nsite-action

June 9, 2026 ยท View on GitHub

Deploy static websites to Blossom/Nostr in a GitHub Actions workflow, powered by nsyte.

Dependencies

  • Bunker Signer (NIP-46) for establishing a handshake
  • nsyte - For generating a signing credential with nsyte ci.

Quick Start

  1. Setup nsyte locally (one-time):

    nsyte ci
    

    Follow the Nostr Connect prompts and nsyte will display a signing credential such as nbunksec1...; pass that value to this action via nbunksec. Do not paste a sec1... private key into this action.

  2. Add GitHub Secret:

    • Add the generated credential as a repository secret, for example NBUNK_SECRET
  3. Add to workflow:

    - name: Deploy to Nostr/Blossom
      uses: sandwichfarm/nsite-action@v0.5.1
      with:
        nbunksec: ${{ secrets.NBUNK_SECRET }}
        directory: './dist'  # Your built website directory
        version: 'v0.27.0'
        relays: |
          wss://relay.nsite.lol
        servers: |
          https://cdn.hzrd149.com
          https://cdn.sovbit.host
    

    To deploy a named NIP-5A site instead of the root npub site, set name. This is passed to nsyte deploy as --name and publishes a kind 35128 site manifest with that identifier:

    - name: Deploy named nsite
      uses: sandwichfarm/nsite-action@v0.5.1
      with:
        nbunksec: ${{ secrets.NBUNK_SECRET }}
        directory: './dist'
        name: 'blog'
        relays: |
          wss://relay.nsite.lol
        servers: |
          https://cdn.hzrd149.com
    

Inputs

InputRequiredDefaultDescription
versionNolatestnsyte release tag to download (for example v0.27.0)
nbunksecNo-Recommended CI credential. Must start with nbunksec1. This action rejects sec1 values for this input.
directoryYes-Directory containing website files
relaysNo''Newline-separated relay URIs
serversNo''Newline-separated Blossom server URIs
nameNo''Named NIP-5A site identifier passed to nsyte deploy --name. Leave empty to deploy the root npub site.
forceNofalseRe-upload all files
purgeNofalseDeprecated; there is no deploy-time --purge flag in nsyte
syncNofalseCheck all servers and upload missing blobs
verboseNofalseShow detailed output
concurrencyNo4Number of parallel uploads
fallbackNo''Fallback HTML path (e.g., "/index.html")
publish_server_listNofalsePublish configured servers for fresh root-site identities
publish_relay_listNofalsePublish configured relays for fresh root-site identities
publish_profileNofalsePublish profile metadata for fresh root-site identities
use_fallback_relaysNofalseInclude nsyte default relays in addition to configured relays
use_fallback_serversNofalseInclude nsyte default servers in addition to configured servers
publish_app_handlerNofalsePublish a NIP-89 app handler announcement
handler_kindsNo''Comma-separated event kinds for the app handler
skip_secrets_scanNotruePass --skip-secrets-scan to nsyte. Defaults to true so the deploy is not blocked by example/test values that look like credentials. Set false to let nsyte scan the deploy directory.
scan_levelNo''Secrets scan sensitivity (low, medium, high) passed via --scan-level. Only applied when skip_secrets_scan is false.

Outputs

OutputDescription
statusUpload status (success or failure)
nsyte_version_usedVersion of nsyte used

Features

  • Downloads nsyte binary automatically
  • Supports Linux, macOS, and Windows
  • Masks sensitive secrets in logs
  • Accepts the safer nbunksec action input and passes it through to nsyte
  • Deploys both root NIP-5A nsites and named NIP-5A nsites via name

Credential Revocation

  • Revocation is handled by your bunker signer of choice (NIP-46).
  • If you leak your signing credential, rotate it immediately.
  • Rotate credentials periodically: revoke the old credential, establish a new connection, and update your GitHub secret.

No Warranty

  • This action is provided without warranty of any kind, express or implied.
  • If a signing credential or private key is exposed, any resulting loss, impersonation, or irreversible publish action is your responsibility.
  • Nostr events and published site data may be replicated by relays and other infrastructure; compromise and publication are not generally revocable.

Security Notes

  • DO NOT paste a sec1... private key into this action
  • Use nsyte ci and store only the resulting nbunksec1... credential as a GitHub Secret
  • DO NOT commit signing credentials to source code
  • Configure bunker with minimal permissions
  • Consider pinning to a specific version
  • Rotate credentials periodically

Resources

Development

See test.yml for testing. Run make test-local for local testing.

License

MIT License