Connect to a GitHub Enterprise host
This page explains how to connect aGitHub Enterprise host to Cloud Build.
Before you begin
Enable the Cloud Build and Secret Manager APIs.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (
roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission.Learn how to grant roles.
- Ensure that you have thelatest version of GitHub Enterprise.
Ensure you map a custom domain to your GitHub Enterprise host and have a validSSL certificate for your host.
Note: If your GitHub Enterprise host is running on a Compute Engineinstance, you cancreate an External HTTP(s) Load Balancer,anduse a Google-managed SSLcertificate for your instance.If your GitHub Enterprise instance is hosted in a private network, seeBuild repositories from GitHub Enterprise in a private network prior to completinginstructions on this page.
Required IAM permissions
To connect your GitHub Enterprise host, grant the Cloud Build Connection Admin (roles/cloudbuild.connectionAdmin)role to your user account.
To add the required roles to your user account, seeConfiguring access to Cloud Build resources. Tolearn more about IAM roles associated with Cloud Build, seeIAM roles and permissions.
To create connections usinggcloud installation steps, grant theSecret Manager Admin role (roles/secretmanager.admin) tothe Cloud Build Service Agent by running the following commandin your Google Cloud project:
PN=$(gcloudprojectsdescribe${PROJECT_ID}--format="value(projectNumber)")CLOUD_BUILD_SERVICE_AGENT="service-${PN}@gcp-sa-cloudbuild.iam.gserviceaccount.com"gcloudprojectsadd-iam-policy-binding${PROJECT_ID}\--member="serviceAccount:${CLOUD_BUILD_SERVICE_AGENT}"\--role="roles/secretmanager.admin"roles/secretmanager.admin)after your connection is in stateCOMPLETE. To learn more, seeGranting a role to the Cloud Build service agent.If your GitHub Enterprise instance is hosted in a private network,seeBuild repositories from GitHub Enterprise in a private network tolearn about additional IAM roles required prior tohost connection.
Connect to a GitHub Enterprise host
Console
To connect your GitHub Enterprise host to Cloud Build:
Open theRepositories page in the Google Cloud console.
You will see theRepositories page.
In the project selector in the top bar, select your Google Cloud project.
At the top of the page, select the2nd gen tab.
ClickCreate host connection to connect a new host to Cloud Build.
On the left panel, selectGitHub Enterprise as your source provider.
In theConfigure Connection section, enter the following information:
Region: Select a region for your connection.
Note: You must specify a region. Your connection cannot exist globally.Name: Enter a name for your connection.
In theHost details section, enter the following information:
Host URL: Enter the host URL for your connection. For example,
github.example.comCA Certificate: Click Browse to upload your self-signed certificate.
Note: Your certificate must not exceed 10 KB in size and should be inPEM format (.pem,.cer, or.crt). If this section is left blank,adefault set of certificates will be used in place.UnderConnection type, select one of the following options:
Public internet: Select this option if your instance is accessible via the public internet.
Private network access: Select this option if your instance is hosted in a private network.
UnderService Directory service, selection the location for your service:
- In project
your-project - In another project
- Enter manually
If you selectIn another project orEnter manually, enter thefollowing information:
Project: Enter or select your Google Cloud project ID from the drop-down menu.
Region: This field pre-selects the region of your connection. The region specifiedfor your service must match the region associated with your connection.
Namespace: Select the namespace of your service.
Service: Select the service name in your namespace.
- In project
ClickConnect.
After clicking theConnect button, you will be asked to create a GitHub App in yourGitHub Enterprise host and install the app in a user account or organization. Anauthentication token from your GitHub Enterprise host will be created and stored in thisproject as a Secret Manager secret. You may revoke access by uninstalling ordeleting the GitHub app from your host at any time.
Cloud Build stores the authentication data of the createdGitHub App as secrets in Secret Manager in your project.This data includes your private key and webhook secret.The private key is used as an authentication method to access the APIof the Enterprise Server. The webhook secret is used to validate theevents sent from the server to Cloud Build. The Cloud BuildService Agent account (
service-{projectNumber}@gcp-sa-cloudbuild.iam.gserviceaccount.com)is used to access your secret. To view your secret,seeList secrets and view secret details.After authorizing the Cloud Build GitHub App, you will beredirected to the Cloud BuildRepositoriespage.
gcloud
To connect your GitHub Enterprise host to Cloud Build usinggcloud commands, complete the following steps:
Enter the following command to create a GitHub Enterprise connection:
gcloudbuildsconnectionscreategithub-enterpriseCONNECTION_NAME\--host-uri=HOST_URI--region=REGIONWhere:
- CONNECTION_NAME is a name for your GitHub Enterprise host connection in Cloud Build.
- HOST_URI is the URI of your GitHub Enterprise instance. For example,
https://mmy-ghe-server.net. - REGION is theregion for your connection.
