{"id":31940447,"url":"https://github.com/religiosa1/git-webhook-receiver","last_synced_at":"2026-04-19T14:34:43.013Z","repository":{"id":257791368,"uuid":"775983449","full_name":"religiosa1/git-webhook-receiver","owner":"religiosa1","description":"git webhook receiver","archived":false,"fork":false,"pushed_at":"2026-04-13T21:17:19.000Z","size":256,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2026-04-13T21:29:39.607Z","etag":null,"topics":["git","gitea","github","pipeline","webhook"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/religiosa1.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-03-22T12:51:19.000Z","updated_at":"2026-04-13T21:17:23.000Z","dependencies_parsed_at":null,"dependency_job_id":"7faf2cb0-2de3-4233-b7f2-26e8c4512471","html_url":"https://github.com/religiosa1/git-webhook-receiver","commit_stats":null,"previous_names":["religiosa1/git-webhook-receiver"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/religiosa1/git-webhook-receiver","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/religiosa1%2Fgit-webhook-receiver","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/religiosa1%2Fgit-webhook-receiver/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/religiosa1%2Fgit-webhook-receiver/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/religiosa1%2Fgit-webhook-receiver/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/religiosa1","download_url":"https://codeload.github.com/religiosa1/git-webhook-receiver/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/religiosa1%2Fgit-webhook-receiver/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32009984,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-18T20:23:30.271Z","status":"online","status_checked_at":"2026-04-19T02:00:07.110Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["git","gitea","github","pipeline","webhook"],"created_at":"2025-10-14T08:53:22.332Z","updated_at":"2026-04-19T14:34:42.999Z","avatar_url":"https://github.com/religiosa1.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# git webhook receiver\n\nA small service that listens for incoming webhook HTTP POST requests from a Git\nprovider (Gitea, GitHub, GitLab) for one or more projects and runs a given\nscript in response to matching webhook events.\n\nIts intended use is to run CI/CD scripts on a server, but it can be used to\nexecute arbitrary actions on Git events.\n\nIn a nutshell:\n\n- [Deploy](#installation) it to your server.\n- (Optional but recommended) Install an SSL certificate or wrap it with a\n [reverse proxy](./docs/ssl-or-nginx-setup.md#nginx-configuration), such as\n Nginx or Caddy, to enable encryption.\n- Create a [config file](#config-file) and add your projects along with their\n corresponding build scripts/actions, either as standalone scripts or\n [cross-platform inline scripts](#inline-scripts-and-standalone-scripts)\n- Optional: add the app to your server startup scripts (systemd scripts\n setup is described [in this document](./docs/systemd-init-script.md))\n- set webhooks for those repo in their git services (Github, Gitea, Gitlab,\n etc.) to post to {YOUR_HOST}/projects/{PROJECT_NAME}. Information on how to\n setup github webhooks for your project can be found\n in [this document](./docs/github-webhooks-setup.md).\n- Start the service. It will listen for the webhook posts and execute the\n actions described in the config (e.g., building your projects or performing\n other tasks) when the webhooks are triggered by Git.\n\nWIP, but operational. Some planned MVP functionality is still missing and there\nwill be breaking changes before version 1.0 release.\n\n## Config file\n\nThe app requires a config file to start. By default, the config file is read\nfrom `./config.yml`. You can override this behavior by setting `CONFIG_PATH` env\nvariable or by using `--config` flag when launching the app (the flag takes\nprecedence).