superset-sh · saddlepaddle · Jan 6, 2026 · Jan 7, 2026 · Jan 7, 2026 · Jan 7, 2026
diff --git a/apps/api/package.json b/apps/api/package.json
@@ -13,6 +13,9 @@
 	"dependencies": {
 		"@electric-sql/client": "^1.3.1",
 		"@linear/sdk": "^68.1.0",
+		"@octokit/app": "^16.1.2",
+		"@octokit/rest": "^22.0.1",
+		"@octokit/webhooks": "^14.2.0",
 		"@sentry/nextjs": "^10.32.1",
 		"@superset/auth": "workspace:*",
 		"@superset/db": "workspace:*",

diff --git a/apps/api/src/app/api/electric/[...path]/utils.ts b/apps/api/src/app/api/electric/[...path]/utils.ts
@@ -1,5 +1,8 @@
 import { db } from "@superset/db/client";
 import {
+	githubInstallations,
+	githubPullRequests,
+	githubRepositories,
 	members,
 	organizations,
 	repositories,
@@ -13,6 +16,8 @@ import { QueryBuilder } from "drizzle-orm/pg-core";
 export type AllowedTable =
 	| "tasks"
 	| "repositories"
+	| "github_repositories"
+	| "github_pull_requests"
 	| "auth.members"
 	| "auth.organizations"
 	| "auth.users";
@@ -45,6 +50,60 @@ export async function buildWhereClause(
 		case "repositories":
 			return build(repositories, repositories.organizationId, organizationId);
 
+		case "github_repositories": {
+			// Get the GitHub installation for this organization
+			const installation = await db.query.githubInstallations.findFirst({
+				where: eq(githubInstallations.organizationId, organizationId),
+				columns: { id: true },
+			});
+
+			if (!installation) {
+				return { fragment: "1 = 0", params: [] };
+			}
+
+			return build(
+				githubRepositories,
+				githubRepositories.installationId,
+				installation.id,
+			);
+		}
+
+		case "github_pull_requests": {
+			// Get the GitHub installation for this organization
+			const installation = await db.query.githubInstallations.findFirst({
+				where: eq(githubInstallations.organizationId, organizationId),
+				columns: { id: true },
+			});
+
+			if (!installation) {
+				return { fragment: "1 = 0", params: [] };
+			}
+
+			// Get all repositories for this installation
+			const repos = await db.query.githubRepositories.findMany({
+				where: eq(githubRepositories.installationId, installation.id),
+				columns: { id: true },
+			});
+
+			if (repos.length === 0) {
+				return { fragment: "1 = 0", params: [] };
+			}
+
+			const repoIds = repos.map((r) => r.id);
+			const whereExpr = inArray(
+				sql`${sql.identifier(githubPullRequests.repositoryId.name)}`,
+				repoIds,
+			);
+			const qb = new QueryBuilder();
+			const { sql: query, params } = qb
+				.select()
+				.from(githubPullRequests)
+				.where(whereExpr)
+				.toSQL();
+			const fragment = query.replace(/^select .* from .* where\s+/i, "");
+			return { fragment, params };
+		}
+
 		case "auth.members":
 			return build(members, members.organizationId, organizationId);
 