If your GitHub Enterprise instance is in a private network, specify yourService Directory resource. You can also specify your CA certificate.
--service-directory-service=projects/PROJECT_ID/locations/REGION/namespaces/NAMESPACE/services/SERVICE_NAME \--ssl-ca-file=SSL_CA_FILEPATHWhere:
- PROJECT_ID is your Google Cloud project ID.
- REGION is theregion for your connection.
- NAMESPACE is the namespace for your service.
- SERVICE_NAME is the name of your service in your namespace.
- SSL_CA_FILEPATH is the path to your CA certificate.
After running the
gcloud builds connections...command, you willreceive a link to install the Cloud Build GitHub app.Follow the link returned in the previous step to create and install theCloud Build GitHub App on your enterprise server.
Enter the following command to verify your connection:
gcloudbuildsconnectionsdescribeCONNECTION_NAME--region=REGIONWhere:
- CONNECTION_NAME is the name of your GitHub Enterprise host connection in Cloud Build.
- REGION is theregion for your connection.
If the
installationStatefield is set toCOMPLETE, you have successfullyinstalled the connection. Otherwise, theinstallationStatefield providesa link for additional steps required.
Connect to a GitHub Enterprise host programmatically
To connect your GitHub Enterprise host programmatically to Cloud Build,you must install the GitHub app by completing the following steps:
Register a new GitHub app. For example, you may register a newGitHub app at
https://my-ghe-server.net/settings/apps/new.Complete the fields on the page:
- GitHub App Name: Enter a name for your app.
- Homepage URL: Enter a URL for your GitHub Enterprise Server.
- Clear the box forExpire user authorization tokens.
- In theWebhook section, complete the following steps:
- Active: Check the box to activate your webook.
- Webhook URL: Enter your webhook URL. For example,
https://cloudbuild.googleapis.com/v2/projects/{PROJECT_NUMBER}/locations/{REGION}/connections:processWebhook. The region in the webhook URL must match the regionof your connection. - Webhook secret: Enter a randomly generated string and take note of it.
- In thePermissions section, specify the following permissions:
- Repository permissions:
- Checks: Read and write
- Contents: Read and write
- Issues: Read-only
- Metadata Read-only
- Commit statuses: Read-only
- Pull requests: Read-only
- Repository permissions:
- In theSubscribe to events section, check the following boxes:
- Check run
- Check suite
- Commit comment
- Issue comment
- Pull request
- Pull request review comment
- Push
- Repository
- Check the box forAny account to allow your GitHub app to be installed by any user or organization.
ClickCreate GitHub app to create your GitHub app.
One you clickCreate GitHub app, you will be redirected to your app page. Takenote of your App ID and the App slug. The App slug can be found in the last segment of the URL of the page.For example,
https://my-ghe-server.net/settings/apps/{app-slug}In thePrivate keys section, clickGenerate a private key.
Store the downloaded file in a secure place.
In the left pane, selectInstall App.
Select the user or organization where you want to install the app. After the app is installed,take note of the installation ID. The installation ID can be found in the last segment of the URLof the page. For example,
https://my-ghe-server.net/settings/installations/{installation-id}.
After you have installed your GitHub app, complete the following steps toconnect your GitHub Enterprise host programmatically using Terraform orgcloud.
Terraform
Once you have installed your GitHub app, you can connect your GitHub Enterprise hostto Cloud Build using the Google Terraform provider.
In the following example, the code snippet does the following:
- Configures the Terraform Google provider
- Creates a secret to store the GitHub App's private key and webhook secret
- Grants necessary permissions to the Cloud Build Service Agent to access secrets
Creates a GitHub Enterprise connection
// Configure the terraform google providerterraform{required_providers{google={}}}// create Secrets and grant permissions to the Service Agentresource"google_secret_manager_secret""private-key-secret"{project="PROJECT_ID"secret_id="PRIVATE_KEY_SECRET"replication{auto{}}}resource"google_secret_manager_secret_version""private-key-secret-version"{secret=google_secret_manager_secret.private-key-secret.idsecret_data=file("private-key.pem")}resource"google_secret_manager_secret""webhook-secret-secret"{project="PROJECT_ID"secret_id="WEBHOOK_SECRET"replication{auto{}}}resource"google_secret_manager_secret_version""webhook-secret-secret-version"{secret=google_secret_manager_secret.webhook-secret-secret.idsecret_data="WEBHOOK_SECRET_VALUE"}data"google_iam_policy""serviceagent-secretAccessor"{binding{role="roles/secretmanager.secretAccessor"members=["serviceAccount:service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com"]}}resource"google_secret_manager_secret_iam_policy""policy-pk"{project=google_secret_manager_secret.private-key-secret.projectsecret_id=google_secret_manager_secret.private-key-secret.secret_idpolicy_data=data.google_iam_policy.serviceagent-secretAccessor.policy_data}resource"google_secret_manager_secret_iam_policy""policy-whs"{project=google_secret_manager_secret.webhook-secret-secret.projectsecret_id=google_secret_manager_secret.webhook-secret-secret.secret_idpolicy_data=data.google_iam_policy.serviceagent-secretAccessor.policy_data}// create the connection and add the repository resource ---resource"google_cloudbuildv2_connection""my-connection"{project="PROJECT_ID"location="REGION"name="CONNECTION_NAME"github_enterprise_config{host_uri="URI"private_key_secret_version=google_secret_manager_secret_version.private-key-secret-version.idwebhook_secret_secret_version=google_secret_manager_secret_version.webhook-secret-secret-version.idapp_id="APP_ID"app_slug="APP_SLUG"app_installation_id=INSTALLATION_ID}depends_on=[google_secret_manager_secret_iam_policy.policy-pk,google_secret_manager_secret_iam_policy.policy-whs]}
Where:
- PROJECT_ID is your Google Cloud project ID.