\n\nA typical config file may look like this:\n\n```yaml\n# provide it through env API_PASSWORD, if you don't want it readable in config\napi_password: \"password for inspection api basic auth\"\nprojects:\n my_awesome_project:\n repo: \"username/reponame\"\n # generate it with `openssl rand -base64 42`\n # to supply through env: PROJECTS__my_awesome_project__SECRET=foo\n secret: \"YourSecretGoesHere\"\n actions:\n - on: push\n branch: main\n user: www-data # requires elevated permissions, consider if you need it\n cwd: \"/var/www/default\"\n script: |\n git fetch \u0026\u0026 git reset --hard origin/main\n npm ci\n npm run build\n my_other_project:\n repo: \"username/reponame2\"\n secret: \"YourSecretGoesHere\"\n # to supply through env: PROJECTS__my_other_project__AUTH=foo\n auth: \"Your Authorization header key if you want\"\n provider: gitea\n actions:\n - cwd: \"/var/www/backend\" # Anything besides `script` or `run` is optional\n run: [\"sh\", \"./build.sh\"]\n```\n\nPlease refer to the [config file example](./config.example.yml) in this repo, to\nsee a list of all available configuration options.\n\nFor security reason, it's recommended to always provide a `secret` or at least\n`authorization` param (in case of Gitea or Gitlab providers) for every action.\nThe `secret` also protects against MiM attacks, ensuring that the payload\nhasn't been tampered with.\n\nGitlab currently\n[doesn't sign](https://gitlab.com/gitlab-org/gitlab/-/issues/19367) its\nrequests, so only `authorization` is available for gitlab receivers,\nwhile Github only supports request signature and not authorization\nheaders, so only `secret` for Github receivers. Gitea supports both\nauthorization and signature verification.\n\nMost of the config values can be provided via ENV variables. Please consider\nif it makes sense for your application to provide secrets in this manner.\n\n### Supported git providers\n\n| Provider | Can Authorize requests | Can Sign payload | Has Ping |\n| -------- | ---------------------- | ---------------- | -------- |\n| github | false | true | true |\n| gitea | true | true[^1] | false |\n| gitlab | true | false | false |\n\nAuthorize means capability to provide Authorization header, which is then\nverified by the service.\n\nSign payload is basically the same thing, but the whole payload is signed as a\nmeasure to secure against payload MiM tampering.\n\nGitlab doesn't support payload signature, as per this [issue](https://gitlab.com/gitlab-org/gitlab/-/issues/19367)\n\n[^1]:\n Can be insecure on plain http connections on gitea 1.14 or older because\n of [this issue](https://github.com/go-gitea/gitea/issues/11755)\n\n## Installation\n\n### Build from source\n\nTo build the app, you need [go](https://go.dev/) version 1.26.2 or higher.\nSince the app stores action outputs and logs in an SQLite3 database via\n[go-sqlite3](https://github.com/mattn/go-sqlite3) you also need a `gcc`\ncompiler installed on your system and have `CGO_ENABLED=1` env variable set.\n\n```sh\ngo install github.com/religiosa1/git-webhook-receiver@latest\n```\n\nOr you can clone the repo, and run the following command in its root dir:\n\n```sh\ngo build\n```\n\nPlease refer to the [docs/systemd-init-script.md](./docs/systemd-init-script.md)\nfor an example of a system.d script, that can be used to launch the\nservice at startup.\n\n## SSL\n\nIt’s recommended to use SSL so that your requests are encrypted.\nIf you have an HTTP server such as Nginx or Caddy, you can use it to provide\na reverse proxy with SSL support.\n\nInformation on how to configure nginx + [certbot](https://certbot.eff.org/)\ncan be found [here](./docs/ssl-or-nginx-setup.md).\n\nIf you don’t have an HTTP server available, you can use the internal SSL\nfunctionality by providing the certificate and key files in the corresponding\nconfig fields.\n\n## Inline scripts and standalone scripts\n\nInline scripts are processed using the [mdvan/sh](https://github.com/mvdan/sh)\ninterpreter to ensure they are cross-platform (in other words, they work on\nWindows). These scripts are intended to be simple one- or multi-line bash-like\ncommands, such as \"clone and run the build task.