Single Source

One repository registry powers release correlation, dependency backfill, CVE context, and onboarding issue automation.

Polling First

Default integration uses GitHub read APIs with conditional requests for efficient, approval-friendly operation.

Realtime Optional

Realtime push/webhook support is optional and managed with explicit API key lifecycle controls.

What This Page Controls

Repositories configured here are reused across onboarding, CVE enrichment, release metadata, and repo-health context.

  • Owner/repository values are normalized to avoid duplicate integrations.
  • Repo-scoped PATs can be stored for private-repo reads.
  • Release rows and dependency metadata use this mapping for version-scoped CVE analysis.

Integration Modes

Mode A: Polling (default)

  • No CI workflow edits required.
  • Sobs queries GitHub using conditional GETs (`ETag` / `If-None-Match`) to keep polling efficient.
  • Best when CI outbound integrations are restricted or pending approval.
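
The conditional polling described in Mode A, as an added example that is not Sobs code: a small Python poller that replays the last `ETag` in `If-None-Match` and treats `304 Not Modified` as "no change". `ConditionalPoller` and `demo` are hypothetical names, and `FakeGitHub`, the `example-org/example-repo` URL and the release bodies are constructed so the block runs offline.

```python
import io
import urllib.error
import urllib.request

class ConditionalPoller:
    """Polls URLs with If-None-Match so unchanged resources come back as 304."""
    def __init__(self, opener=urllib.request.urlopen):
        self._opener = opener   # injectable so the demo below runs offline
        self._seen = {}         # url -> (etag, body) from the last 200 response

    def poll(self, url, token=None):
        """Return (changed, body); body is the cached copy when unchanged."""
        req = urllib.request.Request(url)
        if token:               # read-only PAT: header only, never in URLs or logs
            req.add_header("Authorization", f"Bearer {token}")
        if url in self._seen:
            req.add_header("If-None-Match", self._seen[url][0])
        try:
            with self._opener(req) as resp:
                body, etag = resp.read(), resp.headers.get("ETag")
        except urllib.error.HTTPError as err:
            if err.code == 304:     # urllib surfaces 304 as HTTPError
                return False, self._seen[url][1]
            raise                   # e.g. 401/403: surface it, do not poll on silently
        if etag:
            self._seen[url] = (etag, body)
        return True, body

class FakeGitHub:
    """Constructed stand-in for the API: one resource with a changeable ETag."""
    def __init__(self):
        self.etag, self.body, self.full_responses = '"r1"', b'{"tag_name":"v1.0.0"}', 0

    def __call__(self, req):
        if req.get_header("If-none-match") == self.etag:  # urllib capitalizes keys
            raise urllib.error.HTTPError(req.full_url, 304, "Not Modified", {}, io.BytesIO())
        self.full_responses += 1
        resp = io.BytesIO(self.body)    # context manager with read()
        resp.headers = {"ETag": self.etag}
        return resp

def demo():
    api = FakeGitHub()
    poller = ConditionalPoller(opener=api)
    url = "https://api.github.com/repos/example-org/example-repo/releases/latest"  # constructed
    changed = [poller.poll(url)[0], poller.poll(url)[0]]   # first fetch, then unchanged
    api.etag, api.body = '"r2"', b'{"tag_name":"v1.1.0"}'  # simulate a new release
    changed.append(poller.poll(url)[0])
    return changed, api.full_responses
```

With the default opener the same class talks to the real API, where authorized conditional requests answered with 304 do not count against the primary rate limit. Re-raising 401/403 instead of swallowing them is what turns an expired or under-scoped PAT into a visible error rather than a silent enrichment gap.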

Mode B: Realtime Push (optional)

  • CI pushes release metadata to Sobs using a managed ingest API key.
  • Optional webhook setup can reduce refresh latency further.
  • Keep polling enabled as a fallback in case the webhook or CI push fails.

Token And Key Lifecycle

  • GitHub PAT: used for read operations (repo inspection, runs/checks, metadata retrieval).
  • Sobs ingest API key: used only when realtime CI push mode is enabled.
  • Rotate ingest keys periodically and set finite expiry windows.
  • Revoke ingest keys immediately when ownership, CI pipelines, or trust boundaries change.
  • Validate PAT status after updates to avoid silent enrichment gaps.

Why Manual Realtime Setup Exists

Automated CI recommendations can still fail in enterprise GitHub environments. Common causes:

  • Workflow secrets are blocked by environment or branch protections.
  • Organization policies require manual approval for outbound destinations.
  • Fork and contributor protections suppress secret access in CI.
  • Network egress controls block calls from runners to Sobs endpoints.

Realtime Setup Runbook

  1. Enable realtime support per repository from that repository's Manage row.
  2. Rotate or generate a CI ingest API key per repository and copy each key once.
  3. Add CI secrets: SOBS_URL, SOBS_INGEST_API_KEY, SOBS_APP_ID.
  4. Add the provided curl release-registration step to CI.
  5. Optionally configure a GitHub webhook for push/workflow events.
  6. Verify data flow by confirming new releases and CVE context in Sobs.

Troubleshooting

  • If polling appears stale, validate PAT permissions and token expiry first.
  • If realtime push fails, confirm ingest key validity, expiry state, and CI secret injection.
  • If webhook deliveries fail, inspect the webhook delivery logs and keep the polling fallback enabled.
  • If releases do not appear, verify app ID usage and version naming consistency in CI payloads.