v1.2.0
siGit as an OAuth provider, with push webhooks
siGit now sits on the other side of the OAuth handshake. Until today, siGit could import from GitHub; with this release, other applications can connect to siGit the way deployment platforms connect to GitHub. The first consumer is smbCloud Deploy: connect your siGit account there once, pick a repository, and every push deploys it.
Authorize applications with your siGit account
Applications can request access to your account through a standard OAuth 2.0 authorization flow (authorization code with PKCE). You approve a consent screen that lists exactly what the application gets, scope by scope:
user:read— your profile informationrepo:read— list and read your repositories, including private oneshooks:write— manage webhooks on your repositories
Tokens never expire on their own; access lasts until you take it back. A new Authorized applications section in Settings shows every connected application with its scopes and last-used time, and one click revokes all of its access. Application secrets and tokens are stored hashed, so they can't be recovered from the database even in a breach.
Push webhooks
Repositories can now carry webhooks. When a push is accepted (or a mirrored repository syncs new commits from upstream), siGit sends each registered webhook a JSON payload naming the ref, the before and after commits, and who pushed. Deliveries are signed with a per-hook HMAC secret so the receiver can verify they really came from siGit, and failed deliveries retry with backoff.
Webhooks are managed through the API with the hooks:write scope. Revoking
an application in Settings also deactivates the webhooks it registered.
A cleaner profile API
GET /api/v1/user is the new standard profile endpoint for API clients.
The older /api/v1/me remains for existing desktop versions but is
deprecated and now says so in its response headers.