Installation

This page details how to install Port's GitHub integration (powered by the Ocean framework).

This page helps you choose an authentication method and then deploy the integration using the installation method that fits your setup.

Migrating from the old GitHub app?

If you are migrating from the old GitHub app integration, disable the "Create default resources" toggle in the Advanced Configuration section before clicking Connect. If you want to install Github ocean as self-hosted, specify the createPortResourcesOrigin: Empty option in your values file.

Leaving this toggle enabled will create new default blueprints and mappings that may conflict with your existing data. See the migration guide for detailed instructions.

Prerequisites

• A GitHub account with permissions to create access tokens.
• Your Port user role is set to Admin.

Choose authentication method

GitHub App (via Port)

You can create and install a GitHub App directly from Port’s UI using OAuth. This is the recommended approach as it streamlines the entire setup process.

Hosted by Port only

The GitHub App (via Port) setup is available only as a Hosted by Port installation.

Hosted by Port means Port runs and manages the integration for you (no Kubernetes/Docker/CI deployment on your side).

Live event support

This integration supports live events, allowing real-time updates to your software catalog without waiting for the next scheduled sync.

Supported live event triggers (Click to expand)

repository:

• created
• edited
• renamed
• transferred
• unarchived
• publicized
• privatized
• archived
• deleted

pull_request:

• opened
• edited
• ready_for_review
• reopened
• synchronize
• unassigned
• review_request_removed
• closed

issues:

• assigned
• closed
• demilestoned
• edited
• labeled
• locked
• milestoned
• opened
• pinned
• reopened
• transferred
• typed
• unassigned
• unlabeled
• unlocked
• unpinned
• untyped
• deleted

release:

• created
• edited
• deleted

create

delete

push

deployment

deployment_status

workflow_run:

• in_progress
• requested
• completed

dependabot_alert:

• created
• reopened
• auto_reopened
• reintroduced
• dismissed
• auto_dismissed
• fixed

code_scanning_alert:

• appeared_in_branch
• reopened
• created
• fixed
• closed_by_user

organization:

• member_added
• member_removed

team:

• created
• edited
• deleted
• added_to_repository

membership:

• added
• removed

member:

• added
• edited
• removed

secret_scanning_alert:

• created
• publicly_leaked
• reopened
• validated
• resolved

Self-hosted installation

Alternatively, you can install the integration using any of the self-hosted installation methods to update Port in real time using webhooks.

For self-hosted live events, use either Custom GitHub App or Personal access token (PAT).

This installation option means that the integration will be hosted and managed by Port.

1. Go to the Data sources page of your portal.
2. Click on the + Data source button in the top-right corner.
3. Click on Github in the list.
4. Under Select your installation method, choose Hosted by Port.
5. Click Connect to start the setup wizard.

Redirect step (important)

During the wizard, you will be redirected to your provider to authorize Port and approve the requested permissions.

On GitHub, you will be prompted to complete an authorization flow to approve the requested permissions and install the app.

1. Select the organization/account to install the app on.

   

2. Confirm the GitHub app name (or edit it).

   

3. Authorize the GitHub app on the organization/account.

   

4. Choose repository access: All repositories or Only select repositories.

   

5. Install the app.

   

Personal access token (PAT)

A Personal Access Token (PAT) is suitable if you are the only one managing the integration and you do not need frequent credential rotation.

PAT authentication support

The GitHub integration supports authenticating with both fine-grained and classic PATs. If you need multi-organization support (v3.0.0-beta+), use a classic PAT (fine-grained PATs do not support multi-org).

To create a PAT, see GitHub’s managing your personal access tokens.

The token must belong to a user with access to the relevant GitHub resources (e.g., repositories, teams) across all organizations you want to sync.

You will use this token as the githubToken parameter when deploying the integration below.

Required permissions (click to expand)

This section focuses on the permissions you need to grant (fine-grained PAT vs classic PAT).

Fine-grained PAT

To configure permissions for a fine-grained PAT:

• Choose the resource owner (organization/user).

  

• Under Repository access, choose All repositories or Only select repositories (and select the relevant repositories).

• Repositories permissions:

  • Actions: Read-only.
  • Administration: Read-only (for syncing repository teams and collaborators).
  • Code scanning alerts: Read-only.
  • Contents: Read-only (for reading files).
  • Dependabot alerts: Read-only.
  • Deployments: Read-only.
  • Environments: Read-only.
  • Issues: Read-only.
  • Metadata: Read-only.
  • Pull requests: Read-only.
  • Secret scanning alerts: Read-only.
  • Webhooks: Read and write (personal accounts only — required to create repository webhooks).

• Organization permissions (when the resource owner is an organization):

  • Members: Read-only (for syncing users and teams).
  • Administration: Read-only (for syncing external identities).
  • Webhooks: Read and write (organizations only — required to create organization webhooks).

• Account permissions (when the resource owner is a personal account): to grant the permissions below.

  • Email addresses: Read-only (only if you want to ingest user email addresses).

Classic PAT

Select the following scopes for classic PAT:

• repo
• repo_deployment
• public_repo
• security_events
• workflow
• read:org
• admin:repo_hook (required if you intend syncing a personal account — used to create repository webhooks).
• admin:org_hook
• read:user
• user:email

Choose the installation method that best suits your needs:

Hosted by Port

Using this installation option means that the integration will be hosted by Port, with a customizable resync interval to ingest data into Port.

Live event support

This integration supports live events, allowing real-time updates to your software catalog without waiting for the next scheduled sync.

Supported live event triggers (click to expand)

repository:

• created
• edited
• renamed
• transferred
• unarchived
• publicized
• privatized
• archived
• deleted

pull_request:

• opened
• edited
• ready_for_review
• reopened
• synchronize
• unassigned
• review_request_removed
• closed

issues:

• assigned
• closed
• demilestoned
• edited
• labeled
• locked
• milestoned
• opened
• pinned
• reopened
• transferred
• typed
• unassigned
• unlabeled
• unlocked
• unpinned
• untyped
• deleted

release:

• created
• edited
• deleted

create

delete

push

deployment

deployment_status

workflow_run:

• in_progress
• requested
• completed

dependabot_alert:

• created
• reopened
• auto_reopened
• reintroduced
• dismissed
• auto_dismissed
• fixed

code_scanning_alert:

• appeared_in_branch
• reopened
• created
• fixed
• closed_by_user

organization:

• member_added
• member_removed

team:

• created
• edited
• deleted
• added_to_repository

membership:

• added
• removed

member:

• added
• edited
• removed

secret_scanning_alert:

• created
• publicly_leaked
• reopened
• validated
• resolved

Installation

To install, follow these steps:

1. Go to the Data sources page of your portal.

2. Click on the + Data source button in the top-right corner.

3. Click on Github in the list.

4. Under Select your installation method, choose Hosted by Port.

5. Toggle on Use Custom Settings and Configure the integration settings and application settings as you wish (see below for details).

Application settings

Every integration hosted by Port has the following customizable application settings, which are configurable after installation:

• Resync interval: The frequency at which Port will ingest data from the integration. There are various options available, ranging from every 1 hour to once a day. If a sync is still in progress when the next one is due, the new sync will be skipped (up to 24 hours delay).
  This ensures that all kinds are fully synchronized and that cleanup of stale entities always takes place at the end of each sync.

• Send raw data examples: A boolean toggle (enabled by default). If enabled, raw data examples will be sent from the integration to Port. These examples are used when testing your mapping configuration, they allow you to run your jq expressions against real data and see the results.

Integration settings

Every integration has its own tool-specific settings, under the Integration settings section.
Each of these settings has an ⓘ icon next to it, which you can hover over to see a description of the setting.

Port secrets

Some integration settings require sensitive pieces of data, such as tokens.
For these settings, Port secrets will be used, ensuring that your sensitive data is encrypted and secure.

When filling in such a setting, its value will be obscured (shown as ••••••••).
For each such setting, Port will automatically create a secret in your organization.

To see all secrets in your organization, follow these steps.

Limitations

• The maximum time for a full sync to run is based on the configured resync interval. For very large amounts of data where a resync operation is expected to take longer, please use a longer interval.