diff --git a/apps/api/src/app/api/integrations/github/callback/route.ts b/apps/api/src/app/api/integrations/github/callback/route.ts
@@ -0,0 +1,137 @@
+import { db } from "@superset/db/client";
+import { githubInstallations } from "@superset/db/schema";
+import { Client } from "@upstash/qstash";
+import { z } from "zod";
+
+import { env } from "@/env";
+import { githubApp } from "../octokit";
+
+const qstash = new Client({ token: env.QSTASH_TOKEN });
+
+const stateSchema = z.object({
+	organizationId: z.string().min(1),
+	userId: z.string().min(1),
+});
+
+/**
+ * Callback handler for GitHub App installation.
+ * GitHub redirects here after the user installs/configures the app.
+ */
+export async function GET(request: Request) {
+	const url = new URL(request.url);
+	const installationId = url.searchParams.get("installation_id");
+	const setupAction = url.searchParams.get("setup_action");
+	const state = url.searchParams.get("state");
+
+	if (setupAction === "cancel") {
+		return Response.redirect(
+			`${env.NEXT_PUBLIC_WEB_URL}/settings/integrations?error=installation_cancelled`,
+		);
+	}
+
+	if (!installationId || !state) {
+		return Response.redirect(
+			`${env.NEXT_PUBLIC_WEB_URL}/settings/integrations?error=missing_params`,
+		);
+	}
+
+	const parsed = stateSchema.safeParse(
+		JSON.parse(Buffer.from(state, "base64url").toString("utf-8")),
+	);
+
+	if (!parsed.success) {
+		return Response.redirect(
+			`${env.NEXT_PUBLIC_WEB_URL}/settings/integrations?error=invalid_state`,
+		);
+	}
+
+	const { organizationId, userId } = parsed.data;
+
+	try {
+		const octokit = await githubApp.getInstallationOctokit(
+			Number(installationId),
+		);
+
+		const installationResult = await octokit
+			.request("GET /app/installations/{installation_id}", {
+				installation_id: Number(installationId),
+			})
+			.catch((error: Error) => {
+				console.error("[github/callback] Failed to fetch installation:", error);
+				return null;
+			});
+
+		if (!installationResult) {
+			return Response.redirect(
+				`${env.NEXT_PUBLIC_WEB_URL}/settings/integrations?error=installation_fetch_failed`,
+			);
+		}
+
+		const installation = installationResult.data;
+
+		// Extract account info - account can be User or Enterprise
+		const account = installation.account;
+		const accountLogin =
+			account && "login" in account ? account.login : (account?.name ?? "");
+		const accountType =
+			account && "type" in account ? account.type : "Organization";
+
+		// Save the installation to our database
+		const [savedInstallation] = await db
+			.insert(githubInstallations)
+			.values({
+				organizationId,
+				connectedByUserId: userId,
+				installationId: String(installation.id),
+				accountLogin,
+				accountType,
+				permissions: installation.permissions as Record<string, string>,
+			})
+			.onConflictDoUpdate({
+				target: [githubInstallations.organizationId],
+				set: {
+					connectedByUserId: userId,
+					installationId: String(installation.id),
+					accountLogin,
+					accountType,
+					permissions: installation.permissions as Record<string, string>,
+					suspended: false,
+					suspendedAt: null, // Clear suspension if reinstalling
+					updatedAt: new Date(),
+				},
+			})
+			.returning();
+
+		if (!savedInstallation) {
+			return Response.redirect(
+				`${env.NEXT_PUBLIC_WEB_URL}/settings/integrations?error=save_failed`,
+			);
+		}
+
+		// Queue initial sync job
+		try {
+			await qstash.publishJSON({
+				url: `${env.NEXT_PUBLIC_API_URL}/api/integrations/github/jobs/initial-sync`,
+				body: {
+					installationDbId: savedInstallation.id,
+					organizationId,
+				},
+				retries: 3,
+			});
+		} catch (error) {
+			console.error("[github/callback] Failed to queue initial sync job:", error);
+			return Response.redirect(
+				`${env.NEXT_PUBLIC_WEB_URL}/settings/integrations?warning=sync_queue_failed`,
+			);
+		}
+
+		return Response.redirect(
+			`${env.NEXT_PUBLIC_WEB_URL}/settings/integrations?success=github_installed`,
+		);
+	} catch (error) {
+		console.error("[github/callback] Unexpected error:", error);
+		return Response.redirect(
+			`${env.NEXT_PUBLIC_WEB_URL}/settings/integrations?error=unexpected`,
+		);
+	}
+}
diff --git a/apps/api/src/app/api/integrations/github/install/route.ts b/apps/api/src/app/api/integrations/github/install/route.ts
@@ -0,0 +1,56 @@
+import { auth } from "@superset/auth/server";
+import { db } from "@superset/db/client";
+import { members } from "@superset/db/schema";
+import { and, eq } from "drizzle-orm";
+
+import { env } from "@/env";
+
+export async function GET(request: Request) {
+	const session = await auth.api.getSession({ headers: request.headers });
+
+	if (!session?.user) {
+		return Response.json({ error: "Unauthorized" }, { status: 401 });
+	}
+
+	const url = new URL(request.url);
+	const organizationId = url.searchParams.get("organizationId");
+
+	if (!organizationId) {
+		return Response.json(
+			{ error: "Missing organizationId parameter" },
+			{ status: 400 },
+		);
+	}
+
+	const membership = await db.query.members.findFirst({
+		where: and(
+			eq(members.organizationId, organizationId),
+			eq(members.userId, session.user.id),
+		),
+	});
+
+	if (!membership) {
+		return Response.json(
+			{ error: "User is not a member of this organization" },
+			{ status: 403 },
+		);
+	}
+
+	if (!env.GITHUB_APP_ID) {
+		return Response.json(
+			{ error: "GitHub App not configured" },
+			{ status: 500 },
+		);
+	}
+
+	const state = Buffer.from(
+		JSON.stringify({ organizationId, userId: session.user.id }),
+	).toString("base64url");
+
+	const installUrl = new URL(
+		`https://github.com/apps/superset-app/installations/new`,
+	);
+	installUrl.searchParams.set("state", state);
+
+	return Response.redirect(installUrl.toString());
+}