Git Integration
Git is a distributed version control system designed to handle everything from small to very large projects with speed and efficiency.
Orvanta has a dedicated resource type used for Git sync, to sync an Orvanta workspace to a remote repository that will automatically commit and push scripts, flows and apps on each deploy.
GitHub App
Section titled “GitHub App”Instead of using a long-lived personal access token to authenticate with GitHub for Git sync, you can use the GitHub App to authenticate with GitHub. This allows you to control which repositories can be accessed by your Orvanta deployment using a short-lived GitHub app installation token.
GitHub App is available under Orvanta Enterprise.
Network requirements
Section titled “Network requirements”The GitHub App feature requires your Orvanta instance to communicate with https://stats.orvanta.cloud to obtain GitHub installation tokens. This is the same endpoint used for telemetry.
If your GitHub organization uses IP allow lists, you will need to whitelist the IP address of stats.orvanta.cloud to allow it to request installation tokens from GitHub on behalf of your Orvanta instance. Contact support to get the current IP address.
This network requirement only applies to the Orvanta-managed GitHub App. If you use a self-managed GitHub App, your Orvanta instance communicates directly with your GitHub instance. In that case, if your GitHub organization uses IP allow lists, whitelist your Orvanta instance’s IP address instead.
As an Orvanta workspace admin, you can install the GitHub app to multiple organizations and link them to your Orvanta workspaces. Once an app has been installed to a workspace, you can install it to other workspaces where you have the admin role.
You will only be able to use the installation token for Git sync.
Importing / exporting to/from another Orvanta instance
Section titled “Importing / exporting to/from another Orvanta instance”A GitHub app can only be installed to a GitHub organization once. Hence to associate an installation to multiple Orvanta instances you need to export the associated JWT token on the source instance using the “Export” button and paste the JWT in the destination instance to import the installation.
The JWT token associated to your GitHub app installation is sensitive and has the rights to request a short-lived installation token. To revoke the JWT, you need to uninstall the GitHub app from your organization and re-install it to re-associate it with an Orvanta instance.
Self-managed GitHub App
Section titled “Self-managed GitHub App”Instead of using the Orvanta-managed GitHub App, you can register your own GitHub App on any GitHub instance — whether GitHub.com or a GitHub Enterprise Server (GHES) instance. This gives you full control over the app configuration and removes the dependency on stats.orvanta.cloud, as tokens are exchanged directly between your Orvanta instance and your GitHub instance.
This feature is Enterprise Edition only and is configured at the instance level by a superadmin.
To set up a self-managed GitHub App:
- Register a new GitHub App on your GitHub instance (github.com or your GHES instance).
- In Orvanta Instance Settings, go to Advanced > GitHub Enterprise App and enable “Self-managed GitHub App (for GHES or custom GitHub App)”.
- Fill in the app details: Base URL (e.g.
https://github.comor your GHES URL), App ID, App Slug, Client ID, and Private Key (PEM). - Install the GitHub App to your organization on your GitHub instance.
Once configured, the self-managed GitHub App can be used for Git sync authentication in the same way as the managed GitHub App. Host-based installation filtering ensures tokens are scoped to the correct GitHub instance, preventing token leakage across instances.