Port source IP addresses

When using this installation method, Port will make outbound calls to your 3rd-party applications from static IP addresses.
You may need to add these addresses to your allowlist, in order to allow Port to interact with the integrated service:

Europe (EU)

54.73.167.226  
63.33.143.237  
54.76.185.219

United States (US)

3.234.37.33  
54.225.172.136  
3.225.234.99

Kubernetes

Using this installation option means that the integration will be able to update Port in real time using webhooks.

Port credentials

If you deploy the integration outside Port, you need your Port CLIENT_ID and CLIENT_SECRET:

To get your Port credentials, go to your Port application, click on the ... button in the top right corner, and select Credentials. Here you can view and copy your CLIENT_ID and CLIENT_SECRET:

Prerequisites

To install the integration, you need a Kubernetes cluster that the integration's container chart will be deployed to.

Please make sure that you have kubectl and helm installed on your machine, and that your kubectl CLI is connected to the Kubernetes cluster where you plan to install the integration.

Troubleshooting

If you are having trouble installing this integration, please refer to these troubleshooting steps.

For details about the available parameters for the installation, see the table below.

Helm

To install the integration using Helm:

Add Port's Helm chart repository:

helm repo add --force-update port-labs https://port-labs.github.io/helm-charts

Install the Helm chart:

1. Create a values.yaml file with the following content:

values.yaml

port:
  clientId: "<PORT_CLIENT_ID>"
  clientSecret: "<PORT_CLIENT_SECRET>"
  baseUrl: "https://api.port.io"

integration:
  identifier: "github-ocean"
  type: "github-ocean"
  eventListener:
    type: "POLLING"
  config:
    githubOrganization: "<GITHUB_ORGANIZATION>"
    githubHost: "<GITHUB_HOST>" # e.g https://api.github.com
  secrets:
    githubToken: "<GITHUB_PAT>"

# uncomment to enable live events
# liveEvents:
#  baseUrl: "<your-domain>"

initializePortResources: true
sendRawDataExamples: true
scheduledResyncInterval: 360
      

2. Install the Helm chart using the values.yaml file:

helm upgrade --install github-ocean port-labs/port-ocean -f values.yaml

See all available helm options

Selecting a Port API URL by account region

The port_region, port.baseUrl, portBaseUrl, port_base_url and OCEAN__PORT__BASE_URL parameters are used to select which instance of Port API will be used.

Port exposes two API instances, one for the EU region of Port, and one for the US region of Port.

• If you use the EU region of Port (https://app.port.io), your API URL is https://api.port.io.
• If you use the US region of Port (https://app.us.port.io), your API URL is https://api.us.port.io.

ArgoCD

To install the integration using ArgoCD:

1. Create a values.yaml file in argocd/my-ocean-github-integration in your git repository with the content:

Placeholder replacement required

Be sure to replace the <GITHUB_TOKEN> and <GITHUB_ORGANIZATION> placeholders with your actual values. If you are using a self-hosted GitHub instance, update the githubHost value to point to your instance.

For multi-organization support, use a classic PAT token and specify multiple organizations in the port mapping

deleteDependentEntities: true
createMissingRelatedEntities: true
enableMergeEntity: true
organizations:
  - org1
  - org2
# ... rest of your mapping (repositoryType, resources, etc.) ...

initializePortResources: true
scheduledResyncInterval: 120
integration:
  identifier: my-ocean-github-integration
  type: github-ocean
  eventListener:
    type: POLLING
  config:
    githubHost: https://api.github.com # Or your self-hosted GitHub URL
    githubOrganization: "<GITHUB_ORGANIZATION>" # your github organization, e.g port-labs
  secrets:
    githubToken: "<GITHUB_TOKEN>"

# uncomment to enable live events
# liveEvents:
#  baseUrl: "<your-domain>"

2. Install the my-ocean-github-integration ArgoCD Application by creating the following my-ocean-github-integration.yaml manifest:

note

Remember to replace the placeholders for YOUR_PORT_CLIENT_ID YOUR_PORT_CLIENT_SECRET and YOUR_GIT_REPO_URL.

Multiple sources ArgoCD documentation can be found here.

ArgoCD Application

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: my-ocean-github-integration
  namespace: argocd
spec:
  destination:
    namespace: my-ocean-github-integration
    server: https://kubernetes.default.svc
  project: default
  sources:
  - repoURL: 'https://port-labs.github.io/helm-charts/'
    chart: port-ocean
    targetRevision: 0.9.5
    helm:
      valueFiles:
      - $values/argocd/my-ocean-github-integration/values.yaml
      parameters:
        - name: port.clientId
          value: <YOUR_PORT_CLIENT_ID>
        - name: port.clientSecret
          value: <YOUR_PORT_CLIENT_SECRET>
        - name: port.baseUrl
          value: https://api.getport.io
  - repoURL: <YOUR_GIT_REPO_URL>
    targetRevision: main
    ref: values
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true

Selecting a Port API URL by account region

The port_region, port.baseUrl, portBaseUrl, port_base_url and OCEAN__PORT__BASE_URL parameters are used to select which instance of Port API will be used.

Port exposes two API instances, one for the EU region of Port, and one for the US region of Port.

• If you use the EU region of Port (https://app.port.io), your API URL is https://api.port.io.
• If you use the US region of Port (https://app.us.port.io), your API URL is https://api.us.port.io.

3. Apply your application manifest with kubectl:

kubectl apply -f my-ocean-github-integration.yaml

Enabling live-events

Live events

The liveEvents.baseUrl parameter is used specifically to enable the real-time functionality of the integration. For debugging, services like Ngrok can provide a temporary public URL. For production, a stable and publicly accessible host is required.

If it is not provided, the integration will continue to function correctly. In such a configuration, to retrieve the latest information from the target system, the scheduledResyncInterval parameter has to be set, or a manual resync will need to be triggered through Port's UI.

This integration supports live events, allowing real-time updates to your software catalog without waiting for the next scheduled sync.

The liveEvents.baseUrl specifies the public-facing URL for your integration. This URL, which must be reachable from the internet, is used to receive real-time updates from Github. It can be a public IP address or a configured domain name (e.g., https://mygithubintegration.com).

Supported live event triggers

repository:

• created
• edited
• renamed
• transferred
• unarchived
• publicized
• privatized
• archived
• deleted

pull_request:

• opened
• edited
• ready_for_review
• reopened
• synchronize
• unassigned
• review_request_removed
• closed

issues:

• assigned
• closed
• demilestoned
• edited
• labeled
• locked
• milestoned
• opened
• pinned
• reopened
• transferred
• typed
• unassigned
• unlabeled
• unlocked
• unpinned
• untyped
• deleted

release:

• created
• edited
• deleted

create

delete

push

deployment

deployment_status

workflow_run:

• in_progress
• requested
• completed

dependabot_alert:

• created
• reopened
• auto_reopened
• reintroduced
• dismissed
• auto_dismissed
• fixed

code_scanning_alert:

• appeared_in_branch
• reopened
• created
• fixed
• closed_by_user

organization:

• member_added
• member_removed

team:

• created
• edited
• deleted
• added_to_repository

membership:

• added
• removed

member:

• added
• edited
• removed

secret_scanning_alert:

• created
• publicly_leaked
• reopened
• validated
• resolved

This table summarizes the available parameters for the installation.

Parameter	Description	Required
port.clientId	Your Port client ID.	✅
port.clientSecret	Your Port client secret.	✅
port.baseUrl	Your Port API URL (https://api.getport.io for EU, https://api.us.getport.io for US).	✅
integration.identifier	A unique identifier for your integration.	✅
integration.type	The integration type.	✅
integration.eventListener.type	The event listener type.	✅
integration.config.githubOrganization	The GitHub organization to sync. Required when you use a single-organization setup, and not required when you use multi-organization support.	⚠️
integration.config.githubHost	The API endpoint for your GitHub instance. For GitHub Enterprise Cloud, this will be https://api.<SUBDOMAIN>.ghe.com. Defaults to https://api.github.com if not provided.	❌
integration.secrets.githubToken	A GitHub Personal Access Token (PAT) to authenticate with GitHub.	✅
scheduledResyncInterval	The number of minutes between each resync.	❌
initializePortResources	When true, the integration will create default blueprints and port-app-config.yml mapping.	❌
sendRawDataExamples	When true, sends raw data examples from the third-party API to Port for testing and managing the integration mapping.	❌
liveEvents.baseUrl	The base url of the instance where the GitHub integration is hosted, used for real-time updates (e.g. https://mygithuboceanintegration.com). Required if you want to enable live-events or actions processing.	❌
actionsProcessor.enabled	When set to true, the integration will be able to process actions and automations.	❌
integration.config.webhookSecret	A secret to secure webhooks from GitHub. This is optional but highly recommended for security if you enable live-events.	❌

Advanced integration configuration

For advanced configuration such as proxies or self-signed certificates, click here.

All Ocean integrations expose a health check endpoint at /docs that you can use to verify the integration is running and access its API documentation.

Docker

Port credentials

If you deploy the integration outside Port, you need your Port CLIENT_ID and CLIENT_SECRET:

To get your Port credentials, go to your Port application, click on the ... button in the top right corner, and select Credentials. Here you can view and copy your CLIENT_ID and CLIENT_SECRET:

Our integration can be directly run as a docker container, it can be deployed on any platform that allows deploying images as containers such as: K8S, ECS, AWS App Runner, etc.

You can pull the Docker image by running:

docker pull ghcr.io/port-labs/port-ocean-github-ocean:latest

Run the following command to start the app:

docker run \
-e OCEAN__PORT__CLIENT_ID="<PORT_CLIENT_ID>" \
-e OCEAN__PORT__CLIENT_SECRET="<PORT_CLIENT_SECRET>" \
-e OCEAN__PORT__BASE_URL="https://api.getport.io" \
-e OCEAN__BASE_URL="<https.example.com>" \ #optional, only required if you want to enable live-events or actions processing
-e OCEAN__ACTIONS_PROCESSOR__ENABLED=true \ #optional, only required if you want to enable actions processing
-e OCEAN__EVENT_LISTENER__TYPE="POLLING" \
-e OCEAN__INTEGRATION__CONFIG__GITHUB_HOST="<GITHUB_HOST>" \ # e.g https://api.github.com
-e OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION="<GITHUB_ORGANIZATION>" \
-e OCEAN__INTEGRATION__IDENTIFIER="github-ocean" \
-e OCEAN__INTEGRATION__CONFIG__GITHUB_TOKEN="<GITHUB_TOKEN>" \ 
-p 8000:8000 \
ghcr.io/port-labs/port-ocean-github-ocean:latest

Docker parameters

The command above contains placeholder values in angle brackets (e.g., <PORT_CLIENT_ID>). Be sure to replace them with your actual values before running the command.

Env variable	Description	Required
OCEAN__PORT__CLIENT_ID	Port client id for interacting with the API	✅
OCEAN__PORT__CLIENT_SECRET	Port client secret for interacting with the API	✅
OCEAN__PORT__BASE_URL	Port's API Base URL	✅
OCEAN__BASE_URL	The base url of the instance where the GitHub integration is hosted, used for real-time updates (e.g. https://mygithuboceanintegration.com).	❌
OCEAN__ACTIONS_PROCESSOR__ENABLED	when set to true, the integration will be able to process actions and automations	❌
OCEAN__INTEGRATION__CONFIG__WEBHOOK_SECRET	A secret to secure webhooks from GitHub. This is optional but highly recommended for security if you enable live-events.	❌
OCEAN__EVENT_LISTENER__TYPE	Define the appropriate event listener type to handle incoming events and resync requests from Port. This listener will forward the events to the GitHub Ocean integration. For more details, see the Port Event Listener documentation	✅
OCEAN__INTEGRATION__CONFIG__GITHUB_HOST	The API endpoint for your GitHub instance. For GitHub Enterprise, this will be https://api.<SUBDOMAIN>.ghe.com. Defaults to https://api.github.com if not provided.	❌
OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION	Single GitHub organization name to sync data from a single organization. Required for single-org authentication.	❌
OCEAN__INTEGRATION__IDENTIFIER	A unique identifier for the integration instance. Useful if you are running multiple self-hosted GitHub integrations. Defaults to github-ocean.	✅
OCEAN__INTEGRATION__CONFIG__GITHUB_TOKEN	Github PAT.	✅

Selecting a Port API URL by account region

The port_region, port.baseUrl, portBaseUrl, port_base_url and OCEAN__PORT__BASE_URL parameters are used to select which instance of Port API will be used.

Port exposes two API instances, one for the EU region of Port, and one for the US region of Port.

• If you use the EU region of Port (https://app.port.io), your API URL is https://api.port.io.
• If you use the US region of Port (https://app.us.port.io), your API URL is https://api.us.port.io.

CI

Port credentials

If you deploy the integration outside Port, you need your Port CLIENT_ID and CLIENT_SECRET:

To get your Port credentials, go to your Port application, click on the ... button in the top right corner, and select Credentials. Here you can view and copy your CLIENT_ID and CLIENT_SECRET:

This workflow/pipeline will run the GitHub integration once and then exit. This is useful for scheduled ingestion of data.

Use a Personal Access Token in your CI secret store.

GitHub

Make sure to configure the following GitHub secrets:

Parameter	Description	Example	Required
OCEAN__INTEGRATION__CONFIG__GITHUB_TOKEN	A GitHub Personal Access Token (PAT) to authenticate with GitHub. Use a classic PAT for multi-organization support (v3.0.0-beta+).		✅
OCEAN__INTEGRATION__CONFIG__GITHUB_HOST	The API endpoint for your GitHub instance. For GitHub Enterprise Cloud, this will be https://api.<SUBDOMAIN>.ghe.com. Defaults to https://api.github.com if not provided.		❌
OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION	The GitHub organization to sync. Required for single-organization setups, and not required for multi-organization support.		❌
OCEAN__PORT__CLIENT_ID	Your Port client ID (How to get the credentials).		✅
OCEAN__PORT__CLIENT_SECRET	Your Port client secret (How to get the credentials).		✅
OCEAN__PORT__BASE_URL	Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US.		✅
OCEAN__INITIALIZE_PORT_RESOURCES	Default true. When set to true, the integration will create default blueprints and the Port app config mapping.		❌
OCEAN__INTEGRATION__IDENTIFIER	The identifier of the integration that will be installed.		❌

Here is an example for a github-integration.yml workflow file:

name: Github Exporter Workflow
on:
workflow_dispatch:
schedule:
  - cron: "0 */1 * * *" # Determines the scheduled interval for this workflow. This example runs every hour.
jobs:
run-integration:
  runs-on: ubuntu-latest
  timeout-minutes: 30 # Set a time limit for the job
  steps:
    - uses: port-labs/ocean-sail@v1
      with:
        type: "github-ocean"
        port_client_id: ${{ secrets.OCEAN__PORT__CLIENT_ID }}
        port_client_secret: ${{ secrets.OCEAN__PORT__CLIENT_SECRET }}
        port_base_url: https://api.getport.io
        config: |
          githubHost: ${{ secrets.OCEAN__INTEGRATION__CONFIG__GITHUB_HOST }}
          githubToken: ${{ secrets.OCEAN__INTEGRATION__CONFIG__GITHUB_TOKEN }}
          githubOrganization: ${{ secrets.OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION }}

Jenkins

Docker requirement

Your Jenkins agent should be able to run Docker commands.

Make sure to configure the following Jenkins credentials of Secret Text type:

Parameter	Description	Example	Required
OCEAN__INTEGRATION__CONFIG__GITHUB_TOKEN	A GitHub Personal Access Token (PAT) to authenticate with GitHub. Use a classic PAT for multi-organization support (v3.0.0-beta+).		✅
OCEAN__INTEGRATION__CONFIG__GITHUB_HOST	The API endpoint for your GitHub instance. For GitHub Enterprise Cloud, this will be https://api.<SUBDOMAIN>.ghe.com. Defaults to https://api.github.com if not provided.		❌
OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION	The GitHub organization to sync. Required for single-organization setups, and not required for multi-organization support.		❌
OCEAN__PORT__CLIENT_ID	Your Port client ID (How to get the credentials).		✅
OCEAN__PORT__CLIENT_SECRET	Your Port client secret (How to get the credentials).		✅
OCEAN__PORT__BASE_URL	Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US.		✅
OCEAN__INITIALIZE_PORT_RESOURCES	Default true. When set to true, the integration will create default blueprints and the Port app config mapping.		❌
OCEAN__INTEGRATION__IDENTIFIER	The identifier of the integration that will be installed.		❌

