry point to source controls page.
resources/js/pages/source-controls/components/connect-source-control.tsx	Filters non-connectable providers from manual connect UI.
resources/js/pages/source-controls/components/columns.tsx	Adjusts edit/delete/manage actions for GitHub App source controls.
resources/js/pages/github-app/index.tsx	Adds admin UI for automatic/manual GitHub App setup and management.
resources/js/layouts/admin/layout.tsx	Adds GitHub App admin navigation item.
resources/js/components/copyable-field.tsx	Adds reusable copy-to-clipboard field.
database/migrations/2026_05_16_095752_add_external_identifier_to_source_controls_table.php	Adds external identifier for provider-managed source controls.
database/migrations/2026_05_16_095532_create_github_app_table.php	Adds persisted GitHub App configuration table.
database/factories/SourceControlFactory.php	Adds GitHub App source-control factory state.
database/factories/GithubAppFactory.php	Adds GitHub App factory.
app/SourceControlProviders/GithubApp.php	Adds GitHub App source-control provider implementation.
app/Providers/SourceControlServiceProvider.php	Registers GitHub App source-control provider.
app/Policies/SourceControlPolicy.php	Prevents deleting GitHub App source controls through standard policy.
app/Plugins/RegisterSourceControl.php	Adds connectable/site-usable provider flags.
app/Models/SourceControl.php	Adds GitHub App provider constant and external identifier support.
app/Models/GithubApp.php	Adds GitHub App model with encrypted secrets.
app/Http/Resources/SourceControlResource.php	Exposes GitHub App source-control metadata.
app/Http/Middleware/VerifyCsrfToken.php	Excludes GitHub App webhook endpoint from CSRF.
app/Http/Middleware/HandleInertiaRequests.php	Shares GitHub App installed state with frontend.
app/Http/Controllers/SourceControlController.php	Routes GitHub App source-control edits to specialized action.
app/Http/Controllers/API/SourceControlController.php	Handles GitHub App edits in deprecated project-scoped API.
app/Http/Controllers/API/GithubAppWebhookController.php	Adds GitHub App webhook handling and signature verification.
app/Http/Controllers/Admin/GithubAppController.php	Adds admin routes for setup, install callback, sync, and removal.
app/Console/Kernel.php	Schedules GitHub App installation sync.
app/Console/Commands/SyncGithubAppInstallationsCommand.php	Adds CLI sync command.
app/Actions/SourceControl/EditSourceControl.php	Makes project association more nullable-safe.
app/Actions/SourceControl/DeleteSourceControl.php	Blocks standard deletion of GitHub App source controls.
app/Actions/SourceControl/ConnectSourceControl.php	Validates only connectable providers for manual source-control creation.
app/Actions/GithubApp/SyncGithubAppInstallations.php	Adds remote/local installation reconciliation.
app/Actions/GithubApp/RemoveGithubApp.php	Adds GitHub App removal workflow.
app/Actions/GithubApp/ImportGithubAppInstallation.php	Adds installation import/restore logic.
app/Actions/GithubApp/EditGithubAppSourceControl.php	Adds GitHub App source-control project-scope editing.
app/Actions/GithubApp/CreateGithubAppManually.php	Adds manual GitHub App creation action.
app/Actions/GithubApp/CreateGithubAppFromManifest.php	Adds manifest conversion creation action.

Comments suppressed due to low confidence (2)

app/Http/Controllers/Admin/GithubAppController.php:178

• The manifest only subscribes the app to push, but this PR's webhook controller relies on installation and installation_repositories events to import, delete, suspend, and bust repository caches. Apps created through the automatic flow will not receive those lifecycle events, so local installation state will only be corrected by the periodic sync.

            'default_events' => [
                'push',
            ],

app/Actions/GithubApp/RemoveGithubApp.php:29

• Removing the app deletes the GitHub App source-control rows without clearing their github_app_token_*/repository caches. If the instance is reconfigured and an installation with the same ID is imported before those cache entries expire, the new provider can reuse a stale installation token or repo list from the removed app.

        DB::transaction(function (): void {
            SourceControl::query()
                ->where('provider', SourceControl::PROVIDER_GITHUB_APP)
                ->get()
                ->each(fn (SourceControl $sc) => $sc->forceDelete());