When an agent builds a web page, a Next.js or Vue project, or any code for you, it can publish that project to your own GitHub with one instruction (for example, "push this to a new repo called acme-site"). To enable it, connect a GitHub Personal Access Token (PAT) once.

Step 1 — Create a token on GitHub (use a Classic token)

Use a Classic personal access token — it's the simplest to scope correctly for everything Ambrose does (create repos, push code, push workflow files, and packages).

  1. Sign in to github.com.
  2. Open the new-token page directly: https://github.com/settings/tokens/new (this is Settings → Developer settings → Personal access tokens → Tokens (classic) → Generate new token (classic)).
  3. Give it a Note (e.g. "Ambrose") and set an Expiration.
  4. Tick these scopes:
    • repo — full control of repositories (read + write code, create repos). Required.
    • workflow — lets Ambrose push GitHub Actions workflow files (.github/workflows/…).
    • write:packages — publish packages (under write:packages).
    • admin:orgwrite:org — create/manage repos inside an organization you own. (Skip if you only push to your personal account.)
  5. Click Generate token and copy it now — GitHub shows it only once. A classic token looks like ghp_….
Fine-grained alternative. If your org requires fine-grained tokens, that works too — grant Repository permissions: Contents: Read and write, Administration: Read and write (to create repos), Workflows: Read and write, and (for packages) the relevant package permission. A fine-grained token looks like github_pat_…. Classic is recommended for simplicity.

Step 2 — Save it in Ambrose

  1. Open Settings → Keys in Ambrose.
  2. Find the GitHub card, paste your token into Personal Access Token, and click Save.

The token is stored encrypted and scoped to your agency only — no other agency can use or see it.

Step 3 — Use it

In chat or the War Room, ask an agent to push a project, for example: "Create a simple landing page for my agency and push it to a new private repo called acme-landing." The agent builds the files, creates the repo if needed, pushes them as one commit, and hands you the repo and commit links.

Two tools become available to any agent/team that has the github spoke enabled (and they work over a published team MCP too):

  • github_list_repos — lists the repos your token can see, to help pick a target.
  • github_push — pushes the agent's workspace (or specific files) to owner/repo@branch as one commit, creating the repo first if it doesn't exist.

Good to know

  • Scope: a classic token with repo covers reading/writing code and creating repos. Add workflow to push .github/workflows files, write:packages to publish packages, and write:org (under admin:org) to create repos inside an organization.
  • Expiration: if you set an expiry, re-paste a new token when it lapses.
  • Org repos: Ambrose can push to an existing org/repo your token can access; it only auto-creates repos under your own account.
  • Security: the token is stored as a secret, scoped to your agency only — it is never returned to the UI (only a "saved" flag + last 4 chars). Revoke it anytime on GitHub to instantly cut access.

Troubleshooting

  • "Save failed" — make sure you pasted the token value (starts with ghp_ or github_pat_), not the token's name or URL. Generate a fresh one if you're unsure — GitHub only shows the value once.
  • Agent says "No GitHub token connected" — the token didn't save, or it was saved for a different agency. Re-open Settings → Keys, confirm the GitHub card shows Saved, and save again.
  • Push rejected — the token is missing scope. Generate a classic token at github.com/settings/tokens/new with repo (+ workflow for Actions files, write:packages for packages, write:org for org repos).