
GitHub App Security Model

Wololo uses a per-org GitHub App model (Pattern B). Understanding why this matters helps you make an informed trust decision about your code.

Pattern A vs Pattern B

Most SaaS platforms use a single shared GitHub App registered under the platform's org. When you click "Install Vercel" or "Install Linear", you're granting their App access to your repos — they hold the credentials.

Wololo uses Pattern B: you register a GitHub App on your own GitHub org. You hold the private key (stored in your GCP Secret Manager). Wololo never sees it.

| Property | Pattern A (shared) | Pattern B (per-org) ← Wololo |
|---|---|---|
| Who holds the private key | Platform (Wololo) | You (your GCP Secret Manager) |
| Repo scope | All repos you grant | Exactly what you select at install time |
| Revocation | Uninstall in GitHub Settings | Uninstall in GitHub Settings or delete key from Secret Manager |
| Audit trail | Platform's logs | Your GitHub org's App activity log |
| Onboarding friction | One click | One extra step (~2 min) |

Token lifecycle

A GitHub App registration is permanent — it never expires. What rotates is the installation token used for API calls:

GitHub App (permanent, registered once on your org)
  └── private_key (in your GCP Secret Manager)
      └── platform signs JWT → exchanges for installation token (1hr TTL)
          ├── agents use token for clone / push / PR
          └── token expires → platform mints a new one automatically
              No human in the loop. No rotation needed.
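
The two steps in that chain, as an added example that is not Wololo's own code: minting the RS256 App JWT GitHub expects (iss/iat/exp claims, signed with the private key) and deciding when to re-mint the one-hour installation token before an agent uses it. The App ID "123456", the throwaway RSA key, and the refresh margin are assumptions for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// mintAppJWT signs the RS256 JWT a GitHub App presents to obtain an installation
// token: iss = App ID, iat backdated 60s for clock skew, exp 9 minutes out
// (GitHub rejects exp more than 10 minutes ahead). key is the App's private key.
func mintAppJWT(key *rsa.PrivateKey, appID string, now time.Time) (string, error) {
	enc := base64.RawURLEncoding
	claims, _ := json.Marshal(map[string]any{ // cannot fail for these value types
		"iss": appID,
		"iat": now.Add(-60 * time.Second).Unix(),
		"exp": now.Add(9 * time.Minute).Unix(),
	})
	signingInput := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// installationToken is what the JWT is exchanged for at POST /app/installations/{id}/access_tokens
// (Authorization: Bearer <jwt>); GitHub returns it with an expires_at about one hour out.
type installationToken struct {
	Token     string
	ExpiresAt time.Time
}

// needsRefresh is the "platform mints a new one automatically" decision: re-mint when nothing
// is cached or the token expires within margin, so an agent never starts a push on a dying token.
func needsRefresh(t *installationToken, now time.Time, margin time.Duration) bool {
	return t == nil || !now.Add(margin).Before(t.ExpiresAt)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key, not a real App key
	jwt, err := mintAppJWT(key, "123456", time.Now())
	fmt.Println(len(jwt) > 0, err)
}
```

The access_tokens request body also accepts `repositories` and `permissions` fields, so each agent's token can be narrowed further than the install-time scope.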

Security properties you get

  • 🔒 You own the private key — it lives in YOUR GCP project, never on Wololo's servers
  • 🔒 Repo scope is explicit — you choose which repos at install time; Wololo cannot touch anything outside that list
  • 🔒 No long-lived tokens — installation tokens expire in 1hr and are auto-refreshed
  • 🔒 Instant revocation — uninstall the App in GitHub settings and all agent access stops immediately
  • 🔒 Audit trail on your terms — GitHub logs every API call the App makes, visible in your org's security log

What happens if I lose the private key?

Delete the key from GCP Secret Manager, go to your GitHub App settings (Developer settings → GitHub Apps → your App → General → Private keys), generate a new one, and upload it to Secret Manager. The App registration itself is unchanged — only the active signing credential rotates. Agents will resume normal operation on the next token refresh.

Dashboard settings for key rotation are planned (#156).

Setup

See GitHub App Setup for the step-by-step walkthrough.