{"id":44135372,"url":"https://github.com/mitchellh/vouch","last_synced_at":"2026-02-24T19:03:55.932Z","repository":{"id":337123268,"uuid":"1150912706","full_name":"mitchellh/vouch","owner":"mitchellh","description":"A community trust management system based on explicit vouches to participate.","archived":false,"fork":false,"pushed_at":"2026-02-15T22:39:52.000Z","size":207,"stargazers_count":3024,"open_issues_count":8,"forks_count":45,"subscribers_count":6,"default_branch":"main","last_synced_at":"2026-02-16T04:42:21.038Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Nushell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mitchellh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-02-05T20:50:58.000Z","updated_at":"2026-02-16T02:16:31.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/mitchellh/vouch","commit_stats":null,"previous_names":["mitchellh/vouch"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/mitchellh/vouch","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitchellh%2Fvouch","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitchellh%2Fvouch/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitchellh%2Fvouch/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitchellh%2Fvouch/manifests",
"owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mitchellh","download_url":"https://codeload.github.com/mitchellh/vouch/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitchellh%2Fvouch/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29618463,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-19T13:04:20.082Z","status":"ssl_error","status_checked_at":"2026-02-19T13:03:33.775Z","response_time":117,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-02-08T23:15:43.356Z","updated_at":"2026-02-19T23:04:03.771Z","avatar_url":"https://github.com/mitchellh.png","language":"Nushell","readme":"\u003ch1 align=\"center\"\u003eVouch\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  A community trust management system.\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"FAQ.md\"\u003eFAQ\u003c/a\u003e · \u003ca href=\"COOKBOOK.md\"\u003eCookbook\u003c/a\u003e · \u003ca href=\"CONTRIBUTING.md\"\u003eContributing\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\nPeople must be **vouched for** before\ninteracting with certain parts of a project (the exact parts are\nconfigurable to the project to enforce). 
People can also be explicitly\n**denounced** to block them from interacting with the project.\n\nThe implementation is generic and can be used by any project on any code forge,\nbut we provide **GitHub integration** out of the box via GitHub Actions\nand the CLI.\n\nThe vouch list is maintained in a single flat file using a minimal format\nthat can be trivially parsed using standard POSIX tools and any programming\nlanguage without external libraries.\n\n**Vouch lists can also form a web of trust.** You can configure Vouch to\nread other projects' lists of vouched or denounced users. This way,\nprojects with shared values can share their trust decisions with each other\nand create a larger, more comprehensive web of trust across the ecosystem.\nUsers already proven to be trustworthy in one project can automatically\nbe assumed trustworthy in another project, and so on.\n\n\u003e [!WARNING]\n\u003e\n\u003e This is an experimental system in use by [Ghostty](https://github.com/ghostty-org/ghostty).\n\u003e We'll continue to improve the system based on experience and feedback.\n\n## Why?\n\nOpen source has always worked on a system of _trust and verify_.\n\nHistorically, the effort required to understand a codebase, implement\na change, and submit that change for review was high enough that it\nnaturally filtered out many low-quality contributions from unqualified people.\nFor over 20 years of my life, this was enough for my projects as well\nas enough for most others.\n\nUnfortunately, the landscape has changed, particularly with the advent\nof AI tools that allow people to trivially create plausible-looking but\nextremely low-quality contributions with little to no true understanding.\nContributors can no longer be trusted based on the minimal barrier to entry\nto simply submit a change.\n\nBut, open source still works on trust! 
