v1.2.0

siGit as an OAuth provider, with push webhooks

siGit now sits on the other side of the OAuth handshake. Until today, siGit could import from GitHub; with this release, other applications can connect to siGit the way deployment platforms connect to GitHub. The first consumer is smbCloud Deploy: connect your siGit account there once, pick a repository, and every push deploys it.

Authorize applications with your siGit account

Applications can request access to your account through a standard OAuth 2.0 authorization flow (authorization code with PKCE). You approve a consent screen that lists exactly what the application gets, scope by scope:

  • user:read — your profile information
  • repo:read — list and read your repositories, including private ones
  • hooks:write — manage webhooks on your repositories

Tokens never expire on their own; access lasts until you take it back. A new Authorized applications section in Settings shows every connected application with its scopes and last-used time, and one click revokes all of its access. Application secrets and tokens are stored hashed, so they can't be recovered from the database even in a breach.

Push webhooks

Repositories can now carry webhooks. When a push is accepted (or a mirrored repository syncs new commits from upstream), siGit sends each registered webhook a JSON payload naming the ref, the before and after commits, and who pushed. Deliveries are signed with a per-hook HMAC secret so the receiver can verify they really came from siGit, and failed deliveries retry with backoff.

Webhooks are managed through the API with the hooks:write scope. Revoking an application in Settings also deactivates the webhooks it registered.

A cleaner profile API

GET /api/v1/user is the new standard profile endpoint for API clients. The older /api/v1/me remains for existing desktop versions but is deprecated and now says so in its response headers.