#How jobs are submitted
Unlike some other build systems, builds.sr.ht does not let you configure builds
on the website itself. Instead, you write build manifests - YAML files that
tell builds.sr.ht what to do. You can then submit these manifests via the API
and we'll assign a runner and execute your job.
For convenience, there are ways of submitting builds automatically throughout
the sr.ht ecosystem - for example by pushing to repositories on git.sr.ht.
These integrations are discussed below. For details on
submitting jobs via the API, see the API reference.
Build manifests are YAML files that contain a description of your build
environment and steps to run in that environment. A very simple example could
- say-hello: |
- say-world: |
When you submit this build, we'll fire up a virtual machine running an
up-to-date image of Alpine Linux. Then, we'll copy your scripts into the machine
and run them one at a time. More complex build jobs will probably use more
features of the build.yml - here's an example that deploys
- setup: |
- build: |
npm run build:production
- deploy: |
sshopts="ssh -o StrictHostKeyChecking=no"
rsync --rsh="$sshopts" -rP index.html $deploy:/var/www/web.synapse-bt.org/
rsync --rsh="$sshopts" -rP dist $deploy:/var/www/web.synapse-bt.org/
A full reference for build manifests is available.
View the full list of supported build images.
builds.sr.ht can keep track of secrets for you, like SSH keys or PGP keys, and
include them in builds for the purpose of deployment. You can manage your
secrets at the secrets dashboard.
#Keeping your secrets a secret
If you need to reference a secret in a command line argument or shell variable,
make sure to run
set +x first to temporarily disable detailed command logging
in the build shell. Run
set -x again once you're done handling secret
information to re-enable command logging. You also need to be careful that
secrets are not printed to stdout or stderr by the commands which use them
>/dev/null 2>&1 to the affected commands if you need to hide this
Whenever you submit a build via the API, you can pass the
secrets parameter (a
boolean) to explicitly disable secrets. In this case, they will be discarded and
the build run without including them (it's up to you to deal with this
gracefully in your shell scripts, by the way). It is important that you use this
parameter whenever submitting a build which runs code anyone you don't trust
could have tampered with. This includes not only the build manifests themselves,
but any code run as a side-effect, like your Makefile.
This is done for you automatically whenever you submit builds using sr.ht
features. When building patches from your mailing list, sr.ht will automatically
disable secrets. The same is true of pull requests from GitHub submitted via
In any case, if your secret is leaked, you must consider it permanently
compromised, revoke it from any services it provides authentication for, and
generate new secrets from scratch. All build logs are public, and to encourage
users to roll over secrets which are compromised, our policy is to refuse to
redact secrets leaked in this manner. If you require some time to fully address
the consequences of a secret leak, we may redact them for up to one week —
email support if you require this.
Each task's script is given a preamble that looks like this:
The actual shell varies depending on your build image.
the environment variables you specified in your manifest, but feel free to
modify it to communicate state between build steps.
The following environment variables are defined for all builds:
- JOB_ID: The ID assigned to this build job
- JOB_URL: The URL at which the build logs and information can be viewed
with a web browser
The following environment variables are commonly added by
- BUILD_SUBMITTER: The name of the integration which submitted the job
- BUILD_REASON: The reason the integration submitted the build
#Build status badges
If you add tags to your build, or enter search terms, you can use these to
create a build status badge like this (the example being the latest status of
The image URL and a markdown snippet are shown in the sidebar of the search
results page or
tag detail page.
Do you have something that integrates with builds.sr.ht? Submit a patch for this
dispatch.sr.ht offers a variety of integrations with
builds.sr.ht, including support for connecting builds.sr.ht to external services
like GitHub. This should be your first stop when looking for an integration.
github-commit (commit from GitHub),
(commit from Gitlab),
github-pr (pull request from GitHub) or
gitlab-mr (merge request from Gitlab)
git.sr.ht will automatically submit builds for you if you store a manifest in
the repository as
.build.yml. Each time you push, a build with this manifest
will be submitted. If the repo you pushed to is present in the manifest's
sources array, we'll edit it to point to the ref you just pushed. You can also
submit up to 4 builds on each push by providing
.builds/*.yml (if more are
submitted, 4 manifests will be randomly chosen).
hg.sr.ht will also automatically submit builds for you. The naming conventions
and other details are the same as the process used by git.sr.ht - described
hub.sr.ht will automatically submit builds when a patch to a repo with
.build.yml is sent to a mailing list.
PATCHSET_ID: ID of the patchset (e.g.
PATCHSET_URL: link to the patchset (e.g.