And every project has a definite\ngroup of trusted individuals (maintainers) and a larger group of probably\ntrusted individuals (active members of the community in any form). So,\nlet's move to an explicit trust model where trusted individuals can vouch\nfor others, and those vouched individuals can then contribute.\n\n## Who is Vouched?\n\n**Who** and **how** someone is vouched or denounced is left entirely up to the\nproject integrating the system. Additionally, **what** consequences\na vouched or denounced person has is also fully up to the project.\nImplement a policy that works for your project and community.\n\n## Usage\n\n### GitHub\n\nIntegrating vouch into a GitHub project is easy with the\n[provided GitHub Actions](https://github.com/mitchellh/vouch/tree/main/action).\nBy choosing which actions to use, you can fully control how\nusers are vouched and what they can or can't do.\n\nFor an example, look at this repository! It fully integrates vouch.\n\nBelow is a list of the actions and a brief description of their function.\nSee the linked README in the action directory for full usage details.\n\n| Action                                                        | Trigger               | Description                                                                                                                                                                                |\n| ------------------------------------------------------------- | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |\n| [check-issue](action/check-issue/README.md)                   | `issues`              | Check if an issue author is vouched on open or reopen. Bots and collaborators with write access are automatically allowed. Optionally auto-close issues from unvouched or denounced users. 
|\n| [check-pr](action/check-pr/README.md)                         | `pull_request_target` | Check if a PR author is vouched on open or reopen. Bots and collaborators with write access are automatically allowed. Optionally auto-close PRs from unvouched or denounced users.        |\n| [check-user](action/check-user/README.md)                     | Any                   | Check if a GitHub user is vouched. Outputs the user's status and fails the step by default if the user is not vouched. Set `allow-fail` to only report via output.                         |\n| [manage-by-discussion](action/manage-by-discussion/README.md) | `discussion_comment`  | Let collaborators vouch, denounce, or unvouch users via discussion comments. Updates the vouched file and commits the change.                                                              |\n| [manage-by-issue](action/manage-by-issue/README.md)           | `issue_comment`       | Let collaborators vouch or denounce users via issue comments. Updates the vouched file and commits the change.                                                                             |\n| [sync-codeowners](action/sync-codeowners/README.md)           | Any                   | Sync CODEOWNERS owners into the vouch list by vouching missing users.                                                                                                                      |\n| [setup-vouch](action/setup-vouch/README.md)                   | Any                   | Install the `vouch` CLI on `PATH`. Nushell is installed automatically if not already available.                                                                                            |\n\n### CLI\n\nThe CLI is implemented as a Nushell module and only requires\nNushell to run. 
There are no other external dependencies.\n\n#### Integrated Help\n\nThis is Nushell, so you can get help on any command:\n\n```nu\nuse vouch *\nhelp add\nhelp check\nhelp denounce\nhelp gh-check-issue\nhelp gh-check-pr\nhelp gh-manage-by-issue\n```\n\n#### Local Commands\n\n**Check a user's vouch status:**\n\n```bash\nvouch check \u003cusername\u003e\n```\n\nExit codes: 0 = vouched, 1 = denounced, 2 = unknown.\n\n**Add a user to the vouched list:**\n\n```bash\n# Preview new file contents (default)\nvouch add someuser\n\n# Write the file in-place\nvouch add someuser --write\n```\n\n**Denounce a user:**\n\n```bash\n# Preview new file contents (default)\nvouch denounce badactor\n\n# With a reason\nvouch denounce badactor --reason \"Submitted AI slop\"\n\n# Write the file in-place\nvouch denounce badactor --write\n```\n\n#### GitHub Integration\n\nRequires the `GITHUB_TOKEN` environment variable. If not set and `gh`\nis available, the token from `gh auth token` is used.