Here is an example for a Jenkinsfile groovy pipeline file:

pipeline {
  agent any
  stages {
      stage('Run Github Integration') {
          steps {
              script {
                  withCredentials([
                      string(credentialsId: 'OCEAN__INTEGRATION__CONFIG__GITHUB_HOST', variable: 'OCEAN__INTEGRATION__CONFIG__GITHUB_HOST'),
                      string(credentialsId: 'OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION', variable: 'OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION'),
                      string(credentialsId: 'OCEAN__INTEGRATION__CONFIG__GITHUB_TOKEN', variable: 'OCEAN__INTEGRATION__CONFIG__GITHUB_TOKEN'),
                      string(credentialsId: 'OCEAN__PORT__CLIENT_ID', variable: 'OCEAN__PORT__CLIENT_ID'),
                      string(credentialsId: 'OCEAN__PORT__CLIENT_SECRET', variable: 'OCEAN__PORT__CLIENT_SECRET'),
                  ]) {
                      sh('''
                          #Set Docker image and run the container
                          integration_type="github-ocean"
                          version="1.2.0-beta"
                          image_name="ghcr.io/port-labs/port-ocean-$integration_type:$version"
                          docker run -i --rm --platform=linux/amd64 \
                              -e OCEAN__EVENT_LISTENER='{"type":"ONCE"}' \
                              -e OCEAN__INITIALIZE_PORT_RESOURCES=true \
                              -e OCEAN__SEND_RAW_DATA_EXAMPLES=true \
                              -e OCEAN__INTEGRATION__CONFIG__GITHUB_HOST=$OCEAN__INTEGRATION__CONFIG__GITHUB_HOST \
                              -e OCEAN__INTEGRATION__CONFIG__GITHUB_TOKEN=$OCEAN__INTEGRATION__CONFIG__GITHUB_TOKEN \
                              -e OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION=$OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION \
                              -e OCEAN__PORT__CLIENT_ID=$OCEAN__PORT__CLIENT_ID \
                              -e OCEAN__PORT__CLIENT_SECRET=$OCEAN__PORT__CLIENT_SECRET \
                              -e OCEAN__PORT__BASE_URL='https://api.getport.io' \
                              $image_name
                          exit $?
                      ''')
                  }
              }
          }
      }
  }
}

Azure DevOps

Make sure to configure the following Azure DevOps pipeline variables:

Parameter	Description	Example	Required
OCEAN__INTEGRATION__CONFIG__GITHUB_TOKEN	A GitHub Personal Access Token (PAT) to authenticate with GitHub. Use a classic PAT for multi-organization support (v3.0.0-beta+).		✅
OCEAN__INTEGRATION__CONFIG__GITHUB_HOST	The API endpoint for your GitHub instance. For GitHub Enterprise Cloud, this will be https://api.<SUBDOMAIN>.ghe.com. Defaults to https://api.github.com if not provided.		❌
OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION	The GitHub organization to sync. Required for single-organization setups, and not required for multi-organization support.		❌
OCEAN__PORT__CLIENT_ID	Your Port client ID (How to get the credentials).		✅
OCEAN__PORT__CLIENT_SECRET	Your Port client secret (How to get the credentials).		✅
OCEAN__PORT__BASE_URL	Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US.		✅
OCEAN__INITIALIZE_PORT_RESOURCES	Default true. When set to true, the integration will create default blueprints and the Port app config mapping.		❌
OCEAN__INTEGRATION__IDENTIFIER	The identifier of the integration that will be installed.		❌

Here is an example for an Azure pipeline file:

trigger:
- main
pool:
vmImage: "ubuntu-latest"
variables:
- group: port-ocean-credentials
steps:
- script: |
    # Set Docker image and run the container
    integration_type="github-ocean"
    version="1.2.0-beta"
    image_name="ghcr.io/port-labs/port-ocean-$integration_type:$version"

    docker run -i --rm --platform=linux/amd64 \
        -e OCEAN__EVENT_LISTENER='{"type":"ONCE"}' \
        -e OCEAN__INITIALIZE_PORT_RESOURCES=true \
        -e OCEAN__SEND_RAW_DATA_EXAMPLES=true \
        -e OCEAN__INTEGRATION__CONFIG__GITHUB_HOST=$(OCEAN__INTEGRATION__CONFIG__GITHUB_HOST) \
        -e OCEAN__INTEGRATION__CONFIG__GITHUB_TOKEN=$(OCEAN__INTEGRATION__CONFIG__GITHUB_TOKEN) \
        -e OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION=$(OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION) \
        -e OCEAN__PORT__CLIENT_ID=$(OCEAN__PORT__CLIENT_ID) \
        -e OCEAN__PORT__CLIENT_SECRET=$(OCEAN__PORT__CLIENT_SECRET) \
        -e OCEAN__PORT__BASE_URL='https://api.getport.io' \
        $image_name
    exit $?
  displayName: "Ingest Data into Port"

GitLab

Make sure to configure the following GitLab variables:

Parameter	Description	Example	Required
OCEAN__INTEGRATION__CONFIG__GITHUB_TOKEN	A GitHub Personal Access Token (PAT) to authenticate with GitHub. Use a classic PAT for multi-organization support (v3.0.0-beta+).		✅
OCEAN__INTEGRATION__CONFIG__GITHUB_HOST	The API endpoint for your GitHub instance. For GitHub Enterprise Cloud, this will be https://api.<SUBDOMAIN>.ghe.com. Defaults to https://api.github.com if not provided.		❌
OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION	The GitHub organization to sync. Required for single-organization setups, and not required for multi-organization support.		❌
OCEAN__PORT__CLIENT_ID	Your Port client ID (How to get the credentials).		✅
OCEAN__PORT__CLIENT_SECRET	Your Port client secret (How to get the credentials).		✅
OCEAN__PORT__BASE_URL	Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US.		✅
OCEAN__INITIALIZE_PORT_RESOURCES	Default true. When set to true, the integration will create default blueprints and the Port app config mapping.		❌
OCEAN__INTEGRATION__IDENTIFIER	The identifier of the integration that will be installed.		❌

Here is an example for a .gitlab-ci.yml pipeline file:

default:
image: docker:24.0.5
services:
  - docker:24.0.5-dind
before_script:
  - docker info

variables:
INTEGRATION_TYPE: github-ocean
VERSION: 1.2.0-beta
stages:
- ingest
ingest_data:
stage: ingest
variables:
  IMAGE_NAME: ghcr.io/port-labs/port-ocean-$INTEGRATION_TYPE:$VERSION
script:
  - |
    docker run -i --rm --platform=linux/amd64 \
      -e OCEAN__EVENT_LISTENER='{"type":"ONCE"}' \
      -e OCEAN__INITIALIZE_PORT_RESOURCES=true \
      -e OCEAN__SEND_RAW_DATA_EXAMPLES=true  \
      -e OCEAN__INTEGRATION__CONFIG__GITHUB_HOST=$OCEAN__INTEGRATION__CONFIG__GITHUB_HOST \
      -e OCEAN__INTEGRATION__CONFIG__GITHUB_TOKEN=$OCEAN__INTEGRATION__CONFIG__GITHUB_TOKEN \
      -e OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION=$OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION \
      -e OCEAN__PORT__CLIENT_ID=$OCEAN__PORT__CLIENT_ID \
      -e OCEAN__PORT__CLIENT_SECRET=$OCEAN__PORT__CLIENT_SECRET \
      -e OCEAN__PORT__BASE_URL='https://api.getport.io' \
      $IMAGE_NAME
rules: # Run only when changes are made to the main branch
  - if: '$CI_COMMIT_BRANCH == "main"'
schedule: # Run according to a schedule
  - cron: "0 */3 * * *" # Run every 3 hours

Selecting a Port API URL by account region

The port_region, port.baseUrl, portBaseUrl, port_base_url and OCEAN__PORT__BASE_URL parameters are used to select which instance of Port API will be used.

Port exposes two API instances, one for the EU region of Port, and one for the US region of Port.

• If you use the EU region of Port (https://app.port.io), your API URL is https://api.port.io.
• If you use the US region of Port (https://app.us.port.io), your API URL is https://api.us.port.io.

Advanced integration configuration

For advanced configuration such as proxies or self-signed certificates, click here.

All Ocean integrations expose a health check endpoint at /docs that you can use to verify the integration is running and access its API documentation.

