Catalyst · Complete User Guide
The Catalyst User Guide
Everything you need to write, review, ship, secure and operate code on Catalyst — your self-hosted, GitHub-comparable platform. Written for complete newcomers and seasoned engineers alike.
<host> means this instance's address and <owner>/<repo> means a repository such as acme/payments-api.How to use this guide
Sections are tagged by the experience they assume. Follow the path that fits you:
- New to Git entirely? Read Git in five minutes, then Your first repository and Browsing & editing — you can do a lot without ever touching a terminal.
- Comfortable with GitHub/GitLab? Skim Getting the code for the Catalyst-specific URLs, then jump to Pull requests, Pipelines and the Cheat sheet.
- Running the instance? Head to Administration and REST API.
<placeholders>.Git in five minutes Beginner
If you've never used version control, here's the whole mental model. Git tracks the history of a folder of files. Catalyst is where that history lives so a team can share it.
| Term | What it means |
|---|---|
| Repository (repo) | A project — a folder plus its complete history of changes. |
| Commit | A saved snapshot of your changes with a message describing them. |
| Branch | A parallel line of work. main is the default; you make a branch to work without disturbing it. |
| Clone | Download a repository (with history) to your computer. |
| Push / Pull | Send your commits to Catalyst / fetch others' commits from it. |
| Pull request (PR) | A proposal to merge one branch into another, so teammates can review first. |
A typical day looks like this:
# 1. get the project onto your machine (once)
git clone http://<host>/acme/payments-api.git
cd payments-api
# 2. start a branch for your change
git checkout -b fix-login
# 3. edit files, then save a snapshot
git add .
git commit -m "Fix the login redirect"
# 4. send it to Catalyst
git push origin fix-loginThen you open a pull request in the web UI to get it reviewed and merged. That's the core loop. Everything else in this guide builds on it.
Signing in & two-factor Beginner
- Open this instance and click Sign in. Enter the username and password your administrator gave you.
- If single sign-on is enabled, click Sign in with SSO instead and authenticate with your company account.
- Turn on two-factor (recommended). Go to your avatar → Account → Two-factor authentication → Set up 2FA. Scan the secret into an authenticator app (Google Authenticator, 1Password, Aegis…), enter the 6-digit code, and click Enable 2FA.
Your first repository Beginner
- Click + New in the top bar.
- Give it an owner (your username or a team namespace), a name (e.g.
payments-api), and a description. - Choose Public (anyone on the instance can read) or Private (only you and collaborators).
- Leave Add a README ticked so the repository is browsable immediately, then Create repository.
If you create an empty repository instead, Catalyst shows the exact commands to push an existing project:
echo "# payments-api" >> README.md
git init
git add README.md
git commit -m "Initial commit"
git branch -M main
git remote add origin http://<host>/acme/payments-api.git
git push -u origin mainGetting the code: clone & wget URLs Beginner
Every repository page has a Get the code panel with two ready-to-copy commands. This is a signature Catalyst feature: the host adapts to how you reached the instance. Reach it on the internal network and you get the internal address; reach it from outside and you get the external one. A toggle switches between them.
# Clone with Git (full history, to work on it)
git clone http://<host>/acme/payments-api.git
# Download a snapshot with wget (just the files, no history)
wget http://<host>/acme/payments-api/archive/main.tar.gzThe archive endpoint accepts any branch or tag, and both formats:
| You want… | URL |
|---|---|
Latest main as tar.gz | /acme/payments-api/archive/main.tar.gz |
| A tag as zip | /acme/payments-api/archive/v1.2.0.zip |
| A feature branch | /acme/payments-api/archive/fix-login.tar.gz |
wget command fetch the same archive — handy for CI systems or air-gapped machines that only have wget/curl.Browsing & editing in the browser Beginner
Click View code (or the file tree) to browse. Click a folder to go in, a file to read it — text files are syntax-highlighted. Use the branch links in the file panel header to switch branches, and the Commits tab for history.
To make a quick change without cloning:
- Open a file and click Edit.
- Change the content, write a commit message, and click Commit to main.
- To add a new file, use New file on the repository page.
