GitHub follow commits as RSS

There might be times when you want to closely follow updates to a public GitHub repository. I had this use case in June 2024 when following the Swiss NCSC for cyber threat information regarding DDoS attacks.

I solved this problem by setting up an API key and regularly querying the main branch commits. However, this process is unnecessarily complex. A much easier way is to follow a repository as an RSS feed.

The hard way, API

This is the PHP code I have used to query the commits and notify me on pushover.net if a change was detected:

<?php
# 2024-06-13 web-performance.ch 

$githubRepo = 'govcert-ch/CTI';
$branch = 'main';
$githubToken = '';
$pushoverUserKey = '';
$pushoverApiToken = '';
$localCacheFile = 'latest_commit.txt';

// Function to send a Pushover notification
function sendPushover($userKey, $apiToken, $message) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "https://api.pushover.net/1/messages.json");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, array(
        'token' => $apiToken,
        'user' => $userKey,
        'message' => $message
    ));
    curl_exec($ch);
    curl_close($ch);
}

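// Function to get the latest commit SHA from GitHub (returns null on failure)
function getLatestCommitSHA($repo, $branch, $token) {
    $url = "https://api.github.com/repos/$repo/commits/$branch";
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        "Authorization: token $token",
        "User-Agent: PHP"
    ));
    $response = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    // Transport error or non-200 answer (bad token, rate limit): report failure
    if ($response === false || $status !== 200) {
        return null;
    }
    $data = json_decode($response, true);
    // Unexpected JSON without a 'sha' field is also treated as a failure
    return isset($data['sha']) ? $data['sha'] : null;
}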

// Function to get the cached latest commit SHA
function getCachedLatestCommitSHA($filename) {
    if (file_exists($filename)) {
        return file_get_contents($filename);
    }
    return '';
}

// Function to cache the latest commit SHA
function cacheLatestCommitSHA($filename, $sha) {
    file_put_contents($filename, $sha);
}

// Get the latest commit SHA from GitHub
$latestCommitSHA = getLatestCommitSHA($githubRepo, $branch, $githubToken);

// Get the cached latest commit SHA (trimmed in case the file ends with a newline)
$cachedCommitSHA = trim(getCachedLatestCommitSHA($localCacheFile));

if (empty($latestCommitSHA)) {
    // The API call failed: leave the cache untouched and do not notify
    echo "Could not read the latest commit from GitHub.<br>";
} elseif ($latestCommitSHA !== $cachedCommitSHA) {
    // The latest commit SHA has changed: cache the new value
    cacheLatestCommitSHA($localCacheFile, $latestCommitSHA);

    // Prepare the message for Pushover
    $message = "New commit detected in $githubRepo on branch $branch. Commit SHA: $latestCommitSHA";

    // Send the message via Pushover
    sendPushover($pushoverUserKey, $pushoverApiToken, $message);

    echo "New commit detected and notification sent.<br>";
} else {
    echo "No new commits detected.<br>";
}

However, this requires you to create and safeguard a token for GitHub. It is much easier to use RSS feeds, as no authentication is needed for public repositories and they are also easy to parse.

If you intend to use this, remember that you need to trigger the script regularly with a cron job for it to be useful. This is just a glimpse of what it might take out there in the real world to stay ahead of your attackers.

The easy way, RSS

At the time, I was not aware that you can query GitHub for commits very easily using RSS.

GitHub RSS feeds

I was looking for a way to keep updated with the latest releases for apps I use from GitHub users. I know GitHub has an internal notification system but you can also get RSS items when a new full release is out.

RSS for commits

In my case “govcert-ch” is the organisation and “CTI” is the repository.

https://github.com/govcert-ch/CTI/commits.atom

This returns a typical XML-based RSS feed (GitHub serves it in the Atom format).

https://github.com/govcert-ch/CTI/commits.atom (2024-06-21 19:57)
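The commit feed can take over the job of the token-based polling script. The following Python code is an added example, not the author's code: it parses a commits feed and returns the entries that are newer than the last one you have seen. The function names and the embedded sample feed are constructed for illustration, and it assumes the feed lists the newest commit first.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed sample in Atom layout; ids, titles and dates are made up.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Recent Commits (constructed sample)</title>
  <entry><id>tag:example.invalid,2024:commit/cccc</id>
    <title>Add new indicators</title><updated>2024-06-21T17:40:00Z</updated>
    <link rel="alternate" href="https://example.invalid/commit/cccc"/></entry>
  <entry><id>tag:example.invalid,2024:commit/bbbb</id>
    <title>Update list</title><updated>2024-06-20T09:12:00Z</updated>
    <link rel="alternate" href="https://example.invalid/commit/bbbb"/></entry>
  <entry><id>tag:example.invalid,2024:commit/aaaa</id>
    <title>Initial import</title><updated>2024-06-13T08:00:00Z</updated>
    <link rel="alternate" href="https://example.invalid/commit/aaaa"/></entry>
</feed>"""

def parse_commits(feed_xml):
    """Return the feed entries in feed order as dicts (id, title, updated, link)."""
    # An Atom feed needs no DTD; refusing one avoids entity-expansion input.
    if "<!DOCTYPE" in feed_xml or "<!ENTITY" in feed_xml:
        raise ValueError("feed contains a DTD, refusing to parse")
    root = ET.fromstring(feed_xml.encode("utf-8"))
    commits = []
    for entry in root.iter(ATOM + "entry"):
        link = entry.find(ATOM + "link")
        commits.append({
            "id": entry.findtext(ATOM + "id", "").strip(),
            "title": entry.findtext(ATOM + "title", "").strip(),
            "updated": entry.findtext(ATOM + "updated", "").strip(),
            "link": link.get("href", "") if link is not None else "",
        })
    return commits

def new_since(commits, last_seen_id):
    """Entries that appear before last_seen_id in a newest-first feed.

    If the id is not in the feed (first run, rewritten history, or more
    commits than the feed holds), every entry is returned so that nothing
    is silently skipped."""
    fresh = []
    for commit in commits:
        if commit["id"] == last_seen_id:
            break
        fresh.append(commit)
    return fresh
```

In a cron job, fetch the feed URL, pass the body to `parse_commits`, notify for each result of `new_since`, and store the first entry's `id` as the new cache value.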

RSS for releases

The same is possible for releases on GitHub. However, for my example repository here, this is not really relevant.

https://github.com/govcert-ch/CTI/releases.atom

Here you can see the example queried from NCSC CTI.

https://github.com/govcert-ch/CTI/releases.atom (2024-06-21 19:59)
