GitHub
Connecting repositories, the GitHub App, branches, and pull requests
GitHub
Foxl Code works on your repositories through a GitHub App. Agents clone your repo into their VM, push a branch, and open a pull request - they never get your personal credentials.
Connecting a repository
- Go to Repos in the sidebar.
- Click Connect GitHub.
- Install the Foxl Bot GitHub App on your account or organization.
- Select which repositories to grant access to.
- Your repos appear on the Repos page and in the top-bar repo picker.
What the App can access
The GitHub App requests only what it needs to open and update PRs:
| Scope | Access |
|---|---|
| Contents | Read / Write |
| Issues | Read / Write |
| Pull Requests | Read / Write |
| Metadata | Read |
| Checks | Read |
| Workflows | Read |
Access tokens are minted per task, scoped to the installation, and live about an hour (never longer than twice the task's budget window). They are passed to the agent's VM for that task only and are never stored.
Branches and pull requests
- Branch name - each task pushes to a deterministic branch,
foxl/<task-id-suffix>. Because it is deterministic, a retry re-pushes to the same branch instead of creating a duplicate. - Pull request - when the agent finishes, it opens a PR from its branch into the repository's default branch. If a PR for that branch already exists, the agent recovers and reuses it rather than failing.
- Issues - when the orchestrator plans multi-PR work, a checkbox can open a GitHub Issue so the work is tracked in your repo as well as in Foxl.
Webhooks
Foxl listens for issues, issue_comment, pull_request, pull_request_review_comment, and check events so it can advance a Task Document's checkboxes as PRs are opened and merged. Incoming webhooks are verified with an HMAC signature, and a PR is matched back to its task by the exact branch suffix.