- PRIVATE_KEY_SECRET is the secret containing your GitHub App's private key.
- WEBHOOK_SECRET is the secret name containing your GitHub App's webhook secret value.
- WEBHOOK_SECRET_VALUE is the value of your GitHub App's webhook secret.
- REGION is theregion for your connection.
- CONNECTION_NAME is a name for your GitHub Enterprise host connection in Cloud Build.
- URI is the URI of your connection. For example,
https://my-github-enterprise-server.net. - APP_ID is the ID of your GitHub App.
- APP_SLUG is the app slug. For example,
https://github.com/settings/apps/{app-slug}. - INSTALLATION_ID is the installation ID of your GitHub app. Yourinstallation ID can be found in the URL of your Cloud BuildGitHub App,
https://github.com/settings/installations/{installation-id}.
gcloud
After you have installed your GitHub app, complete the following steps toconnect your GitHub Enterprise host programmatically usinggcloud:
Store your secrets in Secret Manager:
echo-nWEBHOOK_SECRET|gcloudsecretscreatemygheapp-webhook-secret--data-file=-# creating secret from the downloaded private key:gcloudsecretscreatemygheapp-private-key--data-file=PRIVATE_KEY_FILEWhere:
- WEBHOOK_SECRET is the string you created for your webhook secret.
- PRIVATE_KEY_FILE is the path to the private key you generated.
Grant access to the Cloud Build Service Agent to access your secrets:
PROJECT_NUMBER=$(gcloudprojectsdescribePROJECT_ID--format="value(projectNumber)")CLOUD_BUILD_SERVICE_AGENT="service-$PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com"gcloudsecretsadd-iam-policy-bindingmygheapp-webhook-secret\--member="serviceAccount:$CLOUD_BUILD_SERVICE_AGENT" \--role="roles/secretmanager.secretAccessor"gcloudsecretsadd-iam-policy-bindingmygheapp-private-key\--member="serviceAccount:$CLOUD_BUILD_SERVICE_AGENT" \--role="roles/secretmanager.secretAccessor"Where:
- PROJECT_ID is your Google Cloud project ID.
- CLOUD_BUILD_SERVICE_AGENT is your Per-Product Per-Project account.
Create your GitHub Enterprise connection:
gcloudbuildsconnectionscreategithub-enterpriseCONNECTION_NAME\--host-uri=HOST_URI\--app-id=APP_ID\--app-slug=APP_SLUG\--private-key-secret-version=projects/PROJECT_ID/secrets/mygheapp-private-key/versions/1\--webhook-secret-secret-version=projects/PROJECT_ID/secrets/mygheapp-webhook-secret/versions/1\--app-installation-id=INSTALLATION_ID\--region=REGIONWhere:
- CONNECTION_NAME is a name for your GitHub Enterprise host connection in Cloud Build.
- HOST_URI is the URI of your GitHub Enterprise instance. For example,
https://mmy-ghe-server.net. - APP_ID is the ID of your GitHub App.
- APP_SLUG is the app slug. For example,
https://my-ghe-server.net/settings/apps/app-slug. - PROJECT_ID is your Google Cloud project ID.
- INSTALLATION_ID is the installation ID of your GitHub app. For example,
https://my-ghe-server.net/settings/installations/installation-id - REGION is theregion for your connection.
If your GitHub Enterprise instance is in a private network, specify yourService Directory resource. You can also specify your CA certificate.
--service-directory-service=projects/PROJECT_ID/locations/REGION/namespaces/NAMESPACE/services/SERVICE_NAME \ --ssl-ca-file=SSL_CA_FILEPATHWhere:
- PROJECT_ID is your Google Cloud project ID.
- REGION is theregion for your connection.
- NAMESPACE is the namespace of your service.
- SERVICE_NAME is the name of your service in your namespace.
- SSL_CA_FILEPATH is the path to your CA certificate.
Next steps
- Learn how toconnect a repository to GitHub Enterprise.
- Learn how toperform blue-green deployments on Compute Engine.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-10-24 UTC.