\"\n\nExample:\n\n```yaml\nscript: |\n git fetch \u0026\u0026 git reset --hard origin/master\n npm ci\n npm run build\n```\n\nIf you need something more complicated, it's probably better to use `run` field\ninstead of `script` in the action config, passing a standalone script to it\n(bash, Python, or any other language supported by your system). The `run` field\naccepts its parameters in exec form, as an array of argv strings, in the\nsame way as docker's `CMD`\n[does](https://docs.docker.com/reference/dockerfile/#exec-form):\n\nExample:\n\n```yaml\nrun: [\"python\", \"./path/to/your/script\", \"--some-arg\"]\n```\n\nIn any case, you can optionally supply the `cwd` param, to specify the root dir\nfor execution and on unix-like systems `user` param,to specify the user who will\nrun the script.\n\nPlease notice, that `user` param is not supported on windows and your script\nwill always run from the same user, that launches the service.\n\n## Inspection HTTP API\n\nBy default, the app exposes inspection HTTP endpoints, unless\n`disable_api: true` is set in the config. These endpoints allows you to get the\nstatus/output of a pipeline, list pipelines, or view the app logs.\n\n```\nGET /pipelines/{:pipeId} # To see the pipeline status\nGET /pipelines/{:pipeId}/output # To see the pipe output\nGET /pipelines # To list last pipelines\nGET /logs # To see the logs result\n```\n\nYou can find the full documentation for endpoints and params they accept\n[here](./docs/inspection-api.md)\n\nYou can also enable BasicAuth for the APi either in the config:\n\n```\napi_password: \"mysecret\"\n```\n\nor with a env variable API_PASSWORD=mysecret\n\n**Security Warning**: Do not use BasicAuth unless SSL is enabled (either in the\napp or via a reverse proxy), as your credentials can sniffed.\n\n## CLI\n\nIn addition to the default serve mode, the app provides a couple of CLI\nsubcommands to retrieve logs, inspect pipeline results, and retrieve their\noutput. It duplicates the HTTP-API functionality for the local access or cases\nwhen HTTP-API is disabled.\n\nRun `git-webhook-receiver --help` to see the list of available subcommands\nor run `git-webhook-receiver \u003cSUBCOMMAND\u003e --help` to subcommand help.\n\nSome examples:\n\nYou can use `pipeline` subcommand to check the last or given pipeline:\n\n```sh\ngit-webhook-receiver pipeline # shows the last pipeline\n# OR\ngit-webhook-receiver pipeline \u003cPIPE_ID\u003e\n```\n\nRun `get-webhook-receiver ls` to see a list of the last N pipelines.\nRun `get-webhook-receiver logs` to inspect app logs.\n\n## Logging\n\nBy default, action outputs and logs are stored persistently in two SQLite\ndatabases: one for app logs and one for actions and their output.\nBy default, actions db filename is `actions.sqlite3`, logs db filename is\n`logs.sqlite3`. This filenames are controlled by the `actions_db_file` and\n`logs_db_file` fields in the config correspondingly.\n\nSetting those config values to an empty string will disable the persistent on\nstorage of this information and in turn will also disable the corresponding\nHTTP-API and/or CLI subcommands.\n\nActions' output is stored in the db once the action is completed.\nWhile the action is still in progress, data is stored in a temporary file.\n\nBoth databases use [Write-Ahead Logging](https://www.sqlite.org/wal.html).\nThis means, in addition to the file specified in the config, the app will also\ncreate two additional temporary files during operation `\u003cYOUR_FILE\u003e-wal` and\n`\u003cYOUR_FILE\u003e-shm`, to ensure data integrity during write operations.\n\nOnly N latest actions are stored in the directory, with N specified in the\nconfig as `max_actions_stored` field. When number of output files exceeds this\nnumber, the oldest actions (by their file LastModified date) are removed.\n`max_actions_stored` defaults to 1000, setting it to a negative value turns\noff this functionality.\n\n## Contribution\n\nIf you have any ideas or suggestions or want to report a bug, feel free to\nwrite in the issues section or create a PR.\n\n### Testing the project locally without any git integration\n\nIf you want to quickly play around with the project, without actually doing\nany kind of git integration, please refer to [this doc](./docs/local-run.md).\n\n## License\n\ngit-webhook-receiver is MIT licensed.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Freligiosa1%2Fgit-webhook-receiver","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Freligiosa1%2Fgit-webhook-receiver","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Freligiosa1%2Fgit-webhook-receiver/lists"}