
Hermes plugin for per-agent GitHub App identity, gh/git wrappers, and GitHub App-aware tools.

Project description

Hermes GitHub App Plugin

Hermes plugin for using per-agent GitHub App identities instead of a human gh/SSH identity.

Each Hermes agent runs the same package but is configured with its own GitHub App:

github_app:
  client_id: "Iv1.exampleclientid"
  installation_id: "987654"
  private_key_path: "~/.hermes/secrets/agent-github-app.private-key.pem"
  app_slug: "hermes-agent"

Environment variables with the same meaning are also supported:

  • GITHUB_APP_CLIENT_ID
  • GITHUB_APP_INSTALLATION_ID
  • GITHUB_APP_PRIVATE_KEY_PATH
  • GITHUB_APP_PRIVATE_KEY (PEM contents; useful for CI)

Repository access is bounded by the GitHub App installation in GitHub: an installation token can reach only the repositories selected for that installation, and only with the permissions granted to the app. If an agent should not access a repository, remove that repository from the installation's repository scope.

Client ID vs. installation ID

client_id identifies the GitHub App registration. GitHub recommends using the GitHub App client ID as the JWT iss claim when authenticating as an app. The app JWT is short-lived: GitHub rejects an exp more than 10 minutes after iat, so it should be minted per request rather than cached.

installation_id identifies one installation of that app on a specific user or organization account. It is required when exchanging the app JWT for an installation access token via POST /app/installations/{installation_id}/access_tokens; that installation token, not the JWT, is what actually reads and writes repositories.

In other words: client_id answers "which GitHub App is signing this JWT?" while installation_id answers "which installed copy of that app should this token act as?" The same GitHub App can have multiple installation IDs if it is installed on multiple accounts.

Install

pip install hermes-github-app-plugin
hermes plugins enable github-app
hermes-github-app setup
hermes-github-app doctor --repo OWNER/REPO

setup walks through the required values one by one. Optional prompts are explicitly marked with (optional):

GitHub App client ID:
GitHub App installation ID:
GitHub App private key path:
GitHub App slug (optional):

For scripted installs, pass flags and skip the network verification until secrets are mounted:

hermes-github-app setup --non-interactive --skip-verify \
  --client-id Iv1.exampleclientid \
  --installation-id 987654 \
  --private-key-path ~/.hermes/secrets/agent-github-app.private-key.pem \
  --app-slug hermes-agent

doctor checks local installation state and, unless --skip-network is set, verifies that an installation token can be minted and the optional repository probe is reachable.

CLI and wrappers

hermes-github-app setup
hermes-github-app doctor --repo OWNER/REPO
hermes-github-app status
hermes-github-app token --repo OWNER/REPO
hermes-github-app api --repo OWNER/REPO /repos/OWNER/REPO

gh-app --repo OWNER/REPO pr list -R OWNER/REPO
git-app --repo OWNER/REPO push origin my-branch

gh-app injects an ephemeral installation token as GH_TOKEN and GITHUB_TOKEN for the child gh process. git-app injects a temporary askpass helper so HTTPS Git operations authenticate as the GitHub App installation token without writing credentials into the remote URL.

Migrating existing Hermes skills and jobs

To keep agents from falling back to local human credentials, update existing GitHub-related Hermes skills, cron jobs, and subagent prompts with these rules:

  • Use github_app_* tools for GitHub API operations when possible.
  • Replace authenticated gh ... examples with gh-app --repo OWNER/REPO -- ....
  • Replace git push examples with git-app --repo OWNER/REPO -- push ..., or another HTTPS credential-helper flow backed by a freshly minted installation token.
  • Do not use gh auth status as proof of write identity; it reports local gh credentials and may show a human account.
  • Avoid SSH remotes for bot-managed worktrees. SSH uses local SSH keys, not the GitHub App token.
  • Add a pre-write check with github_app_verify_identity or hermes-github-app status --repo OWNER/REPO.
  • Avoid @me assumptions because the GitHub App bot is not the human operator.
  • Require write summaries to include the returned auth_mode, app_slug, installation_id, repository, operation, and URL/path.
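
The pre-write check and the write summary from the rules above, as an added example (not the plugin's github_app_verify_identity or its tools): identity is proven by the repository probe made with the installation token and by the author GitHub assigns to the created resource, never by gh auth status. The class and function names are assumptions of this example, and the API payloads used are constructed in the shape the REST API returns.

```python
"""Pre-write identity gate and post-write attribution check for bot-managed writes.

Added example, not the plugin's verify_identity implementation. Assumes the
shapes the REST API returns: GET /repos/{owner}/{repo} carries a `permissions`
object reflecting the token in use, and a created issue/PR/comment carries
`user.login` "<slug>[bot]" with `user.type` "Bot" for a GitHub App.
"""
from dataclasses import dataclass


class IdentityCheckFailed(RuntimeError):
    """Raised when a write must not proceed or cannot be attributed to the app."""


@dataclass(frozen=True)
class AppIdentity:
    app_slug: str
    installation_id: str
    auth_mode: str = "github_app"

    @property
    def bot_login(self) -> str:
        return f"{self.app_slug}[bot]"


def parse_repo(repo: str) -> tuple[str, str]:
    owner, sep, name = repo.partition("/")
    if not sep or not owner or not name or "/" in name:
        raise ValueError(f"expected OWNER/REPO, got {repo!r}")
    return owner, name


def precheck_write(probe: dict, repo: str, need_push: bool = True) -> dict:
    """Gate on the repo probe made with the installation token, not on `gh auth status`.

    `probe` is the JSON of GET /repos/OWNER/REPO fetched with the installation
    token; its `permissions` describe what that token can do, so a human gh
    login is never consulted.
    """
    owner, name = parse_repo(repo)
    if probe.get("full_name", "").lower() != f"{owner}/{name}".lower():
        raise IdentityCheckFailed(f"probe answered for {probe.get('full_name')!r}, not {repo!r}")
    if probe.get("archived"):
        raise IdentityCheckFailed(f"{repo} is archived; writes will be rejected")
    perms = probe.get("permissions") or {}
    if need_push and not perms.get("push"):
        raise IdentityCheckFailed(f"installation token has no push permission on {repo}")
    return perms


def verify_attribution(created: dict, ident: AppIdentity) -> None:
    """After a write, confirm GitHub attributed it to the app bot, not a human."""
    user = created.get("user") or {}
    if user.get("type") != "Bot" or user.get("login") != ident.bot_login:
        raise IdentityCheckFailed(
            f"resource attributed to {user.get('login')!r}, expected {ident.bot_login!r}")


def write_summary(ident: AppIdentity, repo: str, operation: str, created: dict) -> dict:
    """The record a skill emits after every write: all fields the rules above require."""
    verify_attribution(created, ident)
    return {
        "auth_mode": ident.auth_mode,
        "app_slug": ident.app_slug,
        "installation_id": ident.installation_id,
        "repository": repo,
        "operation": operation,
        "url": created.get("html_url"),
    }
```

A skill that follows this pattern fails closed: if the probe was made with a leftover human credential the `permissions` and the `[bot]` author will not match the configured app, and the summary is never produced.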

Releasing to PyPI

The package is built with Hatchling and publishes through the CD GitHub Actions workflow using PyPI Trusted Publishing / OIDC. The workflow listens to all pushed tags but only builds and publishes when the tag matches:

^[0-9]+\.[0-9]+\.[0-9]+$

The tag must also match project.version in pyproject.toml.

Before the first release, configure PyPI Trusted Publishing for this repository and workflow:

  • PyPI project name: hermes-github-app-plugin
  • Owner/repository: this GitHub repository
  • Workflow name: cd.yaml
  • Environment name: pypi

Release example:

git tag 0.1.2
git push origin 0.1.2

Tags like v0.1.0, 0.1, or 0.1.0rc1 will not publish.

Hermes tools

The plugin registers these tools:

  • github_app_status
  • github_app_verify_identity
  • github_app_api
  • github_app_graphql
  • github_app_create_issue
  • github_app_comment_issue
  • github_app_create_pr
  • github_app_comment_pr

All mutating tools return auth metadata showing App mode, installation ID, app slug, and target repository.

Download files

Source Distribution

hermes_github_app_plugin-0.1.2.tar.gz (17.8 kB), uploaded as Source

Built Distribution

hermes_github_app_plugin-0.1.2-py3-none-any.whl (18.0 kB), uploaded as Python 3

File details

Details for the file hermes_github_app_plugin-0.1.2.tar.gz.

File metadata

  • Download URL: hermes_github_app_plugin-0.1.2.tar.gz
  • Size: 17.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for hermes_github_app_plugin-0.1.2.tar.gz
Algorithm Hash digest
SHA256 15fc0917c4e735a90c0fd83038fd831eb70e17032260f8bfa1e9677c73d8ea9a
MD5 319105be3925993311dfeb86dfe04f8c
BLAKE2b-256 58f528c377360ee45b232b08f640921795835f60549cbac9bc9eb58171911612


Provenance

The following attestation bundles were made for hermes_github_app_plugin-0.1.2.tar.gz:

Publisher: cd.yaml on PickNikRobotics/hermes_github_app_plugin

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file hermes_github_app_plugin-0.1.2-py3-none-any.whl.

File hashes

Hashes for hermes_github_app_plugin-0.1.2-py3-none-any.whl
Algorithm Hash digest
SHA256 bdea5d86169af91f7cc10b59714bc9737a786bd8c1cfe03b449520b694b74351
MD5 d3d9dbae89f89f209fd6b1466210b65d
BLAKE2b-256 9191581fee9a7a630af76e779bda192bf67846c24d6fa0da7affdc41782f0738


Provenance

The following attestation bundles were made for hermes_github_app_plugin-0.1.2-py3-none-any.whl:

Publisher: cd.yaml on PickNikRobotics/hermes_github_app_plugin

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
