A minimal bash script for deploying private GitHub repositories to a server using a GitHub App — no deploy keys, no personal access tokens.
- Generates a short-lived JWT from your GitHub App credentials
- Exchanges it for an installation token (valid ~1 hour)
- Clones or pulls the target repository
- Clears the token from the remote URL immediately after

bash, git, curl, openssl

- GitHub → Your Org → Settings → Developer Settings → GitHub Apps → New GitHub App
- Disable webhooks
- Permissions → Repository → Contents: Read-only
- After creating: note the App ID and generate a private key
- GitHub App page → Install → select the target repository
- Note the Installation ID from the URL after installing:
https://github.com/organizations/your-org/settings/installations/12345678
```bash
curl -fsSL https://raw.githubusercontent.com/iMargusLabs/github-deploy/main/github-deploy.sh \
  -o /usr/local/bin/github-deploy.sh
chmod +x /usr/local/bin/github-deploy.sh
```

```bash
mkdir -p /etc/github-deploy
cp your-app.pem /etc/github-deploy/private-key.pem
chmod 600 /etc/github-deploy/private-key.pem
cp .env.example /etc/github-deploy/.env
# edit /etc/github-deploy/.env
```

`.env` reference:

```
GITHUB_APP_ID=123456
GITHUB_INSTALLATION_ID=78901234
GITHUB_APP_PRIVATE_KEY_PATH=/etc/github-deploy/private-key.pem
REPO=org/repo-name
BRANCH=main
DEPLOY_PATH=/opt/deploy
```

```bash
github-deploy.sh
```

Override the env file location if needed:

```bash
ENV_FILE=/custom/path/.env github-deploy.sh
```

```
0 * * * * /usr/local/bin/github-deploy.sh >> /var/log/github-deploy.log 2>&1
```

- The private key should be readable only by root: `chmod 600 /etc/github-deploy/private-key.pem`
- The `.env` file should also be restricted: `chmod 600 /etc/github-deploy/.env`
- Installation tokens are short-lived and cleared from the git remote immediately after use
- The GitHub App has read-only access scoped to specific repositories only
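
The four steps listed at the top (JWT, installation token, clone or pull, clearing the remote) as an added bash sketch; it is not the project's `github-deploy.sh`. It assumes GitHub's `POST /app/installations/{id}/access_tokens` endpoint and the `x-access-token` HTTPS username, reuses the variable names from the `.env` reference, and all function names are made up for this example.

```bash
#!/usr/bin/env bash
# Added sketch of the four steps above; NOT the project's github-deploy.sh.
set -euo pipefail

b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }
# Step 1: RS256 app JWT; iat backdated 60 s for clock skew, exp 9 min ahead.
make_app_jwt() {  # <app_id> <private_key_pem>
  local now hdr body sig
  now=$(date +%s)
  hdr=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  body=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' \
    $((now - 60)) $((now + 540)) "$1" | b64url)
  sig=$(printf '%s.%s' "$hdr" "$body" |
    openssl dgst -sha256 -sign "$2" -binary | b64url)
  printf '%s.%s.%s\n' "$hdr" "$body" "$sig"
}

# Extract the "token" field with sed, since jq is not among the page's tools.
parse_token() { sed -n 's/.*"token": *"\([^"]*\)".*/\1/p'; }
# Step 2: exchange the JWT for an installation token (needs network).
installation_token() {  # <jwt> <installation_id>
  curl -fsS -X POST -H "Authorization: Bearer $1" \
    -H "Accept: application/vnd.github+json" \
    "https://api.github.com/app/installations/$2/access_tokens" | parse_token
}

# Step 4: reset origin to a credential-free URL; no-op if nothing was cloned.
scrub_remote() {  # <repo_dir> <org/repo>
  [ -d "$1/.git" ] || return 0
  git -C "$1" remote set-url origin "https://github.com/$2.git"
}

# Steps 1-4, driven by the variables from the page's .env reference.
deploy() {
  local jwt token url rc=0
  jwt=$(make_app_jwt "$GITHUB_APP_ID" "$GITHUB_APP_PRIVATE_KEY_PATH")
  token=$(installation_token "$jwt" "$GITHUB_INSTALLATION_ID")
  [ -n "$token" ] || { echo "no installation token returned" >&2; return 1; }
  url="https://x-access-token:${token}@github.com/${REPO}.git"
  if [ -d "$DEPLOY_PATH/.git" ]; then
    git -C "$DEPLOY_PATH" remote set-url origin "$url"
    git -C "$DEPLOY_PATH" pull --ff-only origin "$BRANCH" || rc=$?
  else
    git clone --branch "$BRANCH" "$url" "$DEPLOY_PATH" || rc=$?
  fi
  scrub_remote "$DEPLOY_PATH" "$REPO"  # runs even when the git step failed
  return "$rc"
}
if [ "${1:-}" = deploy ]; then deploy; fi
```

While the clone or pull runs, the token is visible in the git process arguments and in `.git/config`, so the clearing step has to run on the failure path as well, which is why `scrub_remote` is called unconditionally.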