When an agent builds a web page, a Next.js or Vue project, or any code for you, it can publish that project to your own GitHub with one instruction (for example, "push this to a new repo called acme-site"). To enable it, connect a GitHub Personal Access Token (PAT) once.
Step 1 — Create a token on GitHub (use a Classic token)
Use a Classic personal access token — it's the simplest to scope correctly for everything Ambrose does (create repos, push code, push workflow files, and packages).
- Sign in to github.com.
- Open the new-token page directly: https://github.com/settings/tokens/new (this is Settings → Developer settings → Personal access tokens → Tokens (classic) → Generate new token (classic)).
- Give it a Note (e.g. "Ambrose") and set an Expiration.
- Tick these scopes:
repo— full control of repositories (read + write code, create repos). Required.workflow— lets Ambrose push GitHub Actions workflow files (.github/workflows/…).write:packages— publish packages (under write:packages).admin:org→write:org— create/manage repos inside an organization you own. (Skip if you only push to your personal account.)
- Click Generate token and copy it now — GitHub shows it only once. A classic token looks like
ghp_….
github_pat_…. Classic is recommended for simplicity.Step 2 — Save it in Ambrose
- Open Settings → Keys in Ambrose.
- Find the GitHub card, paste your token into Personal Access Token, and click Save.
The token is stored encrypted and scoped to your agency only — no other agency can use or see it.
Step 3 — Use it
In chat or the War Room, ask an agent to push a project, for example: "Create a simple landing page for my agency and push it to a new private repo called acme-landing." The agent builds the files, creates the repo if needed, pushes them as one commit, and hands you the repo and commit links.
Two tools become available to any agent/team that has the github spoke enabled (and they work over a published team MCP too):
github_list_repos— lists the repos your token can see, to help pick a target.github_push— pushes the agent's workspace (or specific files) toowner/repo@branchas one commit, creating the repo first if it doesn't exist.
Good to know
- Scope: a classic token with
repocovers reading/writing code and creating repos. Addworkflowto push.github/workflowsfiles,write:packagesto publish packages, andwrite:org(underadmin:org) to create repos inside an organization. - Expiration: if you set an expiry, re-paste a new token when it lapses.
- Org repos: Ambrose can push to an existing
org/repoyour token can access; it only auto-creates repos under your own account. - Security: the token is stored as a secret, scoped to your agency only — it is never returned to the UI (only a "saved" flag + last 4 chars). Revoke it anytime on GitHub to instantly cut access.
Troubleshooting
- "Save failed" — make sure you pasted the token value (starts with
ghp_orgithub_pat_), not the token's name or URL. Generate a fresh one if you're unsure — GitHub only shows the value once. - Agent says "No GitHub token connected" — the token didn't save, or it was saved for a different agency. Re-open Settings → Keys, confirm the GitHub card shows Saved, and save again.
- Push rejected — the token is missing scope. Generate a classic token at github.com/settings/tokens/new with
repo(+workflowfor Actions files,write:packagesfor packages,write:orgfor org repos).