Uploading files & folders (drag & drop). Click ↑ Upload files on the repository page, then drag files or whole folders onto the drop zone — any type, including images and binaries. Dropped folders keep their structure. You can also use Choose files or Choose folder. Optionally set a destination folder, add a commit message, and Commit. No terminal or Git required.
Branches & commits Intermediate
git checkout -b feature/webhooks # create + switch to a branch
git add path/to/file # stage specific changes
git commit -m "Add webhook retries"
git push -u origin feature/webhooks # publish the branch
git fetch # see what's new on the server
git pull # fetch + merge into your branch
git log --oneline -10 # recent historyWrite commit messages in the imperative ("Add…", "Fix…") and keep each commit focused — it makes review and history far easier to follow.
Issues Beginner
Issues track bugs, tasks and ideas. Open the Issues tab on a repository and click New issue.
- Give it a clear title and a description of what's wrong or wanted.
- Mention a teammate with
@username— they get a notification. - Comment to discuss; click Close issue when it's resolved (or Reopen later).
Pull requests & code review Intermediate
A pull request (PR) proposes merging a source branch into a target branch (usually main), with review first.
- Push your branch, open the Pull requests tab, click New pull request.
- Pick the base (target) and your source branch, then Compare to preview the commits and diff.
- Add a title and description, then Create pull request.
Reviewing
- Read the coloured diff. To comment on a precise place, use Comment on a specific line (give the file path and line number).
- Submit a review: Approve, Request changes, or Comment. A "request changes" review blocks the merge until resolved.
- Owners can Request review from specific people.
When requirements are met, click Merge pull request. Catalyst creates a merge commit and marks the PR merged. If the automatic merge conflicts, the details are posted as a comment so you can rebase and try again.
Protected branches & merge gating Advanced
Protect important branches so changes can't merge until they're reviewed and green. In the repository's Settings → Branch protection, add a rule:
| Setting | Effect |
|---|---|
| Required approvals | The PR needs this many approving reviews before it can merge. |
| Require passing pipeline | The latest pipeline on the source branch must be success. |
On a protected PR the merge button stays disabled and shows exactly what's missing. A CODEOWNERS file auto-requests review from the owners of the changed paths:
# CODEOWNERS (in repo root, .catalyst/ or docs/)
*.py @backend-lead
/frontend/ @alice @bob
/docs/ @tech-writerPipelines (CI/CD) Intermediate Advanced
Add a .catalyst-ci.yml file to your repository root. It runs automatically on every push to the default branch, and you can run it manually on any branch from the Pipelines tab.
name: build-and-test
steps:
- name: install
run: pip install -r requirements.txt
- name: test
run: pytest -qEach step's run is a shell command executed in a fresh checkout of the ref. Steps run in order; the run fails on the first non-zero exit. Open a run to read the combined logs.
Secrets, artifacts & schedules Advanced
Secrets are added in Settings → CI secrets and injected as environment variables — they never appear in logs. Artifacts are files to keep after a successful run. A schedule runs the pipeline periodically.
name: nightly
schedule: "@daily" # or "@hourly", or { every_minutes: 30 }
artifacts:
- dist/* # collected & downloadable from the run page
steps:
- name: build
run: make build # $DEPLOY_TOKEN etc. available as env vars
- name: package
run: tar czf dist/app.tgz build/| Key | Meaning |
|---|---|
name | Display name of the pipeline. |
steps[].name / .run | A step's label and shell command. |
artifacts | Glob(s) of files to save on success. |
schedule | "@hourly", "@daily", or { every_minutes: N }. |
CI=true, CATALYST_CI=true, CATALYST_REF (the branch/tag), CATALYST_ENVIRONMENT (on deploys), plus every repository secret.Deployments & environments Advanced
Define environments in Settings → Environments (e.g. staging, production), optionally requiring approval. Then from Pipelines → Deployments, request a deploy of a ref to an environment. If approval is required, an admin approves it, which triggers the pipeline with CATALYST_ENVIRONMENT set so your steps know where they're deploying.
