GitHub Enterprise

Buildkite can connect to your GitHub Enterprise Server and use the Commit Status API to update the status of commits in Pull Requests.

Step 1: Register Buildkite as an OAuth App

This guide was written using GitHub Enterprise version 2.16.3. Earlier or later versions may have different menus and headings for the OAuth app registration. All of the Buildkite settings will remain the same.

In your GitHub Enterprise organization settings, select OAuth Apps under Developer Settings:

Screenshot of the OAuth Apps Page in the Developer Settings Menu

Select Register an application. Fill out the form with the following values:

  • Name: Buildkite
  • URL:
  • Callback URL:
Screenshot of the form to Register an OAuth Application

Select Register application at the bottom of the form.

After successfully registering your application, you can optionally add a logo to your app. Here is a pre-cropped image you can use:

Buildkite Logo

Make a note of your Client ID and Client Secret, you will need those to connect your GitHub Enterprise Server with Buildkite in the next step.

Screenshot of the Client ID and Client Secret section of the Buildkite OAuth App settings page

Step 2: Update your Buildkite organization settings

  1. Open your Buildkite organization's Settings and choose Repository Providers
  2. Click GitHub Enterprise Server and enter

    • The URL and public proxy URL of your GitHub Enterprise Server
    • The Client ID and Client Secret from the GitHub OAuth App you created in Step 1
  3. If you're using self-signed certificates, make sure the Verify TLS Certificate checkbox is not checked.

Select Save GitHub Enterprise Settings to save your settings. After saving, the Secret field appears blank - Buildkite has saved it, and will not display it.

Screenshot of the GitHub Enterprise settings section in Buildkite

You can optionally supply a TLS certificate pair to be used by Buildkite as a client certificate when contacting your GitHub Enterprise endpoints.

Screenshot of the TLS client settings section of the GitHub Enterprise settings in Buildkite

Step 3: Connect your GitHub Enterprise account to Buildkite

For Buildkite to mark commits and pull requests as pass or fail, you'll need to authorize your GitHub Enterprise user account with Buildkite.

In your Buildkite Personal Settings, click on the Connected Apps menu item. Here you'll see your GitHub Enterprise Server along with any other connected apps. Select Connect:

Screenshot of the Connected Apps page in Buildkite Personal Settings with the GitHub Enterprise App

Buildkite redirects you back to your GitHub Enterprise Server, where it will ask you to authorize your new Buildkite OAuth app to use your GitHub Enterprise account. Select Authorize to complete your setup:

Screenshot of the Authorization page in GitHub Enterprise

That's it! Next time you create a pipeline with a repository that's either or, Buildkite will recognize that it's hosted on your GitHub Enterprise Server, and use your newly created OAuth authorization to update the commit statuses.

Firewalled installs

If your GitHub Enterprise is behind a firewall you’ll need to allow Buildkite’s IP address so we can perform OAuth authentications use GitHub Enterprise API to update your pull request statuses.

All Buildkite network traffic to your GitHub Enterprise Server will come from the following IP address: Please configure your network to allow traffic from this IP address.

For additional security you can create a proxy which allows only the API endpoints we require:

  • /api/v3/repos/.*/.*/statuses
  • /api/v3/user
  • /login/oauth

The following is an example NGINX server configuration that proxies the required URLs and can be used with the "Public API URL" GitHub Enterprise setting in Buildkite:

daemon off;

events {
  worker_connections 1024;

http {

  server {
    listen 443 ssl;

    location / {
      deny all;

    location ~ ^/api/v3/repos/.*/.*/statuses {
      proxy_pass https://ghe.internal:443;

    location /api/v3/user {
      proxy_pass https://ghe.internal:443;

    location /login/oauth {
      proxy_pass https://ghe.internal:443;