Sentrail integrates with GitHub in two directions:
  1. Outbound proxy — agent calls go through gateway-proxy/github/* instead of api.github.com directly
  2. Inbound webhooks — GitHub pushes events to Sentrail, which evaluates them against your policies

OAuth setup

Go to Tools → GitHub → Connect. Sentrail redirects to GitHub OAuth. After authorization, the access token is stored server-side in tool_connections.config.access_token and never returned to the frontend. The OAuth callback URL is:
https://<project-ref>.supabase.co/functions/v1/github-oauth-callback

Webhook configuration

After connecting, configure a webhook in your GitHub repository or organization:
| Field | Value |
| --- | --- |
| Payload URL | https://<project-ref>.supabase.co/functions/v1/webhook-github |
| Content type | application/json |
| Secret | Copy from Sentrail → Tools → GitHub → Webhook Secret |
| Events | Select the events you want to evaluate |

Sentrail verifies every webhook using HMAC-SHA256. The signature is in the X-Hub-Signature-256 header. Requests with invalid signatures are rejected with 401.

Workspace matching

Sentrail matches incoming webhooks to workspaces by comparing the repository full_name or organization login to the values stored in tool_connections.config:
  • config.repos: array of "owner/repo" strings
  • config.org: organization login string
Webhooks that don’t match any workspace are recorded in webhook_events with workspace_id = null and processed = false.

Supported proxy actions

The policy engine classifies each proxied request into one of these action strings based on its HTTP method and path:
| Method + Path pattern | Action string | Risk level |
| --- | --- | --- |
| GET /repos/** | read | low |
| POST /repos/:owner/:repo/issues | issues.create | medium |
| PATCH /repos/:owner/:repo/issues/:id | issues.update | medium |
| POST /repos/:owner/:repo/issues/:id/comments | issues.comment.create | medium |
| POST /repos/:owner/:repo/pulls | pull_request.create | high |
| PATCH /repos/:owner/:repo/pulls/:id | pull_request.update | medium |
| PUT /repos/:owner/:repo/pulls/:id/merge | pull_request.merge | high |
| PUT /repos/:owner/:repo/contents/:path | file.write | high |
| DELETE /repos/:owner/:repo/contents/:path | file.delete | critical |
| POST /repos/:owner/:repo/releases | release.create | high |
| DELETE /repos/:owner/:repo/git/refs/heads/:branch | ref.delete | critical |
| POST /repos/:owner/:repo/actions/workflows/:id/dispatches | workflow.dispatch | high |

Proxy usage

Replace https://api.github.com with the gateway URL and add your tool segment:
# Direct GitHub API
curl https://api.github.com/repos/owner/repo/issues \
  -H "Authorization: token github_pat_..."

# Through Sentrail
curl https://<project-ref>.supabase.co/functions/v1/gateway-proxy/github/repos/owner/repo/issues \
  -H "Authorization: Bearer agk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
  -H "X-Agent-Id: my-agent"
Sentrail uses Authorization: token <access_token> when forwarding to GitHub and sets User-Agent: Sentrail/1.0 and Accept: application/vnd.github.v3+json.

Webhook deduplication

Sentrail deduplicates webhook deliveries using the X-GitHub-Delivery header. If a delivery ID has been seen before, the webhook returns { ok: true, duplicate: true } without re-evaluating.
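
The signature check from "Webhook configuration" and the delivery-ID deduplication above, combined in one receiver. This is an added Python sketch, not Sentrail's own code. The class name, the in-memory store, the sample secret and body, the 400 for a missing delivery ID and the `{"ok": True}` body for a first delivery are assumptions. The signature is verified before the delivery ID is consulted, so an unauthenticated request cannot mark an ID as seen.

```python
import hashlib
import hmac

# Constructed sample values; the real secret is the one copied from
# Sentrail -> Tools -> GitHub -> Webhook Secret.
SECRET = b"constructed-webhook-secret"
BODY = b'{"action":"opened","repository":{"full_name":"owner/repo"}}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256 for this exact raw body."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    """Hypothetical receiver: authenticate first, deduplicate second."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = set()     # stand-in for a persistent delivery-ID store
        self.evaluated = []   # deliveries handed on to policy evaluation

    def handle(self, headers: dict, raw_body: bytes):
        # HTTP header names are case-insensitive.
        h = {k.lower(): v for k, v in headers.items()}
        sent = h.get("x-hub-signature-256", "")
        # The HMAC must cover the raw bytes as received, not re-serialized JSON.
        expected = sign(self.secret, raw_body)
        # compare_digest is constant-time; bytes avoid its ASCII-only str limit.
        if not hmac.compare_digest(sent.encode(), expected.encode()):
            return 401, {"ok": False}
        delivery = h.get("x-github-delivery")
        if not delivery:
            # Assumption: the page does not say how a missing ID is handled.
            return 400, {"ok": False}
        if delivery in self.seen:
            return 200, {"ok": True, "duplicate": True}
        self.seen.add(delivery)
        self.evaluated.append(delivery)
        return 200, {"ok": True}


if __name__ == "__main__":
    rx = WebhookReceiver(SECRET)
    hdrs = {"X-Hub-Signature-256": sign(SECRET, BODY),
            "X-GitHub-Delivery": "constructed-delivery-1"}
    print(rx.handle(hdrs, BODY))   # first delivery is evaluated
    print(rx.handle(hdrs, BODY))   # redelivery is acknowledged, not re-evaluated
```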