{"id":19909062,"url":"https://github.com/dyne/scorsh","last_synced_at":"2025-10-26T07:36:51.592Z","repository":{"id":141086453,"uuid":"96463722","full_name":"dyne/scorsh","owner":"dyne","description":"Signed-Commit Remote Shell - authenticated trigger for remote execution via Git","archived":false,"fork":false,"pushed_at":"2017-10-03T09:06:36.000Z","size":147,"stargazers_count":9,"open_issues_count":0,"forks_count":4,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-05-03T02:38:44.887Z","etag":null,"topics":["authentication","authorization","git","gpg","remote-control","script","spool","trigger"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dyne.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2017-07-06T19:10:28.000Z","updated_at":"2021-02-08T12:17:59.000Z","dependencies_parsed_at":"2023-03-17T15:00:32.497Z","dependency_job_id":null,"html_url":"https://github.com/dyne/scorsh","commit_stats":{"total_commits":44,"total_committers":3,"mean_commits":"14.666666666666666","dds":"0.11363636363636365","last_synced_commit":"a5f0a419bffe9c984bc5ecde15b92f9b27080dfa"},"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/dyne/scorsh","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dyne%2Fscorsh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dyne%2Fscorsh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dyne%2Fscorsh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dyn
e%2Fscorsh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dyne","download_url":"https://codeload.github.com/dyne/scorsh/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dyne%2Fscorsh/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":281074239,"owners_count":26439421,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-26T02:00:06.575Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","authorization","git","gpg","remote-control","script","spool","trigger"],"created_at":"2024-11-12T21:14:17.003Z","updated_at":"2025-10-26T07:36:51.573Z","avatar_url":"https://github.com/dyne.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n# Signed-Commit Remote Shell\n\n![scorsh logo](https://github.com/dyne/scorsh/blob/master/doc/scorsh-logo-600px.png)\n\n**scorsh** lets you trigger commands on a remote **git** server through commits, optionally signed with **gnupg**.\n\n**scorsh** is written in Go. 
\n\n\n## Why scorsh\n\n...if you have ever felt that git hooks fall short of your standards...\n\n...because you would like each specific push event to trigger _something\ndifferent_ on the git repo...\n\n...and you want only authorised users to be able to trigger that\n_something_...\n\n...then **scorsh** might be what you have been looking for. \n\n**scorsh** is a simple system to execute commands on a remote host by\nusing git commits containing customisable commands\n(scorsh-tags) that can be authenticated using a gnupg signature. **scorsh** consists of three components:\n\n* the `scorsh-commit` executable (client-side)\n\n* a `post-receive` git hook\n\n* the `scorshd` binary itself (server-side)\n\nThe `scorsh-commit` executable is used to inject scorsh-commands into a\nregular gpg-signed git commit. \n\nFor each new push event, the `post-receive` hook creates a file in a\nconfigurable spool directory, containing information about the repo,\nbranch, and commits of the push.\n\nThe `scorshd` binary processes inotify events from the spool, parses\neach new file there, walks through the new commits looking for signed\nones, checks if the message of a signed commit contains a recognised\nscorsh-command, verifies that the user who signed the message is\nallowed to use that scorsh-command, and executes the actions\nassociated with the scorsh-command. \n\nThe set of scorsh-commands accepted on a repo/branch is configurable,\nand each scorsh-command can be associated with a list of\nactions. 
Actions are just URLs, at the moment restricted to two\npossible types:\n\n* `file://path/to/file` - in this case `scorsh` tries to execute the\n  corresponding file (useful to execute scripts)\n  \n* `http://myserver.com/where/you/like` - in this case `scorsh` makes an\n  HTTP request to the specified URL (useful to trigger other actions,\n  e.g., Jenkins or Travis builds -- **currently not working**)\n  \n\n\n## Build notes\n\n**scorsh** depends on the availability of a native build of `libgit2`\nversion `0.26` or greater on the native system where **scorsh** is\nbuilt. This dependency is easily satisfied on various operating\nsystems by using their respective package manager. For instance in\nDevuan ASCII one can simply do:\n\n```\nsudo apt install libgit2-dev\n```\n\nIn most distributions unfortunately `libgit2` is older than `0.26` so\none should first build this exact release version from source,\navailable\nhere:\n[libgit2 release 0.26](https://github.com/libgit2/libgit2/releases/tag/v0.26.0)\n\nThen proceed to install the dependencies for **scorsh**:\n```\nmake deps\n```\n\nAnd finally build its binary:\n```\nmake\n```\n\n## Configuration walkthrough (DRAFT)\n\n`scorshd` reads its configuration from a YAML file, normally passed on\nthe command line through the option `-c CFG_FILE`. An example is the\nfollowing:\n\n```\n---\ns_spooldir: \"./spool\"\ns_logfile: \"./scorsh.log\"\ns_logprefix: \"[scorsh]\"\n\ns_workers:\n  [\n     {\n       w_name: worker1,\n       w_repos: [\".*:.*\"], # All branches in all repos\n       w_folder: ./worker1,\n       w_logfile: ./worker1/worker1.log,\n       w_cfgfile: \"./worker1/worker1.cfg\",\n     },\n     {\n       w_name: worker2,\n       w_repos: [\".*:master\"], # Branch master in all repos\n       w_folder: ./worker2,\n       w_logfile: ./worker2/worker2.log,\n       w_cfgfile: \"./worker2/worker2.cfg\",\n     }\n]\n...\n\n```\n\nThis file defines two workers. 
Each worker is associated with a pair of\n`repo:branch` regexps. A worker will be activated only on pushes made\non a matching `repo:branch`. Each worker has a configuration file\n`w_cfgfile`, where the list of accepted scorsh-commands is\ndefined. For instance, for `worker1` we could have:\n\n```\n---\nw_commands:\n    [\n     {\n       c_name: \"LOG\",\n       c_keyrings: [\"allowed_users.asc\"],\n       c_actions: [\n                    {\n                     a_url: \"file:///home/katolaz/bin/scorsh_script_log.sh\"\n                    }\n                   ]\n      },\n     {\n       c_name: \"build\",\n       c_keyrings: [\"allowed_users.asc\"],\n       c_actions: [\n                    {\n                     a_url: \"file:///home/katolaz/bin/scorsh_script.sh\",\n                     a_hash: \"c129d4a12998c44dfb9a9fd61ec3159bf29606e0f7280f28bbd98fc6f972fa27\"\n                    }\n                   ]\n      },\n     {\n      c_name: \"preview\",\n      c_keyrings: [\"allowed_users.asc\"],\n      c_actions: [\n                  {\n                  a_url: \"file:///home/katolaz/bin/scorsh_preview.sh\"\n                  }\n                 ]\n     }\n      \n    ]\n...\n```\n\nIn this example, `worker1` has three configured scorsh-commands,\nnamely `LOG`, `build`, and `preview`.  Commands are\n*case-sensitive*. Each command is associated with a list of keyblocks\n(containing the public keys of the users allowed to run that command),\nand with a list of actions. \n\n**TBC**\n\n## License\n\n**scorsh** is Copyright (2017) by Vincenzo \"KatolaZ\" Nicosia.\n\n**scorsh** is free software. You can use, modify, and redistribute it\n  under the terms of the GNU Affero General Public Licence, version 3\n  of the Licence or, at your option, any later version. 
Please see\n  LICENSE.md for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdyne%2Fscorsh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdyne%2Fscorsh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdyne%2Fscorsh/lists"}