# GitHub repository provisioning
Propagate forks upstream Prisma app repos into the operator’s target GitHub organisation before linking them to Vercel.
## Objective

For each selected app, create (or reuse) a fork of the upstream repository in `provider.github.targetOrg`. The fork naming convention is:

```
{deployment.slug}-{appSlug}
```

Example: `acme-corp-timelining` in org `client-org`.
## Authentication

Forking uses the Propagate GitHub App installed on the target org, not an operator PAT.

During `propagate create`, `propagate apply`, or `propagate auth github`, the operator installs the app via a browser flow on propagate.prisma.events. The CLI stores the installation record in `.propagate/credentials.json`:

```json
{
  "github": {
    "installationId": 12345678,
    "targetOrg": "client-org",
    "credentialRef": "...",
    "installedAt": "..."
  }
}
```

At `apply` and `destroy`, the CLI requests a short-lived installation access token from the auth server and passes it to Pulumi as `GITHUB_TOKEN`. The token is scoped to the installed org and expires after ~1 hour.
The app must have permission to create and delete repositories in the target organisation. Public upstream repos (`prisma-collective/*`) do not require a separate install on the source org.
## Implementation

Forking is handled by a Pulumi dynamic resource (`GitHubFork` in `packages/infra`) that calls the GitHub REST API:

```
POST /repos/{owner}/{repo}/forks
```

with `organization` set to the target org.
## Flow

- CLI ensures the GitHub App is installed on `provider.github.targetOrg`
- CLI mints an installation token from the auth server
- Pulumi `GitHubFork` checks whether `{targetOrg}/{forkName}` already exists; reuse it if so
- Otherwise fork from the upstream `sourceUrl` (from `catalog/apps.yaml`)
- Return `fullName`, `htmlUrl`, and `defaultBranch` as Pulumi outputs
- Vercel project links to the forked repo via `gitRepository`
## What was removed

These earlier approaches are no longer used:

| Approach | Status |
|---|---|
| `GITHUB_FORK_PAT` + service-account org invite | Removed (v1 web wizard) |
| Operator-supplied `GITHUB_TOKEN` PAT | Removed |
| GitHub OAuth user token for forking | Removed |
## Upstream sources

| App slug | Upstream repo |
|---|---|
| docs | prisma-collective/docs-secret |
| timelining | prisma-collective/timelining |
| enacting | prisma-collective/enact |
| registering | prisma-collective/enrol |
| evaluating | prisma-collective/evaluate |
## Security notes

- Installation metadata is stored in `.propagate/credentials.json` (gitignored)
- `credentialRef` is required to mint tokens; arbitrary callers cannot request tokens with only an installation ID
- The GitHub App private key lives on the hosted auth server, not in the CLI
- Pulumi stack config can encrypt secrets for remote backends
## Vercel linkage

After the fork, `VercelDeploy` creates a Vercel project named `{deployment.slug}-{appSlug}`, links it to `{targetOrg}/{forkName}`, injects resolved env vars, assigns the nested domain, and triggers a production deployment on `main`.
The target org must also have the Vercel GitHub App installed for git-linked deploys to succeed.