Git Providers
GitHub, GitLab, and Bitbucket OAuth integration with automatic token refresh.
Git Providers
Git provider integrations enable repository access for GitOps workflows. Three providers are supported via OAuth.
Supported Providers
| Provider | Auth Method | Token Refresh |
|---|---|---|
| GitHub | OAuth 2.0 | Automatic via refresh token |
| GitLab | OAuth 2.0 | Automatic via refresh token |
| Bitbucket | OAuth 2.0 (Basic Auth for refresh) | Automatic via refresh token |
Connection Flow
Click Connect
Click "Connect" on the provider card in the Integrations page.
OAuth Authorization
You're redirected to the provider's authorization page. Grant the application access to your repositories.
Callback
The provider redirects back to Trellis with an authorization code. Supabase exchanges it for access and refresh tokens.
Token Storage
A database trigger copies the tokens from auth.identities to the provider_tokens table. All tokens are encrypted at rest by Supabase.
Token Refresh
Git tokens have limited lifetimes. The getValidProviderToken() server action handles refresh automatically:
- Reads the token from
provider_tokens - Checks
expires_at— if in the past, initiates refresh - Calls the provider's token refresh endpoint:
- GitHub:
POST github.com/login/oauth/access_token - GitLab:
POST gitlab.com/oauth/token - Bitbucket:
POST bitbucket.org/site/oauth2/access_token
- GitHub:
- Updates the token in the database
- Returns the valid access token
This happens transparently whenever a Git operation is needed.
What Tokens Are Used For
- Repository listing — the Plant a Vine form shows repos from your connected provider
- ArgoCD access — after deploying, ArgoCD uses the token to watch repositories for changes
- Template cloning — infrastructure templates can be sourced from your repositories
Disconnecting
Disconnecting a Git provider:
- Deletes the
provider_tokensrecord - Revokes the OAuth grant with the provider via Supabase unlink
- Existing ArgoCD installations that use this token will lose repository access
Disconnecting a Git provider affects all vines that use repositories from that provider. ArgoCD will show "sync failed" until a new token is provided.