CDK Github
Manage GitHub resources like repositories, teams, members, integrations and workflows with the AWS CDK as Custom Resources in CloudFormation with cdk-github.
You configure the endpoint, method and parameters documented by @octokit/rest, and AWS CloudFormation runs them whenever you create, update (if you changed the custom resource), or delete stacks. When CloudFormation sends a lifecycle event notification, your custom resource sends the request to the GitHub REST API.

npm install @pepperize/cdk-github
yarn add @pepperize/cdk-github
pip install pepperize.cdk-github
dotnet add package Pepperize.CDK.Github
Contributions of all kinds are welcome :rocket: Check out our contributor's guide.
For a quick start, fork and check out a development environment:
git clone git@github.com:pepperize/cdk-github
cd cdk-github
# install dependencies
yarn install
# build with projen
yarn build
Getting Started
Creating a GitHub App
Installing GitHub Apps
Create an AWS Secrets Manager secret
{
  "appId": "123456",
  "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nExample==\n-----END RSA PRIVATE KEY-----",
  "installationId": "12345678"
}
Add @pepperize/cdk-github to your project dependencies
yarn add @pepperize/cdk-github
Add your main.ts
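import { App, Stack, aws_secretsmanager as secrets_manager, custom_resources } from "aws-cdk-lib";
import { AuthOptions, GithubCustomResource } from "@pepperize/cdk-github";
const app = new App();
const stack = new Stack(app, "GithubCustomResources");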
Just for simplicity, it's up to you how to organize your app :wink:
Import your secret
const secret = secrets_manager.Secret.fromSecretNameV2(stack, "Auth", "cdk-github/github-token");
Configure GitHub App authentication as an installation
const authOptions = AuthOptions.appAuth(secret);
Add your first GitHub Custom Resource with the AWS CDK
new GithubCustomResource(stack, "GithubRepo", {
  onCreate: {
    endpoint: "repos",
    method: "createInOrg",
    parameters: {
      org: "pepperize",
      name: "cdk-github",
    },
    outputPaths: ["id", "full_name"],
    // The repository's full_name becomes the CloudFormation physical ID
    physicalResourceId: custom_resources.PhysicalResourceId.fromResponse("full_name"),
    ignoreErrorCodesMatching: "name already exists on this account",
  },
  authOptions: AuthOptions.appAuth(secret),
});
Deploy your first GitHub Custom Resource
npx cdk deploy
GitHub App or installation authentication
Configure the AWS SecretsManager Secret with the AuthOptions that will be passed to octokit.auth, i.e. as an installation:
{
  "appId": "123456",
  "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nExample==\n-----END RSA PRIVATE KEY-----",
  "installationId": "12345678"
}
Lookup the secret in your AWS CDK app:
const secret = secrets_manager.Secret.fromSecretNameV2(stack, "Auth", "cdk-github/github-token");
const authOptions = AuthOptions.appAuth(secret);
The custom resource handler will configure octokit.js with createAppAuth:
// Excerpt from the handler; runs inside its async function
const getSecretValueResponse = await SSM.getSecretValue({ SecretId: secret }).promise();
const octokitOptions: OctokitOptions = {
  authStrategy: createAppAuth,
  auth: (auth = JSON.parse(getSecretValueResponse.SecretString)),
};
Supported through @octokit/auth-app
Personal Access Token authentication
Just add your PAT to an SSM StringParameter
const parameter = ssm.StringParameter.fromStringParameterName(stack, "Auth", "cdk-github/github-token");
const authOptions = AuthOptions.tokenAuth(parameter);
Supported through @octokit/auth-token
const authOptions = AuthOptions.unauthenticated();
Manage a GitHub Repository - Example

const auth = secrets_manager.Secret.fromSecretNameV2(stack, "Auth", "cdk-github/github-token");
const repo = new GithubCustomResource(stack, "GithubRepo", {
  // Runs when the stack creates the resource
  onCreate: {
    endpoint: "repos",
    method: "createInOrg",
    parameters: {
      org: "pepperize",
      name: "cdk-github",
    },
    outputPaths: ["id", "full_name"],
    physicalResourceId: custom_resources.PhysicalResourceId.fromResponse("full_name"),
    ignoreErrorCodesMatching: "name already exists on this account",
  },
  // Runs when the custom resource definition changes
  onUpdate: {
    endpoint: "repos",
    method: "get",
    parameters: {
      owner: "pepperize",
      repo: "cdk-github",
    },
    outputPaths: ["id", "full_name"],
    physicalResourceId: custom_resources.PhysicalResourceId.fromResponse("full_name"),
  },
  // Runs when the resource or stack is deleted: this deletes the repository
  onDelete: {
    endpoint: "repos",
    method: "delete",
    parameters: {
      owner: "pepperize",
      repo: "cdk-github",
    },
    outputPaths: [],
  },
  authOptions: AuthOptions.appAuth(auth),
});
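The lifecycle dispatch configured above, as an added model that is not code from cdk-github: it shows which call runs for each CloudFormation event, how `outputPaths` limits what is returned, and what happens to the physical ID when an error is ignored. Assumptions: `handle`, `pick`, `stubClient` and `exampleProps` are hypothetical names, the client is a synchronous stub, `physicalResourceId` is modelled as a response path, and `ignoreErrorCodesMatching` is treated as a regular expression tested against the error message.

```javascript
// Added model of the lifecycle dispatch; synchronous and simplified, not the
// cdk-github handler. `client` stands in for an authenticated Octokit instance.
const HOOKS = { Create: "onCreate", Update: "onUpdate", Delete: "onDelete" };

// Read a dotted path such as "owner.login" from a response object.
function pick(data, path) {
  return path.split(".").reduce((v, k) => (v == null ? undefined : v[k]), data);
}

function handle(event, props, client) {
  const hook = HOOKS[event.RequestType];
  if (!hook) throw new Error(`unknown RequestType: ${event.RequestType}`);
  const call = props[hook];
  const fallbackId = event.PhysicalResourceId || event.LogicalResourceId;
  if (!call) return { PhysicalResourceId: fallbackId, Data: {} }; // nothing configured
  const fn = client[call.endpoint] && client[call.endpoint][call.method];
  if (typeof fn !== "function") throw new Error(`no such call: ${call.endpoint}.${call.method}`);
  let data = {};
  try {
    data = fn(call.parameters || {});
  } catch (err) {
    // Assumption: the pattern is a regular expression tested against the message.
    const pattern = call.ignoreErrorCodesMatching;
    if (!pattern || !new RegExp(pattern).test(String(err.message))) throw err;
  }
  // Only fields named in outputPaths go back to CloudFormation (none if omitted here).
  const out = {};
  for (const path of call.outputPaths || []) {
    const value = pick(data, path);
    if (value !== undefined) out[path] = value;
  }
  // physicalResourceId is modelled as a response path (hypothetical shape).
  const id = call.physicalResourceId ? pick(data, call.physicalResourceId) : undefined;
  return { PhysicalResourceId: id || fallbackId, Data: out };
}

// Constructed stub client and resource definition, mirroring the page's onCreate.
const stubClient = {
  repos: { createInOrg: (p) => ({ id: 1, full_name: `${p.org}/${p.name}`, private: false }) },
};
const exampleProps = {
  onCreate: {
    endpoint: "repos", method: "createInOrg",
    parameters: { org: "pepperize", name: "cdk-github" },
    outputPaths: ["id", "full_name"], physicalResourceId: "full_name",
    ignoreErrorCodesMatching: "name already exists on this account",
  },
};
console.log(handle({ RequestType: "Create", LogicalResourceId: "GithubRepo" }, exampleProps, stubClient));
```

In this model an ignored create error leaves no response to read `full_name` from, so the physical ID falls back to the logical ID; a pattern broader than the one expected message would also hide unrelated failures such as rejected credentials.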
Manage GitHub Actions Secrets
Environment Secret
Manages an environment secret. Will fetch the source AWS SecretsManager secret and encrypt it to store in GitHub.
const auth = secrets_manager.Secret.fromSecretNameV2(scope, "Auth", "cdk-github/github-token");
const secret = secrets_manager.Secret.fromSecretNameV2(scope, "Secret", "any-secret/example");
new GithubActionsSecretEnvironment(scope, "GithubRepo", {
  repositoryId: "558989134",
  environmentName: "production",
  secretName: "example",
  source: GithubActionsSecret.fromSecretsManager(secret, "some-json-field"),
  authOptions: AuthOptions.appAuth(auth),
  removalPolicy: RemovalPolicy.DESTROY,
});
You may retrieve the repository_id from the GitHub Repository page source's meta tag, i.e. <meta name="octolytics-dimension-repository_id" content="558989134">, or from another GithubCustomResource via getAtt().
See GitHub Developer Guide, API Reference
Organization Secret
Manage a GitHub Actions organization secret. Will fetch the source AWS SecretsManager secret and encrypt it to store in GitHub.
const auth = secrets_manager.Secret.fromSecretNameV2(scope, "Auth", "cdk-github/github-token");
const secret = secrets_manager.Secret.fromSecretNameV2(scope, "Secret", "any-secret/example");
new GithubActionsSecretOrganization(scope, "GithubRepo", {
  organizationName: "pepperize",
  secretName: "example",
  source: GithubActionsSecret.fromSecretsManager(secret, "some-json-field"),
  visibility: Visibility.ALL,
  authOptions: AuthOptions.appAuth(auth),
  removalPolicy: RemovalPolicy.DESTROY,
});
See GitHub Developer Guide, API Reference
Repository Secret
Manage a GitHub Actions repository secret. Will fetch the source AWS SecretsManager secret and encrypt it to store in GitHub.
const auth = secrets_manager.Secret.fromSecretNameV2(scope, "Auth", "cdk-github/github-token");
const secret = secrets_manager.Secret.fromSecretNameV2(scope, "Secret", "any-secret/example");
new GithubActionsSecretRepository(scope, "GithubRepo", {
  owner: "pepperize",
  repositoryName: "cdk-github",
  secretName: "example",
  source: GithubActionsSecret.fromSecretsManager(secret, "some-json-field"),
  authOptions: AuthOptions.appAuth(auth),
  removalPolicy: RemovalPolicy.DESTROY,
});
See GitHub Developer Guide, API Reference