Publishing a version Intermediate
Click the prominent ⌦ Publish version button (on the Code page or the Packages tab) to cut a version. Give it a tag (e.g. v1.2.0), a project overview, the features & changes in this version, and optionally attach a binary. Publishing creates the git tag and opens the version page — a clean overview of the release with the exact commands to pull it:
git clone --branch v1.2.0 http://<host>/acme/payments-api.git
# or, in an existing clone:
git fetch --tags && git checkout v1.2.0
# or grab the source snapshot:
wget http://<host>/acme/payments-api/archive/v1.2.0.tar.gzThe Packages tab lists every version; each links to its version page and downloads. To remove a version, open its version page and click Delete this version — this deletes the release and its git tag (it will no longer be pullable).
Package registries Advanced
Catalyst hosts language package registries so build tools install straight from your instance. Uploads authenticate with a personal access token as the password.
Python (PyPI)
pip install --index-url http://<host>/registry/pypi/simple/ mypackage
twine upload --repository-url http://<host>/registry/pypi/ dist/* -u __token__ -p cat_XXXXNode (npm)
npm install --registry http://<host>/registry/npm/ mypackage
npm publish --registry http://<host>/registry/npm/Java (Maven)
<repository>
<id>catalyst</id>
<url>http://<host>/registry/maven/</url>
</repository>Anything else (generic)
curl -u user:cat_XXXX --upload-file app.bin \
http://<host>/registry/generic/acme/app/1.0.0/app.bin
curl -O http://<host>/registry/generic/acme/app/1.0.0/app.binSecurity: secret & dependency scanning Intermediate
On every push Catalyst scans your code and dependencies and raises alerts on the repository's Security tab.
Secret scanning
Flags credentials committed by accident — cloud keys, private-key blocks, API tokens. Each finding shows the file and line. Rotate the exposed secret, remove it from the code, and mark the alert Resolved.
Dependency scanning (SCA)
Catalyst parses your manifests and compares them to a security advisory feed, raising a "vulnerable dependency" alert with the advisory ID and severity.
| Ecosystem | Manifest read |
|---|---|
| Python | requirements.txt |
| Node | package.json |
| Java | pom.xml |
| Go | go.mod |
Fix by upgrading to the fixed version and pushing again; the alert clears on the next scan. Use Re-scan default branch to check on demand. Administrators manage the advisory feed under Admin → Security advisories.
Git over SSH Intermediate
SSH avoids typing a password on every push. It must be enabled on the instance (default port 2222).
- Create a key pair if you don't have one:
ssh-keygen -t ed25519. - Copy your public key (
~/.ssh/id_ed25519.pub) into Account → SSH keys → Add SSH key. - Clone and push over SSH:
git clone ssh://git@<host>:2222/acme/payments-api.git
# then the usual: git push / git pullPersonal access tokens Intermediate
Tokens authenticate Git-over-HTTP and the REST API without your password (and bypass 2FA prompts, which is what you want for automation). Create one in Account → Personal access tokens — copy it immediately; it's shown only once.
# use a token as the git password over HTTP
git clone http://alice:cat_XXXXXXXX@<host>/acme/payments-api.git
# use it as a Bearer token for the API
curl -H "Authorization: Bearer cat_XXXXXXXX" http://<host>/api/v1/userTeams, collaborators & permissions Advanced
Grant access two ways:
- Per repository — Settings → Collaborators, add a user with
read,writeoradmin. - By team — admins create teams under Teams and add members.
| Permission | Can… |
|---|---|
read | View and clone the repository (private repos). |
write | Push, merge PRs, run pipelines, publish releases. |
admin | Everything, plus repository settings, protection, secrets, webhooks. |
The repository owner and site administrators always have admin rights. Public repositories are readable (and cloneable) by anyone on the instance. Single sign-on (OIDC) and LDAP directory sign-in can be enabled by an administrator; accounts are created automatically on first login.
Deleting a repository. With admin rights, open Settings → Danger zone, type the repository name to confirm, and click Delete this repository. This permanently removes the code, issues, pull requests, pipelines, packages and settings — it cannot be undone.
Search, wiki & insights Beginner
- Search — the top-bar box searches repositories and issues; switch to Include code to grep across code you can read.
