GitHub repo invite
Sells access to a private GitHub repository. After payment, the buyer receives a repo invite by email (and via GitHub UI).
What it does
When an order is marked paid, the glue calls
POST /repos/{owner}/{repo}/collaborators/{username} (Octokit) with the configured
permission. The buyer's GitHub username comes from their Logto profile (the GitHub
OAuth connector populates it on sign-in).
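One way to validate the repo, permission and buyer username before making the collaborator call described above. This is an added example, not the project's own code. The entitlement object shape, the `githubUsername` profile field and the error codes are assumptions; the returned object matches the parameters of Octokit's `repos.addCollaborator`.

```javascript
// Added example. Entitlement shape, `githubUsername` field and error codes are assumptions.
const LOGIN_RE = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,37}[A-Za-z0-9])?$/; // 1-39 chars, no edge hyphen
const REPO_RE = /^[A-Za-z0-9._-]{1,100}$/;
const ALLOWED_PERMISSIONS = new Set(["pull", "push"]); // the two values the product form offers

function fail(code, message) {
  const err = new Error(message);
  err.code = code;
  throw err;
}

// Returns { owner, repo, username, permission } or throws an Error carrying a `code`.
function buildInviteParams(entitlement, profile) {
  const parts = String(entitlement.repo ?? "").split("/");
  if (parts.length !== 2) fail("BAD_REPO", "repo must be owner/name");
  const [owner, repo] = parts;
  if (!LOGIN_RE.test(owner)) fail("BAD_REPO", "invalid repo owner");
  if (!REPO_RE.test(repo) || repo === "." || repo === "..") fail("BAD_REPO", "invalid repo name");

  // Least privilege: a misconfigured product must not grant admin or maintain.
  if (!ALLOWED_PERMISSIONS.has(entitlement.permission)) {
    fail("BAD_PERMISSION", "permission must be pull or push");
  }

  // Email-only buyers have no GitHub username; stop here instead of calling the API.
  const username = profile?.githubUsername;
  if (typeof username !== "string" || username === "") {
    fail("NO_GITHUB_IDENTITY", "buyer did not sign in via GitHub OAuth");
  }
  // The username becomes a URL path segment, so "/", "." and "%" are rejected.
  if (!LOGIN_RE.test(username)) fail("BAD_USERNAME", "not a valid GitHub login");

  return { owner, repo, username, permission: entitlement.permission };
}

// Constructed sample inputs (not real accounts or products).
const SAMPLES = [
  [{ repo: "your-org/your-repo", permission: "pull" }, { githubUsername: "octo-buyer" }],
  [{ repo: "your-org/your-repo", permission: "admin" }, { githubUsername: "octo-buyer" }],
  [{ repo: "your-org/your-repo", permission: "push" }, { email: "buyer@example.com" }],
  [{ repo: "your-org/your-repo", permission: "pull" }, { githubUsername: "x/../../orgs/y" }],
];
for (const [entitlement, profile] of SAMPLES) {
  try {
    console.log("ok", buildInviteParams(entitlement, profile));
  } catch (err) {
    console.log("rejected", err.code, err.message);
  }
}
```

Rejecting before the API call keeps the token, which holds Administration write on the repo, from acting on malformed input, and gives the dashboard a specific reason to show instead of a generic failure.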
Prerequisites
- The merchant must own (or be an admin of) the target repo or org.
- A GitHub Personal Access Token with the repo scope (private) or public_repo (public). Fine-grained tokens scoped to the specific repo are preferred.
- Buyers must sign in via GitHub OAuth. Email-only buyers cannot be invited because their GitHub username is unknown. Surface this requirement on your checkout page.
Step-by-step
- Create a fine-grained PAT at https://github.com/settings/personal-access-tokens.
  - Resource owner: your org (or user).
  - Repository access: the specific repo.
  - Permissions → Repository → Administration: Read and write.
- Set it in .env:

      GITHUB_APP_PRIVATE_KEY=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      GITHUB_ORG_SLUG=your-org

- Restart the glue:

      docker compose up -d glue

- In the dashboard, create or edit a product. Add an entitlement of type GitHub invite:
  - Repo: your-org/your-repo
  - Permission: pull (read-only) or push (collaborator).
- Enable the GitHub OAuth connector in Logto admin (https://auth.<your-domain>/admin → Connectors).
Troubleshooting
| Symptom | Likely cause |
|---|---|
| Entitlement stays pending, error: Not Found | repo/owner typo, or PAT scope insufficient |
| Entitlement fails: User not found | buyer signed up with email, not GitHub OAuth — see Prerequisites |
| Invite is sent but buyer says they didn't get it | GitHub sends to the primary email tied to the GitHub account; buyer should check there or open https://github.com/notifications |
| 403 Resource not accessible by integration | fine-grained PAT missing Administration: write on the repo |
Coming after MVP launch
GitHub App (vs PAT) for org-wide installation, plus team membership entitlements.