⚠️ Breaking Change: Shared GitHub App Host Configuration
Affected Deployments
This change affects self-hosted deployments where the shared GitHub App (INF_APP_CONNECTION_GITHUB_APP_*) is registered on a GitHub Enterprise Server (GHES) instance rather than github.com.
The shared GitHub App is now bound to a single, server-configured host through the INF_APP_CONNECTION_GITHUB_APP_HOST environment variable.
Previously, the host could be supplied by the client during the OAuth or installation exchange. The backend now ignores any client-provided host for the shared GitHub App and always uses INF_APP_CONNECTION_GITHUB_APP_HOST, defaulting to github.com when the variable is not set.
This change improves security by preventing clients from redirecting the OAuth exchange to an arbitrary GitHub host and potentially exposing the shared app's client secret.
Impact
GitHub.com Deployments
No action is required. If INF_APP_CONNECTION_GITHUB_APP_HOST is not set, the application defaults to github.com and behavior remains unchanged.
GitHub Enterprise Server (GHES) Deployments
If your shared GitHub App is registered on a GHES instance, you must configure INF_APP_CONNECTION_GITHUB_APP_HOST with your GHES hostname.
If this variable is not configured, the shared GitHub App will resolve to github.com, causing GitHub App connection flows against your GHES instance to fail.
Required Action
Add the following environment variable to your backend configuration:
INF_APP_CONNECTION_GITHUB_APP_HOST=github.example.com
Replace github.example.com with the hostname of the GitHub instance where your shared GitHub App is registered.
Leave this variable unset if your shared GitHub App is registered on github.com.
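The host binding described above, sketched as an added example (not Infisical's own code): the old client-influenced resolution next to the server-pinned one. Function names, the hostname validation, the legacy fallback order, and treating an empty value as unset are assumptions.

```typescript
// Added illustration, not Infisical's source. Function and type names are hypothetical.
type Env = Record<string, string | undefined>;

const HOST_VAR = "INF_APP_CONNECTION_GITHUB_APP_HOST"; // variable named in the release notes
const DEFAULT_HOST = "github.com"; // documented default when the variable is not set

// Assumption: the value is a bare hostname with an optional port (no scheme, path or userinfo).
const HOSTNAME_RE = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*(:\d{1,5})?$/;

// Model of the old behaviour described above: a client-supplied host wins.
// The fallback order after the client value is assumed.
function legacyResolveHost(env: Env, clientHost?: string): string {
  return clientHost ?? env[HOST_VAR] ?? DEFAULT_HOST;
}

// Model of the new behaviour: only server configuration decides the host.
// The client value is never returned; it is only compared so a mismatch can be logged.
function resolveSharedAppHost(
  env: Env,
  clientHost?: string
): { host: string; ignoredClientHost: boolean } {
  const raw = (env[HOST_VAR] ?? "").trim().toLowerCase(); // assumption: empty counts as unset
  if (raw !== "" && (raw.length > 253 || !HOSTNAME_RE.test(raw))) {
    throw new Error(`${HOST_VAR} must be a bare hostname, got "${raw}"`);
  }
  const host = raw === "" ? DEFAULT_HOST : raw;
  const ignoredClientHost =
    clientHost !== undefined && clientHost.trim().toLowerCase() !== host;
  return { host, ignoredClientHost };
}

// The OAuth code-for-token request carries client_secret, so its destination
// must come from the server-pinned host only.
function tokenExchangeUrl(host: string): string {
  return `https://${host}/login/oauth/access_token`;
}
```

Logging requests where ignoredClientHost is true gives operators a signal that a client is still sending a host the backend no longer honours.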
What's Changed
- chore: revert add kmip client registration with CSR" by @sheensantoscapadngan in #6778
- feat: allow multiple git hub apps per organization by @Thiago-AS in #6490
- feat(validation-rules): dynamic secrets and rotations support by @varonix0 in #6773
- fix(cert-manager): default to member role and enforce admin/member-only by @saifsmailbox98 in #6761
- fix: clean up app permissions when entities are removed by @carlosmonastyrski in #6744
- fix(telemetry): group PKI Sync aggregation by destination for clean PostHog breakdowns by @devin-ai-integration[bot] in #6786
- docs(ansible): add warning for token visibility in login task by @victorvhs017 in #6789
- fix(e2e): seed standing admin in gamma e2e org by @PrestigePvP in #6785
- improvement(router): change route creation to avoid memory stack exceeded error by @adilsitos in #6784
- fix: pki application members have to be product users to be added to an app by @carlosmonastyrski in #6750
- feat: convex secret rotation by @mathnogueira in #6730
- feat: migrate general, product and security settings tabs to v3 and update org settings title based on tab by @scott-ray-wilson in #6753
- improvement: migrate toast to v3, improve behavior, add stories and u… by @scott-ray-wilson in #6760
- feat: add Infisical OAuth 2.0 support by @Thiago-AS in #6772
- feat: improvements in checks by @akhilmhdh in #6798
- ci: disable preview environment workflow by @devin-ai-integration[bot] in #6799
- feat: added go shadowing by @akhilmhdh in #6751
- fix(telemetry): attach orgId as flat property on aggregated events by @devin-ai-integration[bot] in #6800
- docs(eng-5200): document domain in .infisical.json and INFISICAL_DOMAIN by @PrestigePvP in #6797
- improvement: improve toast validation/forbid modal handling and update forbid modal UI by @scott-ray-wilson in #6801
- feat(kmip): remove machine identities from KMIP server registration by @bernie-g in #6740
- feat(frontend): hide all-projects view from users without request-access permission by @PrestigePvP in #6774
- feat(secrets-insight): detect duplicate secret values by @mathnogueira in #6747
- fix: use gateway in case of private GHE server by @Thiago-AS in #6803
- improvement: migrate create service token modal to v3 components and sheet by @scott-ray-wilson in #6804
- fix: application list shows not more than 20 entries by @carlosmonastyrski in #6792
Full Changelog: v0.160.12...v1.0.0