Multi GitHub organization support

Starting from version 3.0.0-beta, the GitHub integration supports syncing data from multiple GitHub organizations when you use a classic PAT.

• Supported authentication method: Multi-organization support is available only when you authenticate using a classic PAT. Multi-organization syncing is not supported when authenticating via a GitHub App (including GitHub App (via Port) / self-hosted setups).
• Multi-organization setup: Set organizations: ["org1", "org2", "org3"] in your mapping.
• All organizations setup: If organizations is not specified, the integration syncs all organizations the classic PAT has access to.

Multi-organization mapping example (click to expand)

deleteDependentEntities: true
createMissingRelatedEntities: true
enableMergeEntity: true
organizations:
  - org1
  - org2
# ... rest of your mapping (repositoryType, resources, etc.) ...

Precedence:

If githubOrganization is set in the environment variables or config and organizations are also listed in the Port mapping, the integration prioritizes single-organization behavior and syncs only the githubOrganization.

Performance considerations:

Syncing multiple organizations increases the number of API calls to GitHub and may slow down the integration. The more organizations you sync, the longer the resync time and the higher the API rate limit consumption.

Custom GitHub App

Use this option if you want GitHub App authentication but you prefer to create and install your own GitHub App (for example, for advanced setups or self-hosted deployments).

Prerequisites

• A GitHub account with permissions to create and manage GitHub Apps in your organization. This typically requires being an Organization Owner or having the App Manager role.
• Your Port user role is set to Admin.

Create a GitHub App

1. Navigate to your GitHub organization and click on Settings.

2. Inside the settings view, click on Developer Settings and then select GitHub Apps.

3. Click New GitHub App.

4. Configure the GitHub App with the following values:

• GitHub App name: Choose a unique name for the app. Note that GitHub App names must be globally unique.
• Homepage URL: https://port.io.
• Callback URL: Leave this empty.
• Setup URL: Leave this empty.
• Uncheck Active under Webhooks. The integration will automatically create the webhook if you configure the OCEAN__BASE_URL variable later during deployment.
• Repository permissions:
  • Actions: Read-only (for syncing workflows).
  • Checks: Read-only (for syncing Port.yml).
  • Contents: Read-only (for reading port configuration files and repository files).
  • Metadata: Read-only.
  • Administration: Read-only (for syncing collaborators).
  • Pull requests: Read-only.
  • Code scanning alerts: Read-only.
  • Dependabot alerts: Read-only.
  • Deployments: Read-only.
  • Environments: Read-only.
• Organization permissions:
  • Members: Read-only (for syncing members and teams).
  • Administration: Read-only (for syncing external identities).
  • Webhooks: Read and write (to allow the integration to create webhooks).

Then select Create GitHub App.

5. Go to the Private keys section at the bottom of the app’s General settings page and generate a private key.

Keep the file, you will need it for the deployment step.

Install the GitHub App

After you have the app registered in your organization, install it and select the repositories to integrate it with:

1. Navigate to your GitHub organization and click on Settings.

2. Inside the settings view, click on Developer Settings and then select GitHub Apps.

3. Click Edit on the GitHub App you created.

4. Go to Install App and select the installation button on the organization.

5. Choose the repositories you want the integration to be installed for.

Choose the installation method that best suits your needs:

Kubernetes

Using this installation option means that the integration will be able to update Port in real time using webhooks.

Port credentials

If you deploy the integration outside Port, you need your Port CLIENT_ID and CLIENT_SECRET:

To get your Port credentials, go to your Port application, click on the ... button in the top right corner, and select Credentials. Here you can view and copy your CLIENT_ID and CLIENT_SECRET:

Prerequisites

To install the integration, you need a Kubernetes cluster that the integration's container chart will be deployed to.

Please make sure that you have kubectl and helm installed on your machine, and that your kubectl CLI is connected to the Kubernetes cluster where you plan to install the integration.

Troubleshooting

If you are having trouble installing this integration, please refer to these troubleshooting steps.

For details about the available parameters for the installation, see the table below.

Helm

To install the integration using Helm:

Add Port's Helm chart repository:

helm repo add --force-update port-labs https://port-labs.github.io/helm-charts

Install the Helm chart:

1. Create a values.yaml file with the following content:

values.yaml

port:
  clientId: "<PORT_CLIENT_ID>"
  clientSecret: "<PORT_CLIENT_SECRET>"
  baseUrl: "https://api.port.io"

integration:
  identifier: "github-ocean"
  type: "github-ocean"
  eventListener:
    type: "POLLING"
  config:
    githubOrganization: "<GITHUB_ORGANIZATION>"
    githubHost: "<GITHUB_HOST>" # e.g https://api.github.com
    githubAppId: "<GITHUB_APP_ID>" # app client id also works
  secrets:
    githubAppPrivateKey: "<BASE_64_ENCODED_PRIVATEKEY>"

# uncomment to enable live events or to support actions processing
# liveEvents:
#   baseUrl: "<your-domain>"

# uncomment to enable actions processing
# actionsProcessor:
#   enabled: true

initializePortResources: true
sendRawDataExamples: true
scheduledResyncInterval: 360

2. Install the Helm chart using the values.yaml file:

helm upgrade --install github-ocean port-labs/port-ocean -f values.yaml

See all available helm options

Selecting a Port API URL by account region

The port_region, port.baseUrl, portBaseUrl, port_base_url and OCEAN__PORT__BASE_URL parameters are used to select which instance of Port API will be used.

Port exposes two API instances, one for the EU region of Port, and one for the US region of Port.

• If you use the EU region of Port (https://app.port.io), your API URL is https://api.port.io.
• If you use the US region of Port (https://app.us.port.io), your API URL is https://api.us.port.io.

ArgoCD

To install the integration using ArgoCD:

1. Create a values.yaml file in argocd/my-ocean-github-integration in your git repository with the content:

Placeholder replacement required

Be sure to replace the <GITHUB_TOKEN> and <GITHUB_ORGANIZATION> placeholders with your actual values. If you are using a self-hosted GitHub instance, update the githubHost value to point to your instance.

For multi-organization support, use a classic PAT token and specify multiple organizations in the port mapping

deleteDependentEntities: true
createMissingRelatedEntities: true
enableMergeEntity: true
organizations:
  - org1
  - org2
# ... rest of your mapping (repositoryType, resources, etc.) ...

initializePortResources: true
scheduledResyncInterval: 120
integration:
  identifier: my-ocean-github-integration
  type: github-ocean
  eventListener:
    type: POLLING
  config:
    githubHost: https://api.github.com # Or your self-hosted GitHub URL
    githubOrganization: "<GITHUB_ORGANIZATION>" # your github organization, e.g port-labs
  secrets:
    githubToken: "<GITHUB_TOKEN>"

# uncomment to enable live events
# liveEvents:
#  baseUrl: "<your-domain>"

2. Install the my-ocean-github-integration ArgoCD Application by creating the following my-ocean-github-integration.yaml manifest:

note

Remember to replace the placeholders for YOUR_PORT_CLIENT_ID YOUR_PORT_CLIENT_SECRET and YOUR_GIT_REPO_URL.

Multiple sources ArgoCD documentation can be found here.

ArgoCD Application

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: my-ocean-github-integration
  namespace: argocd
spec:
  destination:
    namespace: my-ocean-github-integration
    server: https://kubernetes.default.svc
  project: default
  sources:
  - repoURL: 'https://port-labs.github.io/helm-charts/'
    chart: port-ocean
    targetRevision: 0.9.5
    helm:
      valueFiles:
      - $values/argocd/my-ocean-github-integration/values.yaml
      parameters:
        - name: port.clientId
          value: <YOUR_PORT_CLIENT_ID>
        - name: port.clientSecret
          value: <YOUR_PORT_CLIENT_SECRET>
        - name: port.baseUrl
          value: https://api.getport.io
  - repoURL: <YOUR_GIT_REPO_URL>
    targetRevision: main
    ref: values
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true

Selecting a Port API URL by account region

The port_region, port.baseUrl, portBaseUrl, port_base_url and OCEAN__PORT__BASE_URL parameters are used to select which instance of Port API will be used.

Port exposes two API instances, one for the EU region of Port, and one for the US region of Port.

• If you use the EU region of Port (https://app.port.io), your API URL is https://api.port.io.
• If you use the US region of Port (https://app.us.port.io), your API URL is https://api.us.port.io.

