Runbook — Rotate the GitHub App private key
Rotate immediately if the key may have been exposed; otherwise rotate on your normal credential schedule.
Steps
Generate the new key. GitHub → Settings → Developer settings → GitHub Apps → your app → Private keys → Generate a private key. A
.pemdownloads; GitHub allows two active keys at once, so the old key keeps working during the swap.Update the Worker secret (from the repository root):
bashwrangler secret put GITHUB_APP_PRIVATE_KEY < downloaded-key.pemThe Worker converts PKCS#1 PEM to PKCS#8 itself — upload the file exactly as GitHub issued it.
Verify. Open Platform Health — the GitHub connection must show
activewith a fresh last success after the next sync tick, or trigger a manual discovery from Administration.GET /health/readymust stayok: truewithdemoMode: false.Revoke the old key. Back on the GitHub App page, delete the previous private key.
Clean up. Delete the downloaded
.pem. If you mirror the key in another secret store (e.g. a key vault), update it there too — the Worker only reads its own secret binding.
Rollback
If verification fails, the old key is still valid until you delete it — re-upload it with the same wrangler secret put command and investigate.