\n\n**Check if an issue author is vouched:**\n\n```bash\n# Check issue author status (dry run)\nvouch gh-check-issue 123 --repo owner/repo\n\n# Auto-close unvouched issues (dry run)\nvouch gh-check-issue 123 --repo owner/repo --auto-close\n\n# Actually close unvouched issues\nvouch gh-check-issue 123 --repo owner/repo --auto-close --dry-run=false\n\n# Allow unvouched users, only block denounced\nvouch gh-check-issue 123 --repo owner/repo --require-vouch=false --auto-close\n```\n\nOutputs status: `skipped` (bot/collaborator), `vouched`, `allowed`, or `closed`.\n\n**Check if a PR author is vouched:**\n\n```bash\n# Check PR author status (dry run)\nvouch gh-check-pr 123 --repo owner/repo\n\n# Auto-close unvouched PRs (dry run)\nvouch gh-check-pr 123 --repo owner/repo --auto-close\n\n# Actually close unvouched PRs\nvouch gh-check-pr 123 --repo owner/repo --auto-close --dry-run=false\n\n# Allow unvouched users, only block denounced\nvouch gh-check-pr 123 --repo owner/repo --require-vouch=false 
--auto-close\n```\n\nOutputs status: `skipped` (bot/collaborator), `vouched`, `allowed`, or `closed`.\n\n**Manage contributor status via issue comments:**\n\n```bash\n# Dry run (default)\nvouch gh-manage-by-issue 123 456789 --repo owner/repo\n\n# Actually perform the action\nvouch gh-manage-by-issue 123 456789 --repo owner/repo --dry-run=false\n```\n\nResponds to comments from collaborators with sufficient role\n(admin, maintain, write, or triage by default):\n\n- `vouch` — vouches for the issue author\n- `vouch @user` — vouches for a specific user\n- `vouch \u003creason\u003e` — vouches for the issue author with a reason\n- `vouch @user \u003creason\u003e` — vouches for a specific user with a reason\n- `denounce` — denounces the issue author\n- `denounce @user` — denounces a specific user\n- `denounce \u003creason\u003e` — denounces the issue author with a reason\n- `denounce @user \u003creason\u003e` — denounces a specific user with a reason\n\nKeywords are customizable via `--vouch-keyword` and `--denounce-keyword`.\nYou can also allow specific managers listed in a separate VOUCHED file\nvia `--vouched-managers`.\n\nOutputs status: `vouched`, `denounced`, or `unchanged`.\n\n### Library\n\nThe module also exports a `lib` submodule for scripting:\n\n```nu\nuse vouch/lib.nu *\n\nlet records = open VOUCHED.td\n$records | check-user \"mitchellh\" --default-platform github  # \"vouched\", \"denounced\", or \"unknown\"\n$records | add-user \"newuser\"                                # returns updated table\n$records | denounce-user \"badactor\" \"reason\"                 # returns updated table\n$records | remove-user \"olduser\"                             # returns updated table\n```\n\n## Vouched File Format\n\nThe vouch list is stored in a `.td` file. See\n[VOUCHED.example.td](VOUCHED.example.td) for an example. 
The file is\nlooked up at `VOUCHED.td` or `.github/VOUCHED.td` by default.\n\n```\n# Comments start with #\nusername\nplatform:username\n-platform:denounced-user\n-platform:denounced-user reason for denouncement\n```\n\n- One handle per line (without `@`), sorted alphabetically.\n- Optionally specify a platform prefix: `platform:username` (e.g., `github:mitchellh`).\n- Denounce a user by prefixing with `-`.\n- Optionally add details after a space following the handle.\n\nThe `from td` and `to td` commands are exported by the module, so\nNushell's `open` command works natively with `.td` files to decode\ninto structured tables and encode back to the file format with\ncomments and whitespace preserved.\n\n\u003e [!NOTE]\n\u003e\n\u003e **What is `.td`?** This stands for \"Trustdown,\" a play on the\n\u003e word \"Markdown.\" I intend to formalize a specification for trust\n\u003e lists (with no opinion on how they're created or used) so that software\n\u003e systems like this Vouch project and others can coordinate with each\n\u003e other. I'm not ready to publish a specification until vouch itself\n\u003e stabilizes usage more.\n","funding_links":[],"categories":["Nushell","Scripts"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmitchellh%2Fvouch","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmitchellh%2Fvouch","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmitchellh%2Fvouch/lists"}