GitHub

Name: QuantaSeal
Brand: QuantaSeal
Price: 69 AUD

DevOps

system_type: "github"

Proxy GitHub REST API v3 calls for repository management, CI/CD integration, and secret scanning.

Overview#

The GitHub connector proxies GitHub REST API v3 calls. Personal Access Tokens or GitHub App credentials are sealed in QuantaVault. Supports repository operations, pull requests, Actions workflows, and secret management.

Base URL: https://api.quantaseal.io/api/v2/proxy/outbound
Auth header: X-API-Key: qs_live_…

Prerequisites#

1A GitHub account or organisation
2A Personal Access Token (classic or fine-grained) with the required scopes

Configuration#

Follow these steps to connect GitHub to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.

1
In GitHub Settings → Developer Settings → Personal Access Tokens, create a fine-grained token with the required repo scopes.
2
Seal: POST /api/v2/vault/seal with credential_type: api_key.
3
Create integration with system_type: github, config: {owner: 'your-org', repo: 'your-repo'}.

Authentication Types#

Seal a fine-grained Personal Access Token as api_key. For GitHub App installations, use oauth2_token with the installation access token.

API KeyOAuth2 Token

All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and seal/unseal endpoints.

Available Operations#

QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.

Operation	Description
`list_repos`	List repositories for a user or organisation.
`get_repo`	Get repository metadata.
`list_pull_requests`	List open pull requests.
`create_issue`	Create a new issue.
`trigger_workflow`	Trigger a GitHub Actions workflow dispatch.

Code Example#

Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.

bashCopy

curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
  -H "X-API-Key: qs_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"integration_id":"int_GH001","operation":"list_pull_requests","payload":{"state":"open","base":"main"}}'

Decrypt the response using the QuantaSeal SDK: client.encryption.decrypt(envelope). Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass - QuantaSeal uses a bitwise & check, not short-circuit and.

Troubleshooting#

Resource not accessible by personal access token

Fine-grained tokens require explicit repository permission grants. Review the token's repository access in GitHub Settings.

Still stuck? Check the Security Events page in the Admin Console for detailed proxy error logs, or open a support ticket at quantaseal.io/support.

All Connectors API Reference