Skip to content
Latchkey

Backstage integrations GITHUB_TOKEN missing for catalog import in CI

The GitHub integration reads a token, usually ${GITHUB_TOKEN}, to fetch catalog-info.yaml and import repositories. Without it, unauthenticated requests hit low rate limits and cannot read private repos, so catalog reads fail.

What this error means

Catalog reads fail with "API rate limit exceeded" or 404 Not Found on private repositories, or a warning that the github integration has no token configured.

backstage
Unable to read url, Error: API rate limit exceeded for <ip>.
(But here's the good news: Authenticated requests get a higher rate limit.)
https://github.com/acme/private-repo/blob/main/catalog-info.yaml

Common causes

No token in the github integration config

integrations.github has no token, so requests are anonymous and quickly hit the unauthenticated rate limit.

The token env var is not exported to the step

app-config references ${GITHUB_TOKEN}, but the workflow did not map the secret into the step env.

How to fix it

Configure the integration token from a secret

  1. Reference the token in the github integration config.
  2. Export the secret into the step env.
  3. Re-run so authenticated reads succeed.
app-config.yaml
integrations:
  github:
    - host: github.com
      token: ${GITHUB_TOKEN}

Map the secret into the job env

Set GITHUB_TOKEN in the step env so config substitution resolves it. Use a token with read access to the target repos.

.github/workflows/ci.yml
env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

How to prevent it

  • Always configure an integration token for GitHub reads.
  • Map the token secret into every job that reads the catalog.
  • Grant the token read access to the repositories you import.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →