GitHub
Connect GitHub via OAuth, scope policies per-repo, route writes through step-up.
GitHub is the reference connector. Most patterns here apply unchanged to Slack, Linear, Notion, Stripe.
Before you start
- A GitHub account with access to the org / repos you want exposed.
- If your org has 'third-party access approval' enabled, an org owner needs to approve Nomos.
Connect
1. Initiate from the dashboard
   Connections → Connect → GitHub. The button opens GitHub's OAuth consent screen in a new tab.
2. Pick the right account / org
   GitHub shows an account picker. Pick the org you want Nomos to see. Per-org consent matters: a personal-account consent does not grant Nomos access to your work org.

   Pick the org carefully. You can re-connect later to add more, but each org is its own consent.
3. Approve
   Nomos requests `repo`, `read:user`, `read:org`. These are the ceiling. Your Cedar policy then narrows what an agent can actually do.
Available commands
| Command | What it does |
|---|---|
| `/github/issue/list` | list issues |
| `/github/issue/get` | read one issue |
| `/github/issue/create` | open issue |
| `/github/issue/update` | edit issue (title, body, labels, state) |
| `/github/pr/list` | list pull requests |
| `/github/pr/create` | open PR |
| `/github/pr/merge` | merge PR (default step-up) |
| `/github/branch/create` | create branch from a sha |
| `/github/repo/get_file` | read a file at a ref |
| `/github/repo/put_file` | write a file (default step-up) |
| `/github/repo/list_files` | list paths in a repo |
| `/github/release/create` | cut a release (default step-up) |

Full catalog: `pnpm cb actions github`.
Starter policies
- `github:read-only`: `repo/get_file`, `repo/list_files`, `issue/*read`, `pr/list`. No writes.
- `github:safe-default`: all of read-only + `issue/create`, `issue/update`, `pr/create`. PR merge, file put, release create require step-up.
- `github:org-pinned`: same as safe-default but constrained to a single org.
- `github:repo-pinned`: narrowed to one repo. Useful for codegen agents.
Pick one in Policies → From template → GitHub.
Cedar fragment

```cedar
permit (
  principal,
  action in [Action::"/github/issue/list", Action::"/github/issue/get",
             Action::"/github/repo/get_file", Action::"/github/repo/list_files"],
  resource
) when {
  resource.owner == "acme" && resource.repo == "app"
};

permit (
  principal,
  action == Action::"/github/pr/create",
  resource
) when {
  resource.owner == "acme" && resource.repo == "app"
  && context.cosigner == true
};
```
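The starter policies above are described only in prose; the following is an added example (not a Nomos template) that writes out `github:org-pinned`, i.e. `safe-default` pinned to the `acme` org, using the same `resource.owner` and `context.cosigner` attributes the fragment above assumes. Anything not matched by a `permit` (for example `/github/branch/create`) is denied by Cedar's default-deny, regardless of the OAuth scopes Nomos holds.

```cedar
// Reads: no step-up, but every request must target the acme org.
permit (
  principal,
  action in [Action::"/github/issue/list", Action::"/github/issue/get",
             Action::"/github/pr/list",
             Action::"/github/repo/get_file", Action::"/github/repo/list_files"],
  resource
) when {
  resource.owner == "acme"
};

// Low-impact writes: allowed without step-up, still org-pinned.
permit (
  principal,
  action in [Action::"/github/issue/create", Action::"/github/issue/update",
             Action::"/github/pr/create"],
  resource
) when {
  resource.owner == "acme"
};

// High-impact writes: only when a cosigner has approved this request
// (context.cosigner is assumed to be set by the step-up flow).
permit (
  principal,
  action in [Action::"/github/pr/merge", Action::"/github/repo/put_file",
             Action::"/github/release/create"],
  resource
) when {
  resource.owner == "acme" && context.cosigner == true
};
```

To turn this into `github:repo-pinned`, add `&& resource.repo == "app"` to each `when` clause.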
Operational gotchas
**Token expired immediately**
Check the clock skew on your control-plane host. NTP drift >60s breaks GitHub OAuth signatures.

**Agent gets 404 on a repo it should see**
GitHub OAuth scopes are fixed at consent time. If Nomos was consented before the repo was created, re-consent on the Connections row.

**Want different agents to see different repos**
Use Cedar `when { resource.repo == "…" }` per policy. Nomos doesn't manage GitHub OAuth scope; Cedar does.