LGTM × GitHub

GitHub has three authentication models for third-party tools: Personal Access Tokens (PATs — act as a user, inherit their permissions), OAuth Apps (act as the user with OAuth-granted scopes), and GitHub Apps (act as the App with per-installation granular permissions).

LGTM uses the GitHub App model exclusively. Why: (1) granular permissions — we request only the 4 we need, can't access anything else. (2) Short-lived installation tokens — 1 hour expiry, no long-lived credentials. (3) Per-repo install scope — you choose which repos LGTM sees. (4) Audit trail — every action LGTM takes is attributed to the App, visible in your org's audit log.

OAuth Apps would inherit the full user scope (everything the user can see), making least-privilege impossible. PATs are similarly broad. GitHub Apps are the only model that fits the security goals of a third-party code review tool.

Contents: read — fetch the diff at PR time, fetch context symbol bodies at review time. No write access; we cannot push code, cannot modify files. Permission grants happen at installation; you see this list before clicking Install.

Pull requests: write — post review comments, set review verdict (approve/request_changes/comment), update existing reviews when re-running. This is the highest-privilege permission we have; it's the minimum needed to post a code review.

Checks: write — write Check Runs that branch protection rules can require. LGTM's verdict can be set as a required check; a failing review then blocks the merge until resolved.

Metadata: read — required by GitHub on every App. Gives basic repo info (name, visibility, default branch). Cannot be excluded; it's the bootstrap permission.

What we DON'T request: actions:* (no workflow access), secrets:* (no environment secret access), administration:* (no settings modification), members:* (no org member visibility), packages:* (no registry access).

LGTM subscribes to four event types: pull_request (opened/synchronize/reopened/closed/labeled — the PR lifecycle), push (commits to default branch — drives the runtime watchdog for LGTM Security), installation (when LGTM is installed/uninstalled/permissions changed), installation_repositories (when repos are added/removed from an existing installation).

Each delivery from GitHub arrives signed with HMAC-SHA-256 using a shared secret. LGTM verifies the X-Hub-Signature-256 header before processing. Failed verification → 401 + the event is discarded. Successful → enqueued for processing within milliseconds.

Idempotency: GitHub retries failed deliveries up to 3 times. Each retry has the same X-GitHub-Delivery UUID. LGTM dedupes on that UUID in MongoDB — a duplicate delivery is acknowledged with 200 but not reprocessed.

LGTM doesn't store any long-lived credentials for your GitHub. Instead, we hold the App's private key (one key per GitHub App, not per customer) and use it to mint short-lived installation tokens.

Flow per action: (1) Generate a JWT signed with the App's RSA private key. (2) POST /app/installations/{installation_id}/access_tokens with the JWT. (3) GitHub returns a token scoped to that installation's permissions, expiring in 1 hour. (4) LGTM uses that token for the actual operations (fetch diff, post review). (5) Token is cached in worker memory until 55 minutes (5-minute buffer), then refreshed.

The App's private key lives in Fly Secrets. It never touches disk on a customer-facing server, never appears in logs. Compromising LGTM's private key would let an attacker mint installation tokens for all customers — which is why it's stored separately from any other credential and rotated annually.

Install from github.com/apps/lgtm-app/installations/new (or via the 'Install on GitHub' button in LGTM's settings). You choose: all repos OR specific repos. You can change this later.

After install, LGTM picks up webhook deliveries automatically. First action: index your repos if you've enabled context indexing. Subsequent: review every PR opened against an enrolled repo.

Revoke: github.com/settings/installations → LGTM → Uninstall. GitHub revokes our installation token immediately. Within 24h, LGTM hard-deletes any data we held about your installation (encrypted BYOK keys, review history, settings). Webhooks stop firing instantly.

Partial revocation: instead of uninstalling, you can change which repos LGTM accesses. Settings on github.com → LGTM → Configure → switch to 'Selected repositories' → pick which ones stay. LGTM webhook deliveries for the removed repos stop immediately.