@@ -237,22 +237,127 @@ access to the repository. To push changes back, you still need to add
237237the Hosted Weblate :guilabel: `weblate ` GitHub user as a collaborator with write
238238access, see :ref: `hosted-push `.
239239
240- For self-hosted Weblate, create a GitHub App on each GitHub host you want
241- Weblate to connect to and configure :setting: `GITHUB_APP_CREDENTIALS ` with the
242- app ID, app slug, private key, and webhook secret from that app.
243-
244- When creating the GitHub App, copy :guilabel: `App ID ` from the app settings,
245- use the slug from the app URL as ``app_slug ``, generate a private key and use
246- its PEM contents as ``private_key ``, and choose a webhook secret to store as
247- ``webhook_secret ``.
240+ For self-hosted Weblate, you can either use the in-app registration flow to
241+ create the GitHub App with one click (recommended), or create the App manually
242+ on each GitHub host you want Weblate to connect to and configure
243+ :setting: `GITHUB_APP_CREDENTIALS ` with the app ID, app slug, private key, and
244+ webhook secret from that app.
245+
246+ Registering the GitHub App from Weblate
247+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
248+
249+ The fastest way to add the GitHub App is to let Weblate generate a GitHub App
250+ manifest with the correct permissions, events, and webhook URL pre-filled:
251+
252+ 1. Sign in to Weblate with an account that has management access.
253+ 2. Open :guilabel: `Manage → Connected GitHub accounts → Register Weblate GitHub
254+ App `.
255+ 3. Fill in the form. The :guilabel: `GitHub host ` defaults to ``github.com ``;
256+ change it to your GitHub Enterprise hostname if needed. Leave
257+ :guilabel: `Organization ` blank to register the App under your personal
258+ account, or enter an organization slug to register it under that org.
259+ 4. Click :guilabel: `Continue to GitHub ` and confirm on GitHub's
260+ :guilabel: `Create GitHub App ` page (you can still rename the App there).
261+ 5. GitHub redirects back to Weblate, which exchanges the temporary code for
262+ the App ID, private key, webhook secret, and slug and stores them in the
263+ database. The :guilabel: `Connect GitHub account ` button is available
264+ immediately afterwards.
265+
266+ Database-stored credentials always take precedence over values in
267+ :setting: `GITHUB_APP_CREDENTIALS `, so the in-app flow can be used to update
268+ credentials on a Weblate instance that originally configured the App through
269+ settings.
270+
271+ Registering the GitHub App manually
272+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
273+
274+ Open :guilabel: `Settings → Developer settings → GitHub Apps → New GitHub App `
275+ on the GitHub host where the app should live, and fill in the following:
276+
277+ * :guilabel: `GitHub App name ` — for example ``Weblate ``.
278+ * :guilabel: `Homepage URL ` — your Weblate instance URL.
279+ * :guilabel: `Callback URL ` —
280+ ``https://weblate.example.com/integrations/github/setup/ ``. This is where
281+ GitHub sends users after they pick the account to install on; without it,
282+ GitHub leaves them on the GitHub installation settings page.
283+ * :guilabel: `Redirect on update ` — check this so updates to an existing
284+ installation also redirect to the callback URL above and refresh the cached
285+ repository list in Weblate.
286+ * :guilabel: `Setup URL (optional) ` — same value as the callback URL.
287+ * :guilabel: `Webhook URL ` — ``https://weblate.example.com/hooks/github-app/ ``.
288+ For multiple GitHub hosts add ``?host=github.example.com `` (see the
289+ :ref: `webhook section <code-hosting-github-app-webhook >` below).
290+ * :guilabel: `Webhook secret ` — a long random string. Store the same value as
291+ ``webhook_secret `` in :setting: `GITHUB_APP_CREDENTIALS `.
292+
293+ Required :guilabel: `Repository permissions `:
294+
295+ * :guilabel: `Contents ` — :guilabel: `Read and write ` (clone, push translation
296+ branches).
297+ * :guilabel: `Metadata ` — :guilabel: `Read-only ` (mandatory baseline).
298+ * :guilabel: `Pull requests ` — :guilabel: `Read and write ` (open translation
299+ pull requests).
300+ * :guilabel: `Workflows ` — :guilabel: `Read and write ` (only required if any of
301+ the synced repositories contain GitHub Actions workflow files; otherwise
302+ pushes to those paths are rejected).
303+
304+ Required :guilabel: `Subscribe to events `:
305+
306+ * :guilabel: `Installation target ` and :guilabel: `Meta ` (account/app lifecycle).
307+ * :guilabel: `Push ` (translation source updates).
308+
309+ Choose :guilabel: `Any account ` if you want the app to be installable on other
310+ accounts, or :guilabel: `Only on this account ` to restrict it.
311+
312+ After registering, generate a private key, copy :guilabel: `App ID ` and the slug
313+ from the app URL, and feed all four values into
314+ :setting: `GITHUB_APP_CREDENTIALS `:
315+
316+ .. code-block :: python
317+
318+ GITHUB_APP_CREDENTIALS = {
319+ " github.com"
320+ " app_id" " 12345"
321+ " app_slug" " your-app-slug"
322+ " private_key" " -----BEGIN RSA PRIVATE KEY-----\n ..."
323+ " webhook_secret" " the same secret you set in the app"
324+ },
325+ }
326+
327+
328+ request the app. If an organization is not shown during the install flow, check
329+ the user's organization role and the organization's GitHub App installation
330+ restrictions. On GitHub.com, public apps can be installed on other accounts;
331+ private apps can only be installed on the account that owns the app.
332+
333+ Connecting a workspace
334+ ^^^^^^^^^^^^^^^^^^^^^^
335+
336+ Connected GitHub accounts are bound to a Weblate :ref: `workspace `. A user with
337+ project administration rights for any project in a workspace can connect a
338+ GitHub account on that workspace. After connecting, every project in the
339+ workspace can import components from repositories the app installation has
340+ access to.
341+
342+ Projects that are not in a workspace cannot connect a GitHub App installation.
343+
344+ Components imported through the GitHub App flow use the dedicated
345+ :guilabel: `GitHub (via Weblate GitHub app) ` VCS backend. The component
346+ settings UI keeps the repository URL read-only to prevent the App-issued
347+ credentials from being redirected to an unrelated repository.
348+
349+ .. _code-hosting-github-app-webhook :
350+
351+ App webhook URL
352+ ^^^^^^^^^^^^^^^
248353
249354In the GitHub App webhook settings, enable webhooks and use the Weblate
250- GitHub hook URL as the :guilabel: `Webhook URL `. When Weblate is configured for
251- multiple GitHub hosts, include the GitHub host in the URL query string:
355+ GitHub App hook URL as the :guilabel: `Webhook URL `. When Weblate is configured
356+ for multiple GitHub hosts, include the GitHub host in the URL query string:
252357
253358.. code-block :: text
254359
255- https://weblate.example.com/hooks/github/?host=github.example.com
360+ https://weblate.example.com/hooks/github-app /?host=github.example.com
256361
257362host `` value has to match the host key in :setting: `GITHUB_APP_CREDENTIALS `.
258363Use ``github.com `` for GitHub.com and the web hostname for GitHub Enterprise
@@ -284,6 +389,7 @@ types and consumes just the :guilabel:`push` event.
284389.. seealso ::
285390
286391 * :http:post: `/hooks/github/ `
392+ * :http:post: `/hooks/github-app/ `
287393 * :setting: `GITHUB_APP_CREDENTIALS `
288394 * :ref: `hosted-push `
289395
0 commit comments