Keys never leave your machine

Docs // Scroll Gate · Forgejo

Gate unsigned agent merges in Forgejo and Gitea Actions.

Forgejo and Gitea ship GitHub Actions–compatible runners. Add ssx360 check to pull requests — hosted verify maps to SLSA L1–2 commit provenance.

Scroll Gate · Forgejo / Gitea

Ed25519

commit envelopes

offline-verifiable proof

local-only

CLI & HOOKS

repo never uploaded

Scroll Gate

PR enforcement

signed vs unsigned

SSX360

control plane

identity · billing · audit

Scroll Gate v2Forgejo / GiteaSDK 0.5.1

Last verified against matrixscroll 0.5.1. Enable Actions in your Forgejo or Gitea instance, then add the workflow below. Community tier includes 100 hosted verifications per day.

Copy-paste

Forgejo / Gitea Actions workflow

Runs on every pull request targeting a protected branch. Syntax matches GitHub Actions — place under .forgejo/workflows/ or .gitea/workflows/.

yaml · scroll-gate.yml
name: Scroll Gate

on:
  pull_request:
    branches: [main]

jobs:
  provenance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Install Matrix Scroll
        run: pip install "matrixscroll==0.5.1"

      - name: Scroll Gate verify
        env:
          SSX360_API_KEY: ${{ secrets.SSX360_API_KEY }}
        run: ssx360 check --hosted --base origin/main --head HEAD

One secret

Repository secret

Store your SSX360 API key as SSX360_API_KEY — never commit keys to the repo.

bash · forgejo secret
# Repository → Settings → Secrets → Actions
SSX360_API_KEY=sk_live_...   # Community or Team key from ssx360.com/settings

Full spec: SCROLL_GATE_V2.md · GitHub Actions · SLSA mapping