Native/CLI agent that authenticates via the Device Authorization Grant (RFC 8628), then uses Vouch's credential brokering API to obtain a GitHub installation token. Optionally clones a private repository using the brokered token.
No client secret is needed. The user authenticates by visiting a URL in their browser and entering a code.
- Device auth flow -- The agent requests a device code from Vouch and displays a verification URL and user code. The user signs in via their browser.
- GitHub token -- After authentication, the agent calls Vouch's `/v1/credentials/github/token` endpoint with the access token to get a scoped GitHub installation token.
- Clone (optional) -- If `GITHUB_REPO` is set, the agent clones the repository using the brokered token.
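
The polling half of the device auth flow, as an added example that is not the agent's own code: it handles the `authorization_pending` and `slow_down` responses defined by RFC 8628 and stops on terminal errors or expiry. The `post` helper, the token endpoint URL and the sample replies are assumptions constructed for illustration.

```python
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628, section 3.4

class DeviceFlowError(Exception):
    """Terminal failure: access_denied, expired_token, or local timeout."""

def poll_for_token(post, token_endpoint, client_id, device, sleep=time.sleep, now=time.monotonic):
    """Poll until the user approves. `post(url, form) -> (status, json)` is a
    hypothetical injected HTTP helper so the logic can run offline."""
    interval = device.get("interval", 5)  # RFC 8628 default when omitted
    deadline = now() + device["expires_in"]
    form = {"grant_type": DEVICE_GRANT, "device_code": device["device_code"],
            "client_id": client_id}  # public client: no client_secret sent
    while now() < deadline:
        sleep(interval)
        status, body = post(token_endpoint, form)
        if status == 200:
            return body
        error = body.get("error")
        if error == "authorization_pending":
            continue  # user has not finished signing in yet
        if error == "slow_down":
            interval += 5  # section 3.5: back off by 5 seconds, then keep polling
            continue
        raise DeviceFlowError(error or f"HTTP {status}")
    raise DeviceFlowError("device code expired before approval")

def demo():
    """Drive the loop with constructed replies (not captured from Vouch)."""
    replies = iter([
        (400, {"error": "authorization_pending"}),
        (400, {"error": "slow_down"}),
        (400, {"error": "authorization_pending"}),
        (200, {"access_token": "constructed-token", "token_type": "Bearer"}),
    ])
    clock, sleeps = [0.0], []

    def fake_sleep(seconds):  # advance a fake clock instead of waiting
        sleeps.append(seconds)
        clock[0] += seconds

    device = {"device_code": "constructed-device-code", "expires_in": 600, "interval": 5}
    token = poll_for_token(lambda url, form: next(replies), "https://issuer.example/token",
                           "your-client-id", device, sleep=fake_sleep, now=lambda: clock[0])
    return token["access_token"], sleeps

if __name__ == "__main__":
    print(demo())
```
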
| Variable | Required | Description |
|---|---|---|
| `VOUCH_ISSUER` | No | OIDC issuer URL (default: `https://us.vouch.sh`) |
| `VOUCH_CLIENT_ID` | Yes | The public client ID |
| `GITHUB_OWNER` | No | GitHub organization or user to scope the token to |
| `GITHUB_REPOSITORIES` | No | Comma-separated list of repository names to scope the token to |
| `GITHUB_REPO` | No | Repository name to clone after obtaining the token |

```bash
docker build -t vouch-python-agent-github .
docker run -it \
  -e VOUCH_ISSUER=https://us.vouch.sh \
  -e VOUCH_CLIENT_ID=your-client-id \
  -e GITHUB_OWNER=your-org \
  vouch-python-agent-github
```

To clone a private repository:

```bash
docker run -it \
  -e VOUCH_ISSUER=https://us.vouch.sh \
  -e VOUCH_CLIENT_ID=your-client-id \
  -e GITHUB_OWNER=your-org \
  -e GITHUB_REPO=your-private-repo \
  vouch-python-agent-github
```