Provider integrations
Connect Slack, GitHub, and runner-side credentials without giving agents broad provider authority.
Provider integrations turn outside events and approved side effects into workflow receipts. They are not a reason to hand raw organization credentials to an agent process.
Integration Status
| Integration | Status | First-run guidance | Notes |
|---|---|---|---|
| GitHub App | Available | Yes | Use one sandbox or low-risk team repository first. |
| Slack OAuth | Available | Yes | Use one narrow launch channel first, then expand after the route is working. |
Self-hosted vpd worker | Available | Yes | Runs agent work from customer-controlled infrastructure. |
| Viewport-managed cloud runners | Coming soon | Optional | For teams that do not want to operate their own worker. |
| Linear | Beta | After GitHub/Slack | Reconnect before relying on it for a customer workflow. |
| Jira | Early access | After GitHub/Slack | Use only when your workspace has it enabled. |
| Notion/Confluence | Later | No | Treat as a future context/update path, not a launch requirement. |
For the first run, keep the provider set narrow: one repository, one Slack channel, one worker, one policy. Expand after the team can see a complete run detail page with approvals, receipts, and audit entries.
Slack
Connect Slack from Settings -> Integrations -> Slack. Pick a default channel for workflow notifications or configure a workflow-specific channel.
Slack messages should be treated as summaries. The run detail in Viewport is the source of truth for approvals, receipts, artifacts, and audit.
For Slack-triggered routes, keep the first launch channel narrow and verify one source-thread completion before broadening to more channels.
GitHub
Install the Viewport GitHub App only on the repos the workflow may touch. For a first run, use a sandbox or team-owned repository.
Recommended first grant:
- read repository metadata/code for the selected repo;
- create a branch;
- open a pull request;
- comment on the pull request.
Do not start by allowing direct pushes to protected branches, merges, or repo admin operations.
First-Repo Walkthrough
Use one repository first. The goal is to prove checkout, bounded branch publish, PR creation, and receipt capture without broad org access.
-
Install the Viewport GitHub App on one sandbox or low-risk team repository.
-
Commit
.viewport/policy.yamland one route file in that repository. -
Keep the policy branch boundary narrow:
repos: - repo: acme/sandbox access: read-write credential: brokered branches: push_allowed: ["agent/**"] restricted: ["main", "release/**"] -
Run
vpd check .from the repository root. -
Push the
.viewport/commit and confirm GitOps sync shows the new SHA. -
Start the paired worker and trigger one small route.
-
Approve the plan gate in Viewport.
-
Confirm the worker publishes an
agent/**branch. -
Confirm GitHub shows a PR from that branch.
-
Confirm run detail shows the GitHub provider receipt with PR URL.
For a GitHub-triggered first proof, use a minimal route like:
route:
name: github-pr-review
team: platform
trigger:
integration: github
events: ["pull_request.*"]
conditions:
repo: acme/sandbox
policy:
source: git
repo: acme/sandbox
ref: main
path: .viewport/policy.yamlFor a Slack-triggered first proof that opens a GitHub PR, the Slack route can still use the same GitHub repo policy and branch boundary. The trigger provider does not change the GitHub side-effect evidence requirement.
GitHub Evidence Checklist
After the first GitHub-backed run, run detail should show:
- repository slug and synced Git SHA for the policy;
- brokered checkout or repo preparation receipt;
- branch name under the allowed pattern;
- implementation/test node result;
- GitHub PR number and URL;
- provider receipt id/status;
- credential or integration label, not a raw GitHub token;
- failure copy if checkout, branch publish, or PR creation failed.
GitHub itself should show:
- PR source branch matching the allowed pattern;
- target branch that is not directly pushed by the worker;
- Viewport-authored PR body or comment linking back to run evidence;
- no unexpected write to protected branches.
If GitHub has a PR but Viewport has no provider receipt, the run evidence is incomplete. If Viewport has a failed receipt and GitHub has no PR, use the receipt failure copy before changing app permissions.
Worker Credentials
Self-hosted workers may hold local model keys, package registry tokens, and repo checkout credentials. Keep them local unless a workflow explicitly requires a brokered provider action.
The worker can claim work and report evidence. Provider writes still require the server-issued workflow authority, approval state, and named provider grant.
Linear And Other Sources
Linear/Jira/webhook events should be introduced after the first Slack/GitHub proof. Before enabling live intake:
- verify webhook signing;
- dry-run route matching;
- confirm the active team owns the workflow;
- confirm denial behavior for unmatched or unauthorized events.
Proving A New Provider
A provider becomes live-proven for a workspace only when one small run shows:
- the integration can authenticate without engineer intervention;
- route or trigger delivery reaches Viewport;
- the worker can claim and execute the governed run;
- the side effect is approved or explicitly allowed by policy;
- the external object URL or provider reference is stored as a receipt;
- failure copy is understandable when the provider denies the action.
Record the run id, provider receipt id, external URL/permalink, and any scoped credential ref. Do not record raw access tokens.
Support Checklist
When an integration fails, collect:
- workspace id and team id;
- workflow id and run id;
- provider connection name;
- runner name;
- denial code or receipt id;
- sanitized
vpd worker doctor --json.
Do not share raw provider tokens, worker private keys, pairing codes, bootstrap tokens, or lease tokens.