3. Apply your application manifest with kubectl:

kubectl apply -f my-ocean-github-integration.yaml

base64 encoding

On MacOS and Linux you can get base64 encoded private key by using:

base64 -i <path/to/downloaded/private_key.pem>

You can accomplish the same on Windows using Powershell:

[Convert]::ToBase64String([IO.File]::ReadAllBytes("path\to\downloaded\private_key.pem"))

Online: https://www.base64encode.org/

Enabling live-events

Live events

The liveEvents.baseUrl parameter is used specifically to enable the real-time functionality of the integration. For debugging, services like Ngrok can provide a temporary public URL. For production, a stable and publicly accessible host is required.

If it is not provided, the integration will continue to function correctly. In such a configuration, to retrieve the latest information from the target system, the scheduledResyncInterval parameter has to be set, or a manual resync will need to be triggered through Port's UI.

This integration supports live events, allowing real-time updates to your software catalog without waiting for the next scheduled sync.

The liveEvents.baseUrl specifies the public-facing URL for your integration. This URL, which must be reachable from the internet, is used to receive real-time updates from Github. It can be a public IP address or a configured domain name (e.g., https://mygithubintegration.com).

Supported live event triggers

repository:

• created
• edited
• renamed
• transferred
• unarchived
• publicized
• privatized
• archived
• deleted

pull_request:

• opened
• edited
• ready_for_review
• reopened
• synchronize
• unassigned
• review_request_removed
• closed

issues:

• assigned
• closed
• demilestoned
• edited
• labeled
• locked
• milestoned
• opened
• pinned
• reopened
• transferred
• typed
• unassigned
• unlabeled
• unlocked
• unpinned
• untyped
• deleted

release:

• created
• edited
• deleted

create

delete

push

deployment

deployment_status

workflow_run:

• in_progress
• requested
• completed

dependabot_alert:

• created
• reopened
• auto_reopened
• reintroduced
• dismissed
• auto_dismissed
• fixed

code_scanning_alert:

• appeared_in_branch
• reopened
• created
• fixed
• closed_by_user

organization:

• member_added
• member_removed

team:

• created
• edited
• deleted
• added_to_repository

membership:

• added
• removed

member:

• added
• edited
• removed

secret_scanning_alert:

• created
• publicly_leaked
• reopened
• validated
• resolved

This table summarizes the available parameters for the installation.

Parameter	Description	Required
port.clientId	Your Port client ID.	✅
port.clientSecret	Your Port client secret.	✅
port.baseUrl	Your Port API URL (https://api.getport.io for EU, https://api.us.getport.io for US).	✅
integration.identifier	A unique identifier for your integration.	✅
integration.type	The integration type.	✅
integration.eventListener.type	The event listener type.	✅
integration.config.githubOrganization	The GitHub organization to sync.	✅
integration.config.githubHost	The API endpoint for your GitHub instance. For GitHub Enterprise Cloud, this will be https://api.<SUBDOMAIN>.ghe.com. Defaults to https://api.github.com if not provided.	❌
integration.config.githubAppId	The app id or client id of your Custom GitHub App.	✅
integration.secrets.githubAppPrivateKey	The base64 encoded private key of your Custom GitHub App.	✅
scheduledResyncInterval	The number of minutes between each resync.	❌
initializePortResources	When true, the integration will create default blueprints and port-app-config.yml mapping.	❌
sendRawDataExamples	When true, sends raw data examples from the third-party API to Port for testing and managing the integration mapping.	❌
liveEvents.baseUrl	The base url of the instance where the GitHub integration is hosted, used for real-time updates (e.g. https://mygithuboceanintegration.com). Required if you want to enable live-events or actions processing.	❌
actionsProcessor.enabled	When set to true, the integration will be able to process actions and automations.	❌
integration.config.webhookSecret	A secret to secure webhooks from GitHub. This is optional but highly recommended for security if you enable live-events.	❌

Advanced integration configuration

For advanced configuration such as proxies or self-signed certificates, click here.

All Ocean integrations expose a health check endpoint at /docs that you can use to verify the integration is running and access its API documentation.

Docker

Port credentials

If you deploy the integration outside Port, you need your Port CLIENT_ID and CLIENT_SECRET:

To get your Port credentials, go to your Port application, click on the ... button in the top right corner, and select Credentials. Here you can view and copy your CLIENT_ID and CLIENT_SECRET:

Our integration can be directly run as a docker container, it can be deployed on any platform that allows deploying images as containers such as: K8S, ECS, AWS App Runner, etc.

You can pull the Docker image by running:

docker pull ghcr.io/port-labs/port-ocean-github-ocean:latest

Run the following command to start the app:

docker run \
-e OCEAN__PORT__CLIENT_ID="<PORT_CLIENT_ID>" \
-e OCEAN__PORT__CLIENT_SECRET="<PORT_CLIENT_SECRET>" \
-e OCEAN__PORT__BASE_URL="https://api.getport.io" \
-e OCEAN__BASE_URL="<https.example.com>" \ #optional, only required if you want to enable live-events or actions processing
-e OCEAN__ACTIONS_PROCESSOR__ENABLED=true \ #optional, only required if you want to enable actions processing
-e OCEAN__EVENT_LISTENER__TYPE="POLLING" \
-e OCEAN__INTEGRATION__CONFIG__GITHUB_HOST="<GITHUB_HOST>" \ # e.g https://api.github.com
-e OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION="<GITHUB_ORGANIZATION>" \
-e OCEAN__INTEGRATION__IDENTIFIER="github-ocean" \
-e OCEAN__INTEGRATION__CONFIG__GITHUB_APP_ID="<GITHUB_APP_ID>" \ # client id also works
-e OCEAN__INTEGRATION__CONFIG__GITHUB_APP_PRIVATE_KEY="<BASE_64_ENCODED_PRIVATEKEY>" \
-p 8000:8000 \
ghcr.io/port-labs/port-ocean-github-ocean:latest

Docker parameters

The command above contains placeholder values in angle brackets (e.g., <PORT_CLIENT_ID>). Be sure to replace them with your actual values before running the command.

base64 encoding

On MacOS and Linux you can get base64 encoded private key by using:

base64 -i <path/to/downloaded/private_key.pem>

You can accomplish the same on Windows using Powershell:

[Convert]::ToBase64String([IO.File]::ReadAllBytes("path\to\downloaded\private_key.pem"))

Online: https://www.base64encode.org/

Env variable	Description	Required
OCEAN__PORT__CLIENT_ID	Port client id for interacting with the API	✅
OCEAN__PORT__CLIENT_SECRET	Port client secret for interacting with the API	✅
OCEAN__PORT__BASE_URL	Port's API Base URL	✅
OCEAN__BASE_URL	The base url of the instance where the GitHub integration is hosted, used for real-time updates (e.g. https://mygithuboceanintegration.com).	❌
OCEAN__ACTIONS_PROCESSOR__ENABLED	when set to true, the integration will be able to process actions and automations	❌
OCEAN__INTEGRATION__CONFIG__WEBHOOK_SECRET	A secret to secure webhooks from GitHub. This is optional but highly recommended for security if you enable live-events.	❌
OCEAN__EVENT_LISTENER__TYPE	Define the appropriate event listener type to handle incoming events and resync requests from Port. This listener will forward the events to the GitHub Ocean integration. For more details, see the Port Event Listener documentation	✅
OCEAN__INTEGRATION__CONFIG__GITHUB_HOST	The API endpoint for your GitHub instance. For GitHub Enterprise, this will be https://api.<SUBDOMAIN>.ghe.com. Defaults to https://api.github.com if not provided.	❌
OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION	Single GitHub organization name to sync data from a single organization. Required for single-org authentication.	❌
OCEAN__INTEGRATION__IDENTIFIER	A unique identifier for the integration instance. Useful if you are running multiple self-hosted GitHub integrations. Defaults to github-ocean.	✅
OCEAN__INTEGRATION__CONFIG__GITHUB_APP_ID	App id or client id. You can find it in the edit GitHub app page.	✅
OCEAN__INTEGRATION__CONFIG__GITHUB_APP_PRIVATE_KEY	A base64 encoded Github app private key.	✅

Selecting a Port API URL by account region

The port_region, port.baseUrl, portBaseUrl, port_base_url and OCEAN__PORT__BASE_URL parameters are used to select which instance of Port API will be used.

