Native/CLI agent that authenticates via the Device Authorization Grant (RFC 8628), then uses Vouch's credential brokering API to obtain a GitHub installation token. Optionally clones a private repository using the brokered token.
No client secret is needed. The user authenticates by visiting a URL in their browser and entering a code.
- Device auth flow -- The agent requests a device code from Vouch and displays a verification URL and user code. The user signs in via their browser.
- GitHub token -- After authentication, the agent calls Vouch's
/v1/credentials/github/tokenendpoint with the access token to get a scoped GitHub installation token. - Clone (optional) -- If
GITHUB_REPOis set, the agent clones the repository using the brokered token.
| Variable | Required | Description |
|---|---|---|
VOUCH_ISSUER | No | OIDC issuer URL (default: https://us.vouch.sh) |
VOUCH_CLIENT_ID | Yes | The public client ID |
GITHUB_OWNER | No | GitHub organization or user to scope the token to |
GITHUB_REPOSITORIES | No | Comma-separated list of repository names to scope the token to |
GITHUB_REPO | No | Repository name to clone after obtaining the token |
docker build -t vouch-python-agent-github . docker run -it \ -e VOUCH_ISSUER=https://us.vouch.sh \ -e VOUCH_CLIENT_ID=your-client-id \ -e GITHUB_OWNER=your-org \ vouch-python-agent-githubTo clone a private repository:
docker run -it \ -e VOUCH_ISSUER=https://us.vouch.sh \ -e VOUCH_CLIENT_ID=your-client-id \ -e GITHUB_OWNER=your-org \ -e GITHUB_REPO=your-private-repo \ vouch-python-agent-github