nsite-action
June 9, 2026 ยท View on GitHub
Deploy static websites to Blossom/Nostr in a GitHub Actions workflow, powered by nsyte.
Dependencies
- Bunker Signer (NIP-46) for establishing a handshake
- nsyte - For generating a signing credential with
nsyte ci.
Quick Start
-
Setup nsyte locally (one-time):
nsyte ciFollow the Nostr Connect prompts and
nsytewill display a signing credential such asnbunksec1...; pass that value to this action vianbunksec. Do not paste asec1...private key into this action. -
Add GitHub Secret:
- Add the generated credential as a repository secret, for example
NBUNK_SECRET
- Add the generated credential as a repository secret, for example
-
Add to workflow:
- name: Deploy to Nostr/Blossom uses: sandwichfarm/nsite-action@v0.5.1 with: nbunksec: ${{ secrets.NBUNK_SECRET }} directory: './dist' # Your built website directory version: 'v0.27.0' relays: | wss://relay.nsite.lol servers: | https://cdn.hzrd149.com https://cdn.sovbit.hostTo deploy a named NIP-5A site instead of the root npub site, set
name. This is passed tonsyte deployas--nameand publishes a kind35128site manifest with that identifier:- name: Deploy named nsite uses: sandwichfarm/nsite-action@v0.5.1 with: nbunksec: ${{ secrets.NBUNK_SECRET }} directory: './dist' name: 'blog' relays: | wss://relay.nsite.lol servers: | https://cdn.hzrd149.com
Inputs
| Input | Required | Default | Description |
|---|---|---|---|
version | No | latest | nsyte release tag to download (for example v0.27.0) |
nbunksec | No | - | Recommended CI credential. Must start with nbunksec1. This action rejects sec1 values for this input. |
directory | Yes | - | Directory containing website files |
relays | No | '' | Newline-separated relay URIs |
servers | No | '' | Newline-separated Blossom server URIs |
name | No | '' | Named NIP-5A site identifier passed to nsyte deploy --name. Leave empty to deploy the root npub site. |
force | No | false | Re-upload all files |
purge | No | false | Deprecated; there is no deploy-time --purge flag in nsyte |
sync | No | false | Check all servers and upload missing blobs |
verbose | No | false | Show detailed output |
concurrency | No | 4 | Number of parallel uploads |
fallback | No | '' | Fallback HTML path (e.g., "/index.html") |
publish_server_list | No | false | Publish configured servers for fresh root-site identities |
publish_relay_list | No | false | Publish configured relays for fresh root-site identities |
publish_profile | No | false | Publish profile metadata for fresh root-site identities |
use_fallback_relays | No | false | Include nsyte default relays in addition to configured relays |
use_fallback_servers | No | false | Include nsyte default servers in addition to configured servers |
publish_app_handler | No | false | Publish a NIP-89 app handler announcement |
handler_kinds | No | '' | Comma-separated event kinds for the app handler |
skip_secrets_scan | No | true | Pass --skip-secrets-scan to nsyte. Defaults to true so the deploy is not blocked by example/test values that look like credentials. Set false to let nsyte scan the deploy directory. |
scan_level | No | '' | Secrets scan sensitivity (low, medium, high) passed via --scan-level. Only applied when skip_secrets_scan is false. |
Outputs
| Output | Description |
|---|---|
status | Upload status (success or failure) |
nsyte_version_used | Version of nsyte used |
Features
- Downloads nsyte binary automatically
- Supports Linux, macOS, and Windows
- Masks sensitive secrets in logs
- Accepts the safer
nbunksecaction input and passes it through to nsyte - Deploys both root NIP-5A nsites and named NIP-5A nsites via
name
Credential Revocation
- Revocation is handled by your bunker signer of choice (NIP-46).
- If you leak your signing credential, rotate it immediately.
- Rotate credentials periodically: revoke the old credential, establish a new connection, and update your GitHub secret.
No Warranty
- This action is provided without warranty of any kind, express or implied.
- If a signing credential or private key is exposed, any resulting loss, impersonation, or irreversible publish action is your responsibility.
- Nostr events and published site data may be replicated by relays and other infrastructure; compromise and publication are not generally revocable.
Security Notes
- DO NOT paste a
sec1...private key into this action - Use
nsyte ciand store only the resultingnbunksec1...credential as a GitHub Secret - DO NOT commit signing credentials to source code
- Configure bunker with minimal permissions
- Consider pinning to a specific
version - Rotate credentials periodically
Resources
Development
See test.yml for testing. Run make test-local for local testing.