Feat: automatic github app creation for self-hosting

[Meldiron]

What does this PR do?

Adds component to automatically create pre-configured app

Test Plan

Manual QA:

CleanShot.2026-02-11.at.18.18.51.mp4

(build worker didnt work well at the end, becasue I only restarted appwrite container after providing VCS details in ENV file)

Related PRs and Issues

x

Have you read the Contributing Guidelines on issues?

Yes

Summary by CodeRabbit

• New Features

  • Added an automated GitHub App setup flow to guide and complete app creation and configuration.

• Documentation

  • Restructured GitHub App configuration guide with automatic/manual setup paths, environment variable reference, verification steps, and a troubleshooting section.

• Chores

  • Updated security policy to allow necessary GitHub and CDN/API resources for the new setup flow.

[coderabbitai]

Walkthrough

Updated server CSP to allow GitHub and related endpoints (form-action added for github.com; connect-src expanded). Added a new Svelte component src/markdoc/tags/GitHub_App_Form.svelte that implements a GitHub App manifest-based creation flow, session state handling, manifest submission, API exchange for app credentials, UI states, and exports env-style output. Re-exported the component from src/markdoc/tags/_Module.svelte. Documentation files were reorganized: configure-github-app.md split into automatic/manual flows and headings adjusted; the version-control page gained an Environment variables section and expanded verification/troubleshooting content.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Feat: automatic github app creation for self-hosting' directly describes the main feature added: a new component enabling automatic GitHub App creation for self-hosted Appwrite instances.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat-automatic-github-app

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In `@src/markdoc/tags/GitHub_App_Form.svelte`:
- Around line 159-171: The envContent function currently wraps the raw PEM in
double quotes but only strips a trailing newline, which leaves internal literal
newlines that break .env parsing; update envContent (and its use of config.pem)
to escape internal newlines to the two-character sequence "\n" (e.g. replace all
newline characters with '\\n') and then remove any trailing newline if present
before interpolating into the returned dotenv string so the PEM becomes a
single-line, backslash-n-escaped value that Docker Compose and other .env
parsers accept.

In `@src/partials/configure-github-app.md`:
- Line 15: Fix the typo in the documentation: replace the word "manially" with
"manually" in the sentence "You can create your GitHub app manially by filling
[GitHub app creation form]..." inside src/partials/configure-github-app.md so
the sentence reads "You can create your GitHub app manually by filling [GitHub
app creation form]...".

In
`@src/routes/docs/advanced/self-hosting/configuration/version-control/`+page.markdoc:
- Around line 68-75: Remove the duplicate "## Troubleshooting {%
`#troubleshooting` %}" block and its repeated paragraph (the second occurrence
that duplicates the "Update existing GitHub apps" content); locate the redundant
heading and its three-line paragraph (the repeated GitHub app permissions
instructions) and delete them so only the original Troubleshooting section and
unique anchor remain, ensuring no duplicate anchor ID or repeated text.

🧹 Nitpick comments (3)

src/markdoc/tags/GitHub_App_Form.svelte (3)

184-190: $effect may re-trigger completeSetup on unrelated URL changes.

This effect runs on every reactive read of page.url. If anything else causes a URL search-param change while code and state are still present (before goto clears them), or if the goto itself triggers a re-run before loading is set, there could be a race. The guards (!appConfig && !loading) mitigate this, but consider using $effect with untrack on the guards, or using onMount for a one-shot callback check to be safe.

---

91-98: organizationHandle is interpolated into the form action URL without sanitization.

While the risk is limited since the user controls their own input and this targets a GitHub URL, consider encoding the handle to avoid malformed URLs (e.g., handles with special characters).

Proposed fix

         const baseUrl =
             isOrganization && organizationHandle
-                ? `https://github.com/organizations/${organizationHandle}/settings/apps/new`
+                ? `https://github.com/organizations/${encodeURIComponent(organizationHandle)}/settings/apps/new`
                 : 'https://github.com/settings/apps/new';

---

29-41: Hostname validation rejects hosts with port numbers.

Self-hosters behind proxies may use domains with ports (e.g., appwrite.example.com:8080). The current regex ^[a-zA-Z0-9-]+$ on each part will reject colons. If port support is intentionally excluded, consider adding a hint in the UI.

[Copilot]

Pull request overview

Adds an “automatic GitHub App setup” flow to the self-hosting docs by embedding a Markdoc/Svelte form that generates a GitHub App via manifest conversion, and updates docs/CSP to support the new flow.

Changes:

• Introduces a new Markdoc tag component (GitHub_App_Form) to create a GitHub App via GitHub App Manifest and output the required .env values.
• Reorganizes version-control self-hosting docs (moves env var + “update existing apps” guidance into the version-control page, adds section anchors).
• Updates CSP to allow posting forms to GitHub and fetching from api.github.com.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
src/routes/docs/advanced/self-hosting/configuration/version-control/+page.markdoc	Expands and restructures the version control self-hosting documentation, adds anchors and env-var guidance.
src/partials/configure-github-app.md	Adds automatic setup section and embeds the new Markdoc tag; keeps manual setup instructions.
src/markdoc/tags/_Module.svelte	Exposes the new GitHub_App_Form tag to Markdoc.
src/markdoc/tags/GitHub_App_Form.svelte	New client-side form + GitHub manifest conversion logic and .env output generation.
src/hooks.server.ts	CSP updates to permit the GitHub form POST and GitHub API calls from the docs page.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@src/markdoc/tags/GitHub_App_Form.svelte`:
- Around line 60-111: The submit() function sets submitting = true but never
resets it; update the component to clear submitting when the flow is aborted by
adding submitting = false inside the existing reset() function (so reset()
always re-enables the button) and also ensure submitting is initialized/reset on
mount or via a reactive effect that checks URL searchParams (no code/state
present) to set submitting = false; reference submit(), reset(), and the
STATE_KEY/state verification logic (and the code/state URL param checks) when
making these changes.