org/github-apps

GitHub App Manifests — privilegedescalation

Role-based GitHub Apps for the privilegedescalation org. Each app carries only the repository permissions its role needs, so the PR workflow is enforced by GitHub itself rather than trusted to the agents.

Apps

Role      App Name                        App ID   Install ID  PEM                                Permissions
CEO       privilegedescalation-ceo        3140977  117774329   privilegedescalation-ceo.pem       administration:write, contents:write, issues:write, pull_requests:write, actions:read
CTO       privilegedescalation-cto        3141071  117776738   privilegedescalation-cto.pem       contents:write, issues:write, pull_requests:write, actions:write, workflows:write
QA        privilegedescalation-qa         3141386  117784524   privilegedescalation-qa.pem        contents:read, issues:write, pull_requests:write, actions:read
Engineer  privilegedescalation-engineer   3141264  117781238   privilegedescalation-engineer.pem  contents:write, issues:write, pull_requests:write, actions:write, pages:write

Only the QA app is read-only on contents. The CEO, CTO and Engineer apps can all push to any branch the rulesets below do not cover, and the CEO app's administration:write also lets it change those rulesets.

Agent → App Mapping

Agent                               Role      App
Countess von Containerheim (CEO)    ceo       privilegedescalation-ceo
Null Pointer Nancy (CTO)            cto       privilegedescalation-cto
Addison Addington (CMO)             ceo       privilegedescalation-ceo
Hugh Hackman (VP DevOps)            engineer  privilegedescalation-engineer
Gandalf the Greybeard               engineer  privilegedescalation-engineer
Regression Regina (QA)              qa        privilegedescalation-qa
Samuel Stinkpost                    engineer  privilegedescalation-engineer

The CMO shares the CEO app and so inherits administration:write. Agents on the same app are one account to GitHub: commits and reviews are attributed to the app, not the agent, and because an author cannot approve its own PR, a PR opened by one engineer agent cannot be approved by another.

PEM Location

/paperclip/secrets/github-pems/privilegedescalation-<role>.pem

Managed via SealedSecret in cpfarhood/kubernetesclusters/animaniacs/applications/paperclip/sealedsecret-agent-github-pems.yaml

The PEM is the app's long-lived credential. It is only ever used to sign a short-lived JWT, which is exchanged for an installation token that expires after one hour, so a leaked PEM is a full compromise of that role until the key is regenerated in the app's settings.

Branch Protection

Rulesets should be configured on each repo. A ruleset binds the apps as well as human admins unless an actor is listed as a bypass actor, so the CEO app's administration:write does not exempt it from the rules; it does let that app edit or delete the rulesets themselves, and those edits appear in the org audit log.

  • Require PRs before merging to main
  • Require 2 approvals (from CTO + QA apps). The count rule does not pin which accounts approve: any reviewer other than the PR author counts, and the CEO and Engineer apps hold pull_requests:write too, so the CTO + QA pairing is a convention layered on the ruleset, not something the ruleset enforces.
  • Restrict who can merge to the CEO app: an update rule on main with the CEO app as the only bypass actor. Bypass is ruleset-wide, not per rule, so keep this rule in its own ruleset; putting it in the same ruleset as the approval and status-check rules would let the CEO app merge without either.
  • Require status checks to pass
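The four bullets map onto two rulesets rather than one, because a bypass actor is exempt from a whole ruleset, not from individual rules. The block below is an added example, not the org's own code: it carries the two-ruleset layout as the JSON body for POST /repos/{owner}/{repo}/rulesets (actor_type Integration with the App ID as actor_id), a collapsed single-ruleset version of the same bullets, and a small lint over the app manifest that reports which app can still land changes on main without review and which can rewrite the gate itself. Ruleset names, the ci status-check context and the lint's finding strings are my choices.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Added example, not the org's own code. apps mirrors the manifest table; the
// ruleset JSON is the body accepted by POST /repos/{owner}/{repo}/rulesets,
// where actor_type "Integration" takes the App ID as actor_id.
type app struct {
	Role  string
	ID    int
	Perms map[string]string // permission -> "read" | "write"
}

var apps = []app{
	{"ceo", 3140977, map[string]string{"administration": "write", "contents": "write", "issues": "write", "pull_requests": "write", "actions": "read"}},
	{"cto", 3141071, map[string]string{"contents": "write", "issues": "write", "pull_requests": "write", "actions": "write", "workflows": "write"}},
	{"qa", 3141386, map[string]string{"contents": "read", "issues": "write", "pull_requests": "write", "actions": "read"}},
	{"engineer", 3141264, map[string]string{"contents": "write", "issues": "write", "pull_requests": "write", "actions": "write", "pages": "write"}},
}

// Only the fields the lint reads; the rest of the body is passed through to GitHub.
type ruleset struct {
	Name         string `json:"name"`
	BypassActors []struct {
		ActorID   int    `json:"actor_id"`
		ActorType string `json:"actor_type"`
	} `json:"bypass_actors"`
	Rules []struct {
		Type string `json:"type"`
	} `json:"rules"`
}

// Two layered rulesets. Bypass is ruleset-wide, so the merge gate (update rule,
// CEO app bypasses) is kept apart from the review rules (nobody bypasses).
const layered = `[
 {"name":"main-merge-gate","target":"branch","enforcement":"active",
  "conditions":{"ref_name":{"include":["~DEFAULT_BRANCH"],"exclude":[]}},
  "bypass_actors":[{"actor_id":3140977,"actor_type":"Integration","bypass_mode":"always"}],
  "rules":[{"type":"update"},{"type":"deletion"},{"type":"non_fast_forward"}]},
 {"name":"main-review","target":"branch","enforcement":"active",
  "conditions":{"ref_name":{"include":["~DEFAULT_BRANCH"],"exclude":[]}},"bypass_actors":[],
  "rules":[{"type":"pull_request","parameters":{"required_approving_review_count":2,"dismiss_stale_reviews_on_push":true,
    "require_code_owner_review":false,"require_last_push_approval":false,"required_review_thread_resolution":false}},
   {"type":"required_status_checks","parameters":{"strict_required_status_checks_policy":true,"required_status_checks":[{"context":"ci"}]}}]}]`

// The same rules collapsed into one ruleset: the CEO bypass now skips review too.
const collapsed = `[
 {"name":"main","target":"branch","enforcement":"active",
  "conditions":{"ref_name":{"include":["~DEFAULT_BRANCH"],"exclude":[]}},
  "bypass_actors":[{"actor_id":3140977,"actor_type":"Integration","bypass_mode":"always"}],
  "rules":[{"type":"update"},
   {"type":"pull_request","parameters":{"required_approving_review_count":2,"dismiss_stale_reviews_on_push":true,
    "require_code_owner_review":false,"require_last_push_approval":false,"required_review_thread_resolution":false}},
   {"type":"required_status_checks","parameters":{"strict_required_status_checks_policy":true,"required_status_checks":[{"context":"ci"}]}}]}]`

// lint reports which app can rewrite the gate and which app can get past it.
// Bypass is all-or-nothing per ruleset: an actor exempt from the update rule is
// also exempt from any review or status-check rule that sits beside it.
// Findings come in manifest order, then ruleset order, so output is deterministic.
func lint(apps []app, rulesetJSON string) ([]string, error) {
	var rs []ruleset
	if err := json.Unmarshal([]byte(rulesetJSON), &rs); err != nil {
		return nil, err
	}
	var out []string
	for _, a := range apps {
		if a.Perms["administration"] == "write" {
			out = append(out, fmt.Sprintf("%s(%d): administration:write can edit or delete every ruleset", a.Role, a.ID))
		}
	}
	for _, r := range rs {
		gated := false
		for _, rule := range r.Rules {
			if rule.Type == "pull_request" || rule.Type == "required_status_checks" {
				gated = true
			}
		}
		for _, b := range r.BypassActors {
			for _, a := range apps {
				if b.ActorType == "Integration" && b.ActorID == a.ID && gated && a.Perms["contents"] == "write" {
					out = append(out, fmt.Sprintf("%s(%d): bypass on ruleset %q skips review and status checks", a.Role, a.ID, r.Name))
				}
			}
		}
	}
	return out, nil
}

func main() {
	for _, body := range []string{layered, collapsed} {
		findings, _ := lint(apps, body)
		fmt.Println(findings)
	}
}
```

Against the layered layout the only finding is the CEO app's administration:write; against the collapsed one the CEO app also shows up as bypassing review, which is what the bullet list produces if all four items land in a single ruleset. The QA app never appears as a finding even when listed as a bypass actor, because contents:read cannot update main regardless of rules. Post each object with gh api -X POST repos/OWNER/REPO/rulesets --input file.json.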