Port exposes two API instances, one for the EU region of Port, and one for the US region of Port.

• If you use the EU region of Port (https://app.port.io), your API URL is https://api.port.io.
• If you use the US region of Port (https://app.us.port.io), your API URL is https://api.us.port.io.

CI

Port credentials

If you deploy the integration outside Port, you need your Port CLIENT_ID and CLIENT_SECRET:

To get your Port credentials, go to your Port application, click on the ... button in the top right corner, and select Credentials. Here you can view and copy your CLIENT_ID and CLIENT_SECRET:

This workflow/pipeline will run the GitHub integration once and then exit. This is useful for scheduled ingestion of data.

Use the Custom GitHub App credentials in your CI secret store.

GitHub

Make sure to configure the following GitHub secrets:

Parameter	Description	Example	Required
OCEAN__INTEGRATION__CONFIG__GITHUB_APP_ID	The app id or client id of your Custom GitHub App.		✅
OCEAN__INTEGRATION__CONFIG__GITHUB_APP_PRIVATE_KEY	The base64 encoded private key of your Custom GitHub App.		✅
OCEAN__INTEGRATION__CONFIG__GITHUB_HOST	The API endpoint for your GitHub instance. For GitHub Enterprise Cloud, this will be https://api.<SUBDOMAIN>.ghe.com. Defaults to https://api.github.com if not provided.		❌
OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION	The GitHub organization to sync (Custom GitHub App supports single organization only). For setup steps, see the Custom GitHub App tab.		✅
OCEAN__PORT__CLIENT_ID	Your Port client ID (How to get the credentials).		✅
OCEAN__PORT__CLIENT_SECRET	Your Port client secret (How to get the credentials).		✅
OCEAN__PORT__BASE_URL	Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US.		✅
OCEAN__INITIALIZE_PORT_RESOURCES	Default true. When set to true, the integration will create default blueprints and the Port app config mapping.		❌
OCEAN__INTEGRATION__IDENTIFIER	The identifier of the integration that will be installed.		❌

Here is an example for a github-integration.yml workflow file:

name: Github Exporter Workflow
on:
workflow_dispatch:
schedule:
  - cron: "0 */1 * * *" # Determines the scheduled interval for this workflow. This example runs every hour.
jobs:
run-integration:
  runs-on: ubuntu-latest
  timeout-minutes: 30 # Set a time limit for the job
  steps:
    - uses: port-labs/ocean-sail@v1
      with:
        type: "github-ocean"
        port_client_id: ${{ secrets.OCEAN__PORT__CLIENT_ID }}
        port_client_secret: ${{ secrets.OCEAN__PORT__CLIENT_SECRET }}
        port_base_url: https://api.getport.io
        config: |
          githubHost: ${{ secrets.OCEAN__INTEGRATION__CONFIG__GITHUB_HOST }}
          githubOrganization: ${{ secrets.OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION }}
          githubAppId: ${{ secrets.OCEAN__INTEGRATION__CONFIG__GITHUB_APP_ID }}
          githubAppPrivateKey: ${{ secrets.OCEAN__INTEGRATION__CONFIG__GITHUB_APP_PRIVATE_KEY }}

Jenkins

Docker requirement

Your Jenkins agent should be able to run Docker commands.

Make sure to configure the following Jenkins credentials of Secret Text type:

Parameter	Description	Example	Required
OCEAN__INTEGRATION__CONFIG__GITHUB_APP_ID	The app id or client id of your Custom GitHub App.		✅
OCEAN__INTEGRATION__CONFIG__GITHUB_APP_PRIVATE_KEY	The base64 encoded private key of your Custom GitHub App.		✅
OCEAN__INTEGRATION__CONFIG__GITHUB_HOST	The API endpoint for your GitHub instance. For GitHub Enterprise Cloud, this will be https://api.<SUBDOMAIN>.ghe.com. Defaults to https://api.github.com if not provided.		❌
OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION	The GitHub organization to sync (Custom GitHub App supports single organization only). For setup steps, see the Custom GitHub App tab.		✅
OCEAN__PORT__CLIENT_ID	Your Port client ID (How to get the credentials).		✅
OCEAN__PORT__CLIENT_SECRET	Your Port client secret (How to get the credentials).		✅
OCEAN__PORT__BASE_URL	Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US.		✅
OCEAN__INITIALIZE_PORT_RESOURCES	Default true. When set to true, the integration will create default blueprints and the Port app config mapping.		❌
OCEAN__INTEGRATION__IDENTIFIER	The identifier of the integration that will be installed.		❌

Here is an example for a Jenkinsfile groovy pipeline file:

pipeline {
  agent any
  stages {
      stage('Run Github Integration') {
          steps {
              script {
                  withCredentials([
                      string(credentialsId: 'OCEAN__INTEGRATION__CONFIG__GITHUB_HOST', variable: 'OCEAN__INTEGRATION__CONFIG__GITHUB_HOST'),
                      string(credentialsId: 'OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION', variable: 'OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION'),
                      string(credentialsId: 'OCEAN__INTEGRATION__CONFIG__GITHUB_APP_ID', variable: 'OCEAN__INTEGRATION__CONFIG__GITHUB_APP_ID'),
                      string(credentialsId: 'OCEAN__INTEGRATION__CONFIG__GITHUB_APP_PRIVATE_KEY', variable: 'OCEAN__INTEGRATION__CONFIG__GITHUB_APP_PRIVATE_KEY'),
                      string(credentialsId: 'OCEAN__PORT__CLIENT_ID', variable: 'OCEAN__PORT__CLIENT_ID'),
                      string(credentialsId: 'OCEAN__PORT__CLIENT_SECRET', variable: 'OCEAN__PORT__CLIENT_SECRET'),
                  ]) {
                      sh('''
                          #Set Docker image and run the container
                          integration_type="github-ocean"
                          version="1.2.0-beta"
                          image_name="ghcr.io/port-labs/port-ocean-$integration_type:$version"
                          docker run -i --rm --platform=linux/amd64 \
                              -e OCEAN__EVENT_LISTENER='{"type":"ONCE"}' \
                              -e OCEAN__INITIALIZE_PORT_RESOURCES=true \
                              -e OCEAN__SEND_RAW_DATA_EXAMPLES=true \
                              -e OCEAN__INTEGRATION__CONFIG__GITHUB_HOST=$OCEAN__INTEGRATION__CONFIG__GITHUB_HOST \
                              -e OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION=$OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION \
                              -e OCEAN__INTEGRATION__CONFIG__GITHUB_APP_ID=$OCEAN__INTEGRATION__CONFIG__GITHUB_APP_ID \
                              -e OCEAN__INTEGRATION__CONFIG__GITHUB_APP_PRIVATE_KEY=$OCEAN__INTEGRATION__CONFIG__GITHUB_APP_PRIVATE_KEY \
                              -e OCEAN__PORT__CLIENT_ID=$OCEAN__PORT__CLIENT_ID \
                              -e OCEAN__PORT__CLIENT_SECRET=$OCEAN__PORT__CLIENT_SECRET \
                              -e OCEAN__PORT__BASE_URL='https://api.getport.io' \
                              $image_name
                          exit $?
                      ''')
                  }
              }
          }
      }
  }
}

Azure DevOps

Make sure to configure the following Azure DevOps pipeline variables:

Parameter	Description	Example	Required
OCEAN__INTEGRATION__CONFIG__GITHUB_APP_ID	The app id or client id of your Custom GitHub App.		✅
OCEAN__INTEGRATION__CONFIG__GITHUB_APP_PRIVATE_KEY	The base64 encoded private key of your Custom GitHub App.		✅
OCEAN__INTEGRATION__CONFIG__GITHUB_HOST	The API endpoint for your GitHub instance. For GitHub Enterprise Cloud, this will be https://api.<SUBDOMAIN>.ghe.com. Defaults to https://api.github.com if not provided.		❌
OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION	The GitHub organization to sync (Custom GitHub App supports single organization only). For setup steps, see the Custom GitHub App tab.		✅
OCEAN__PORT__CLIENT_ID	Your Port client ID (How to get the credentials).		✅
OCEAN__PORT__CLIENT_SECRET	Your Port client secret (How to get the credentials).		✅
OCEAN__PORT__BASE_URL	Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US.		✅
OCEAN__INITIALIZE_PORT_RESOURCES	Default true. When set to true, the integration will create default blueprints and the Port app config mapping.		❌
OCEAN__INTEGRATION__IDENTIFIER	The identifier of the integration that will be installed.		❌

