
feat: multiple GitHub Apps with per-app metrics observability#28

Draft
Copilot wants to merge 5 commits into main from copilot/feat-multiple-github-apps

Conversation

Contributor

Copilot AI commented Mar 10, 2026

A single GitHub App creates permission over-reach and rate limit pressure. This adds full multi-app support with per-app Prometheus metrics and Helm chart wiring for Kubernetes deployments.

Metrics evolution

Five metrics were missing the app label, making them useless in multi-app deployments:

| Metric | Before | After |
|---|---|---|
| `POLICY_LOADS_TOTAL` | `[backend, result]` | `[app, backend, result]` |
| `POLICY_CACHE_HITS` | (no labels) | `[app]` |
| `POLICY_CACHE_MISSES` | (no labels) | `[app]` |
| `GITHUB_API_CALLS` | `[endpoint, result]` | `[app, endpoint, result]` |
| `GITHUB_TOKEN_ISSUED` | `[scope, permissions]` | `[app, scope, permissions]` |

Callers in policy_loader.py, github_app.py, and rate_limit.py updated accordingly.

Helm chart: multi-app configuration

New github.apps map in values.yaml allows configuring multiple apps, each backed by its own Kubernetes Secret:

```yaml
github:
  apps:
    minimal-app:
      appId: "12345"
      existingSecret: "minimal-app-github-credentials"
      secretPrivateKeyKey: "github-app-private-key"
    deploy-bot:
      appId: "67890"
      existingSecret: "deploy-bot-github-credentials"
```

When github.apps is non-empty:

  • configmap.yaml renders an apps: block in the YAML config, with each app's private_key_path pointing to its mounted volume
  • deployment.yaml adds a volumeMount per app at /etc/github-sts/apps/{appName}/, backed by a secret volume scoped via items: to only the private key file

The existing single-app env var path (github.appId + github.existingSecret) remains fully backward-compatible and can coexist with github.apps entries.

Original prompt

This section details the original issue you should resolve

<issue_title>feat: allow the possibility to have multiple GitHub App with different permission.</issue_title>
<issue_description>### Problem Statement

Currently the service will load a single GitHub App to handle the token creation and this causes a limitation.

In certain specific contexts, it will be required to have a GitHub App with 'minimal' permissions to ensure the users are not overreaching what the GitHub App should be able to do.

This should also allow less stress on the rate limits that are defined per GitHub App.

### Proposed Solution

Define multiple applications to be loaded with different names.

Where we could have `.github/sts/github_app_1/identity_x.sts.yaml` and `.github/sts/github_app_2/identity_x.sts.yaml`.

This would also require an evolution of the metrics to have metrics based on the application identification.

### Alternatives Considered

No response

### Priority

Low - Nice to have

### Additional Context

No response</issue_description>

Comments on the Issue (you are @copilot in this section)
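The "Metrics evolution" table above says why the `app` label matters but not what goes wrong without it. The following is an added example, not code from this PR or from the project: it records the same constructed traffic against the "before" schema (`[backend, result]`) and the "after" schema (`[app, backend, result]`, `[app, endpoint, result]`) and shows that only the latter can attribute policy loads and GitHub API calls (and therefore rate-limit pressure) to a specific app. It assumes the service uses a `prometheus_client`-style labelled `Counter`; the `LabelledCounter` class here is a stdlib stand-in with the same `.labels(...).inc()` interface so the example runs offline, and the endpoint name is a constructed placeholder.

```python
from collections import defaultdict


class LabelledCounter:
    """Stdlib stand-in for prometheus_client.Counter (assumption: the service uses
    prometheus_client; this mimics its .labels(...).inc() interface so the example
    runs offline). One time series per distinct tuple of label values."""

    class _Child:
        def __init__(self, counter, key):
            self._counter, self._key = counter, key

        def inc(self, amount=1.0):
            self._counter._series[self._key] += amount

    def __init__(self, name, labelnames):
        self.name = name
        self.labelnames = tuple(labelnames)
        self._series = defaultdict(float)

    def labels(self, **labels):
        # Reject callers that omit or add labels: a caller that forgets `app` would
        # otherwise merge every app's traffic into one series, which is the defect
        # the PR fixes in policy_loader.py, github_app.py and rate_limit.py.
        if set(labels) != set(self.labelnames):
            raise ValueError(f"{self.name}: expected labels {self.labelnames}, got {tuple(labels)}")
        return LabelledCounter._Child(self, tuple(labels[n] for n in self.labelnames))

    def samples(self):
        """{((label, value), ...): count} - the series a scrape would expose."""
        return {tuple(zip(self.labelnames, key)): v for key, v in self._series.items()}

    def sum_where(self, **match):
        """Sum the series whose labels match the given values (a PromQL-style selector)."""
        idx = {n: self.labelnames.index(n) for n in match}
        return sum(v for key, v in self._series.items()
                   if all(key[idx[n]] == val for n, val in match.items()))

    def reset(self):
        self._series.clear()


# Label schemas taken from the PR's "Metrics evolution" table.
POLICY_LOADS_BEFORE = LabelledCounter("policy_loads_total", ["backend", "result"])
POLICY_LOADS_TOTAL = LabelledCounter("policy_loads_total", ["app", "backend", "result"])
GITHUB_API_CALLS = LabelledCounter("github_api_calls", ["app", "endpoint", "result"])


def record_policy_load(app, backend, result):
    POLICY_LOADS_BEFORE.labels(backend=backend, result=result).inc()
    POLICY_LOADS_TOTAL.labels(app=app, backend=backend, result=result).inc()


def record_github_api_call(app, endpoint, result):
    GITHUB_API_CALLS.labels(app=app, endpoint=endpoint, result=result).inc()


# Constructed sample traffic (not real data): two apps sharing one policy backend.
SAMPLE_EVENTS = [
    ("minimal-app", "github", "success"),
    ("minimal-app", "github", "success"),
    ("minimal-app", "github", "error"),
    ("deploy-bot", "github", "success"),
    ("deploy-bot", "github", "success"),
]


def replay(events=SAMPLE_EVENTS):
    """Record the events against both schemas and summarise what each can answer."""
    for counter in (POLICY_LOADS_BEFORE, POLICY_LOADS_TOTAL, GITHUB_API_CALLS):
        counter.reset()
    for app, backend, result in events:
        record_policy_load(app, backend, result)
        # Endpoint name is a constructed placeholder, not one taken from the project.
        record_github_api_call(app, "installations/access_tokens", result)
    apps = sorted({app for app, _, _ in events})
    return {
        "before_series": len(POLICY_LOADS_BEFORE.samples()),  # apps collapsed together
        "after_series": len(POLICY_LOADS_TOTAL.samples()),    # one series per app/result
        "loads_per_app": {a: POLICY_LOADS_TOTAL.sum_where(app=a) for a in apps},
        "api_calls_per_app": {a: GITHUB_API_CALLS.sum_where(app=a) for a in apps},
    }


if __name__ == "__main__":
    for key, value in replay().items():
        print(f"{key}: {value}")
```

With the sample events the "before" counter exposes two series (success and error, both apps summed), so a rate-limit alert could only say "the service is calling GitHub a lot"; the "after" counters answer which installation is burning its budget, which is the question the issue asks for.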


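The Helm section above describes what `configmap.yaml` and `deployment.yaml` emit for each entry of `github.apps`, but the templates themselves are not shown. The following is an added example, not the chart's own template logic: it expands a values dict mirroring the PR's `values.yaml` snippet into the `apps:` config block, the per-app secret volumes scoped with `items:`, and the per-app `volumeMount` at `/etc/github-sts/apps/{appName}/`, and it rejects app names that would not be safe as a path segment. The config key `app_id`, the volume naming, `readOnly: true`, the DNS-label restriction on app names, and the fallback key name for apps that omit `secretPrivateKeyKey` are all assumptions made for this example.

```python
import re

# Mount root quoted in the PR description; each app gets a directory under it.
APPS_MOUNT_ROOT = "/etc/github-sts/apps"
# Assumption: apps that omit secretPrivateKeyKey fall back to the key name that
# minimal-app spells out explicitly. The chart's real default is not shown in the PR.
DEFAULT_PRIVATE_KEY_KEY = "github-app-private-key"
# Assumption: app names are DNS-label-like, so they are safe both as a path segment
# under APPS_MOUNT_ROOT and as part of a volume name (rejects "../x", "a/b", "").
APP_NAME_RE = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")


def render_apps(values):
    """Expand values["github"]["apps"] the way the PR says configmap.yaml and
    deployment.yaml do. Returns (config_apps, volumes, volume_mounts)."""
    apps = (values.get("github") or {}).get("apps") or {}
    config_apps, volumes, mounts = {}, [], []
    for name, spec in apps.items():
        if not APP_NAME_RE.match(name):
            raise ValueError(f"invalid app name {name!r}")
        app_id = str(spec.get("appId", ""))
        if not app_id.isdigit():
            raise ValueError(f"{name}: appId must be a numeric string")
        secret_name = spec.get("existingSecret")
        if not secret_name:
            raise ValueError(f"{name}: existingSecret is required")
        key_file = spec.get("secretPrivateKeyKey", DEFAULT_PRIVATE_KEY_KEY)
        mount_path = f"{APPS_MOUNT_ROOT}/{name}"
        volume_name = f"github-app-{name}"  # assumption: naming scheme not shown in PR

        # configmap.yaml: the apps block, private_key_path under the app's own mount.
        # "app_id" is an assumed key name; private_key_path is the one the PR names.
        config_apps[name] = {
            "app_id": app_id,
            "private_key_path": f"{mount_path}/{key_file}",
        }
        # deployment.yaml: a secret volume scoped with items: so that only the
        # private-key entry is projected, even if the Secret holds other keys.
        volumes.append({
            "name": volume_name,
            "secret": {"secretName": secret_name,
                       "items": [{"key": key_file, "path": key_file}]},
        })
        mounts.append({"name": volume_name, "mountPath": mount_path, "readOnly": True})
    return config_apps, volumes, mounts


# Constructed to mirror the values.yaml snippet in the PR description.
SAMPLE_VALUES = {
    "github": {
        "apps": {
            "minimal-app": {
                "appId": "12345",
                "existingSecret": "minimal-app-github-credentials",
                "secretPrivateKeyKey": "github-app-private-key",
            },
            "deploy-bot": {
                "appId": "67890",
                "existingSecret": "deploy-bot-github-credentials",
            },
        }
    }
}


if __name__ == "__main__":
    config_apps, volumes, mounts = render_apps(SAMPLE_VALUES)
    print("apps:", config_apps)
    print("volumes:", volumes)
    print("volumeMounts:", mounts)
```

The `items:` scoping is the part worth checking in a rendered manifest: without it, every key in `existingSecret` lands in the container filesystem, so a Secret that also carries, say, a webhook secret would expose it under the app's mount path. The empty-`github.apps` case returns empty structures, matching the PR's note that the single-app env var path keeps working on its own.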

Copilot AI and others added 2 commits March 10, 2026 02:25
Co-authored-by: AlexandreODelisle <39196192+AlexandreODelisle@users.noreply.github.com>
…t mounts

Co-authored-by: AlexandreODelisle <39196192+AlexandreODelisle@users.noreply.github.com>
Copilot AI changed the title [WIP] Add support for multiple GitHub Apps with different permissions feat: multiple GitHub Apps with per-app metrics observability Mar 10, 2026
@github-actions github-actions Bot added the python Python related components label Mar 14, 2026

Labels

python Python related components


Development

Successfully merging this pull request may close these issues.

feat: allow the possibility to have multiple GitHub App with different permission.