Part 2: Rethinking Feedback - GitHub App Setup

In Part 1, we explored why traditional feedback channels - like email, social media, and public GitHub issues - often fall short for everyday users. They're clunky, disjointed, and unintuitive for people who just want to say, "Hey, something's not working."

Now, it's time to move from theory to practice.

In this part, we'll set up a GitHub App that acts as a secure bridge between your app and your GitHub repository¹. This forms the backbone of the system that FormLogger uses to quietly log feedback as GitHub issues - all behind the scenes, powered by a lightweight backend like a Cloudflare Worker.

In case it wasn't obvious from the title, this walkthrough is based on GitHub. There are other git platforms out there that might offer similar features, and you could absolutely adapt this approach to fit those. But here, I'm just sharing what I actually use and how I've set it up in my own workflow.

Why Use a GitHub App?

When you're building a system that needs to interact with GitHub - like logging issues from within your app - you have a few integration options. But the most secure, flexible, and future-proof choice is to use a GitHub App.

Unlike personal access tokens, GitHub Apps give you precise control over what your integration can and can't do. You can limit the app's access to only specific repositories, rather than your entire account. You can set fine-grained permissions, allowing it to create issues, but not touch code, read pull requests, or access anything else.

Another big advantage: GitHub Apps don't expose your personal identity when making API calls. That separation matters, especially in team environments or public repositories. And if you ever need to rotate credentials - like when a key is compromised or just needs refreshing - GitHub makes it easy to revoke or regenerate without breaking the app.

Most importantly, GitHub officially recommends this approach. It's the modern, secure way to build integrations - and that's exactly what we'll use.

Step 1: Create a GitHub App

Start by heading to your GitHub account's Developer Settings. From there, find the "GitHub Apps" section in the left-hand sidebar and click New GitHub App.

You'll now be asked to fill out some basic information about your app.

Field	What to Enter	Description
GitHub App name	`FeedbackBot`, `IssueLoggerApp`, etc.	A simple, descriptive name. This is how your app will be identified.
Homepage URL	Your personal or project website	A link users can visit to learn more about your app or project.
Callback URL	(Leave blank)	Not needed in this setup.
Setup URL	(Leave blank)	Not needed in this setup.
Webhook	(Leave unchecked)	Not needed in this setup.
Webhook URL	(Leave blank)	Not needed in this setup.
Webhook secret	(Leave blank)	Not needed in this setup.
Permissions	(Configure in next step)	We'll set this in the next section.

Once those fields are filled out, you're ready to move on and give the app the proper access to do its job.

Step 2: Set the Right Permissions

Once your GitHub App is created, you'll need to define exactly what it's allowed to do. This happens in the Permissions section - and the good news is, we only need one.

Since FormLogger's only task is to send feedback by creating GitHub issues, we can leave almost everything else untouched.

What to Enable

Under Repository permissions, enable:

Issues > Access: Read and write This is the only permission required. It allows the app to create issues in your repository.

What to Ignore

You can safely leave the rest of the permissions alone:

Organisation permissions - Not needed
Account permissions - Not needed

Where can this Github App be installed?

When setting up your GitHub App, I recommend selecting Only on this account. This ensures that the app is locked down and restricted to your own account, giving you full control over it.

The reason for this is simple: we're going to be using the .pem private key in the backend. You don't want to share this key with other users, as it gives access to your app's functionality. Keeping the app restricted to your account helps maintain security and prevents unintended access.

You can then Create GitHub App. After this, you'll be brought to the app settings page.

Step 3: Generate the Private Key

Next, GitHub will provide the credentials needed for your backend to authenticate securely with their API. One of these credentials is the private key - and it's an important one.

Here's what you'll receive:

App ID: Make sure to keep this handy; you'll need it for later.
Client ID: You can ignore these for now.
Private Key: You'll use this to authenticate your app with GitHub securely.

To get the private key, scroll down to "Private keys" and click on Generate a private key. It will create one and automatically download the .pem file.

You'll need this file when we set up the backend in Part 3, but also note down the Client ID and App ID as you will need these too.

You cannot re-download the .pem file once it's been generated. This is the only time it will be automatically downloaded. If you lose it, you'll need to regenerate it - and if you've already deployed your backend, you'll have to upload the new key there as well.

Step 4: Install the App to Your Account

Even though you've created the GitHub App, it still needs to be installed in your GitHub account (or organisation) before it can actually interact with your repositories.

To do this:

In the sidebar, click on the Install App button.
Select which account or organisation to install the app on.
Select the repositories you want the app to access. If you didn't limit repository access earlier, you can specify it here.

This step essentially gives the app permissions to start working with your repositories - allowing it to create issues and interact as needed.

You can always change the repository access later - from All repositories to Only select repositories (or the other way around). You're not locked into your initial choice. However, I recommend locking it down upfront for better security, especially when starting out.

Once you've installed the app to your account it will take you to it in your settings under Applications.

Step 5: Managing Repository Access After Installation

Once your GitHub App is installed on your account or organisation, you might need to add or remove repositories from the app's access list. If that's the case, here's how to manage it:

Go to your GitHub account settings or organisation settings.
Under Integrations, select Applications.
Find your app in the list and click Configure.
In the Repository Access section, you can either add new repositories or remove existing ones.

This flexibility allows you to adjust the app's access as your project evolves, without needing to reinstall or recreate the app.

Summary

At this point, you've successfully created a GitHub App that:

Is private and scoped to limit access
Has the permission to create issues
Is restricted to specific repositories
Uses a private key for secure authentication

This setup provides a solid, secure foundation for capturing structured feedback from your app and logging it directly into a GitHub issue tracker - all without ever exposing the user to GitHub itself.

In Part 3 we'll dive into setting up the Cloudflare Worker backend that will receive the feedback and handle the task of creating the actual GitHub issue.

You don't have to use GitHub - FormLogger just sends a POST request, so you can plug in any backend you like. GitHub is convenient, but you're free to build your own system. ⏎

Enjoyed this content? Fuel my creativity!

If you found this article helpful, you can keep the ideas flowing by supporting me. Buy me a coffee or check out my apps to help me create more content like this!

Coffee Check out my apps

Published: 2nd Jun 2025
Author: Mark Battistella
Copy the permalink
Share to BlueSky