Here is an example for an Azure pipeline file:

trigger:
- main
pool:
vmImage: "ubuntu-latest"
variables:
- group: port-ocean-credentials
steps:
- script: |
    # Set Docker image and run the container
    integration_type="github-ocean"
    image_name="ghcr.io/port-labs/port-ocean-$integration_type:latest"

    docker run -i --rm --platform=linux/amd64 \
        -e OCEAN__EVENT_LISTENER='{"type":"ONCE"}' \
        -e OCEAN__INITIALIZE_PORT_RESOURCES=true \
        -e OCEAN__SEND_RAW_DATA_EXAMPLES=true \
        -e OCEAN__INTEGRATION__CONFIG__GITHUB_HOST=$(OCEAN__INTEGRATION__CONFIG__GITHUB_HOST) \
        -e OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION=$(OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION) \
        -e OCEAN__INTEGRATION__CONFIG__GITHUB_APP_ID=$(OCEAN__INTEGRATION__CONFIG__GITHUB_APP_ID) \
        -e OCEAN__INTEGRATION__CONFIG__GITHUB_APP_PRIVATE_KEY=$(OCEAN__INTEGRATION__CONFIG__GITHUB_APP_PRIVATE_KEY) \
        -e OCEAN__PORT__CLIENT_ID=$(OCEAN__PORT__CLIENT_ID) \
        -e OCEAN__PORT__CLIENT_SECRET=$(OCEAN__PORT__CLIENT_SECRET) \
        -e OCEAN__PORT__BASE_URL='https://api.getport.io' \
        $image_name
    exit $?
  displayName: "Ingest Data into Port"

GitLab

Make sure to configure the following GitLab variables:

Parameter	Description	Example	Required
OCEAN__INTEGRATION__CONFIG__GITHUB_APP_ID	The app id or client id of your Custom GitHub App.		✅
OCEAN__INTEGRATION__CONFIG__GITHUB_APP_PRIVATE_KEY	The base64 encoded private key of your Custom GitHub App.		✅
OCEAN__INTEGRATION__CONFIG__GITHUB_HOST	The API endpoint for your GitHub instance. For GitHub Enterprise Cloud, this will be https://api.<SUBDOMAIN>.ghe.com. Defaults to https://api.github.com if not provided.		❌
OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION	The GitHub organization to sync (Custom GitHub App supports single organization only). For setup steps, see the Custom GitHub App tab.		✅
OCEAN__PORT__CLIENT_ID	Your Port client ID (How to get the credentials).		✅
OCEAN__PORT__CLIENT_SECRET	Your Port client secret (How to get the credentials).		✅
OCEAN__PORT__BASE_URL	Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US.		✅
OCEAN__INITIALIZE_PORT_RESOURCES	Default true. When set to true, the integration will create default blueprints and the Port app config mapping.		❌
OCEAN__INTEGRATION__IDENTIFIER	The identifier of the integration that will be installed.		❌

Here is an example for a .gitlab-ci.yml pipeline file:

default:
image: docker:24.0.5
services:
  - docker:24.0.5-dind
before_script:
  - docker info

variables:
INTEGRATION_TYPE: github-ocean
stages:
- ingest
ingest_data:
stage: ingest
variables:
  IMAGE_NAME: ghcr.io/port-labs/port-ocean-$INTEGRATION_TYPE:latest
script:
  - |
    docker run -i --rm --platform=linux/amd64 \
      -e OCEAN__EVENT_LISTENER='{"type":"ONCE"}' \
      -e OCEAN__INITIALIZE_PORT_RESOURCES=true \
      -e OCEAN__SEND_RAW_DATA_EXAMPLES=true  \
      -e OCEAN__INTEGRATION__CONFIG__GITHUB_HOST=$OCEAN__INTEGRATION__CONFIG__GITHUB_HOST \
      -e OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION=$OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION \
      -e OCEAN__INTEGRATION__CONFIG__GITHUB_APP_ID=$OCEAN__INTEGRATION__CONFIG__GITHUB_APP_ID \
      -e OCEAN__INTEGRATION__CONFIG__GITHUB_APP_PRIVATE_KEY=$OCEAN__INTEGRATION__CONFIG__GITHUB_APP_PRIVATE_KEY \
      -e OCEAN__PORT__CLIENT_ID=$OCEAN__PORT__CLIENT_ID \
      -e OCEAN__PORT__CLIENT_SECRET=$OCEAN__PORT__CLIENT_SECRET \
      -e OCEAN__PORT__BASE_URL='https://api.getport.io' \
      $IMAGE_NAME
rules: # Run only when changes are made to the main branch
  - if: '$CI_COMMIT_BRANCH == "main"'
schedule: # Run according to a schedule
  - cron: "0 */3 * * *" # Run every 3 hours

Selecting a Port API URL by account region

The port_region, port.baseUrl, portBaseUrl, port_base_url and OCEAN__PORT__BASE_URL parameters are used to select which instance of Port API will be used.

Port exposes two API instances, one for the EU region of Port, and one for the US region of Port.

• If you use the EU region of Port (https://app.port.io), your API URL is https://api.port.io.
• If you use the US region of Port (https://app.us.port.io), your API URL is https://api.us.port.io.

Advanced integration configuration

For advanced configuration such as proxies or self-signed certificates, click here.

All Ocean integrations expose a health check endpoint at /docs that you can use to verify the integration is running and access its API documentation.

Configuration

This section describes common configuration options you can use across installation methods.

Repository type

The repositoryType parameter filters which repositories are ingested. It corresponds to the type parameter in GitHub's List organization repositories API.

Possible values (Click to expand)

• all (default): All repositories accessible to the provided token.
• public: Public repositories only.
• private: Private repositories only.
• forks: Forked repositories only.
• sources: Non-forked repositories only.

Default mapping configuration

This is the default mapping configuration for this integration:

Default mapping configuration (Click to expand)

repositoryType: "all"
deleteDependentEntities: true
createMissingRelatedEntities: true
resources:
  - kind: organization
    selector:
      query: "true"
    port:
      entity:
        mappings:
          identifier: .login
          title: .login
          blueprint: '"githubOrganization"'
          properties:
            login: .login
            id: .id
            nodeId: .node_id
            url: .url
            reposUrl: .repos_url
            eventsUrl: .events_url
            hooksUrl: .hooks_url
            issuesUrl: .issues_url
            membersUrl: .members_url
            publicMembersUrl: .public_members_url
            avatarUrl: .avatar_url
            description: if .description then .description else "" end
  - kind: repository
    selector:
      query: "true"
    port:
      entity:
        mappings:
          identifier: .name
          title: .name
          blueprint: '"githubRepository"'
          properties:
            description: if .description then .description else "" end
            visibility: if .private then "private" else "public" end
            defaultBranch: .default_branch
            readme: file://README.md
            url: .html_url
            language: if .language then .language else "" end
          relations:
            organization: .owner.login
  - kind: pull-request
    selector:
      query: "true"
      state: "open"
    port:
      entity:
        mappings:
          identifier: ".head.repo.name + (.id|tostring)"
          title: ".title"
          blueprint: '"githubPullRequest"'
          properties:
            creator: ".user.login"
            assignees: "[.assignees[].login]"
            reviewers: "[.requested_reviewers[].login]"
            status: ".state"
            closedAt: ".closed_at"
            updatedAt: ".updated_at"
            mergedAt: ".merged_at"
            createdAt: ".created_at"
            prNumber: ".id"
            link: ".html_url"
            leadTimeHours: >-
              (.created_at as $createdAt | .merged_at as $mergedAt |
              ($createdAt | sub("\\..*Z$"; "Z") | strptime("%Y-%m-%dT%H:%M:%SZ") | mktime) as $createdTimestamp |
              ($mergedAt | if . == null then null else sub("\\..*Z$"; "Z") |
              strptime("%Y-%m-%dT%H:%M:%SZ") | mktime end) as $mergedTimestamp |
              if $mergedTimestamp == null then null else
              (((($mergedTimestamp - $createdTimestamp) / 3600) * 100 | floor) / 100) end)
          relations:
            repository: .__repository