- Wiki — each repository has a Markdown wiki (the Wiki tab). Create a home page and link others.
- Insights — commit counts, branches, contributors and open issue/PR totals for a repository.
REST API Advanced
Automate Catalyst from scripts and CI. Authenticate with a token as a Bearer header (or Basic auth).
| Method & path | Does |
|---|---|
GET /api/v1/user | Who am I (verifies the token). |
GET /api/v1/repos | List repositories you can read. |
GET /api/v1/repos/{owner}/{name} | Repository details (branches, commit count). |
GET /api/v1/repos/{owner}/{name}/issues | List issues (?state=open|closed). |
POST /api/v1/repos/{owner}/{name}/issues | Create an issue ({"title","body"}). |
GET …/pulls, …/pipelines | List pull requests / pipeline runs. |
TOKEN=cat_XXXXXXXX
# list your repositories
curl -H "Authorization: Bearer $TOKEN" http://<host>/api/v1/repos
# open an issue from a script
curl -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
-d '{"title":"Nightly job failed","body":"See attached log"}' \
http://<host>/api/v1/repos/acme/payments-api/issuesWebhooks Advanced
Fire an HTTP POST to your own service when things happen. In Settings → Webhooks, add a URL, the events (comma-separated: push, issue, pull_request, pipeline, release, or *), and a secret. Each delivery is signed with HMAC-SHA256 in the X-Catalyst-Signature header.
# verify a delivery (Python)
import hmac, hashlib
def valid(secret, body_bytes, header):
expected = "sha256=" + hmac.new(secret.encode(), body_bytes, hashlib.sha256).hexdigest()
return hmac.compare_digest(expected, header) # header = X-Catalyst-SignatureImport & mirroring Intermediate
Move existing projects onto Catalyst. From the dashboard click Import, give the source Git URL (GitHub, GitLab, any Git remote) and a new name. The full history is mirrored. A scheduled pull mirror can keep the copy in sync with an upstream automatically.
git remote set-url origin http://<host>/acme/<repo>.git.Git LFS (large files) Advanced
Catalyst includes a Git LFS server for large binaries (datasets, media, models). With the git-lfs client installed:
git lfs install
git lfs track "*.psd" # store these via LFS
git add .gitattributes design.psd
git commit -m "Add design asset"
git push # the large object goes to the LFS storeAdministration Advanced
Site administrators get an Admin link in the top bar.
| Area | What you do there |
|---|---|
| Users & access | Create accounts, grant admin, enable/disable users. |
| Teams | Group members for shared access. |
| Security advisories | Add advisories for dependency scanning, or sync from the Synapse-Sonar feed. |
| Backups | Create a downloadable .tar.gz of the database, repositories, registry and LFS objects. |
| Audit log | Every significant action, most recent first. |
| Configuration | Review internal/external URLs, anonymous-read and data directory. |
Operations
- Backups & restore — download from Admin → Backups. To restore: stop Catalyst, extract the archive over an empty data directory, start again.
- Metrics —
GET /metricsexposes Prometheus gauges (users, repos, runs, open issues/PRs/alerts) for scraping. - Rate limiting — set
CATALYST_RATE_LIMIT(requests/min/IP) to protect the web UI.
docker compose up -d --build. Key settings live in .env: CATALYST_SECRET_KEY, the admin account, CATALYST_INTERNAL_URL / CATALYST_EXTERNAL_URL, and optional SSH, SMTP, OIDC/LDAP and Sonar settings. See the README for the full reference.Cheat sheet All levels
Everyday Git
git clone http://<host>/<owner>/<repo>.git # or ssh://git@<host>:2222/…
git checkout -b my-branch
git add . && git commit -m "message"
git push -u origin my-branch
git pull ; git fetch --allCatalyst URLs
| Purpose | URL / path |
|---|---|
| Clone (HTTP) | http://<host>/<owner>/<repo>.git |
| Clone (SSH) | ssh://git@<host>:2222/<owner>/<repo>.git |
| Download snapshot | /<owner>/<repo>/archive/<ref>.tar.gz (or .zip) |
| PyPI index | /registry/pypi/simple/ |
| npm registry | /registry/npm/ |
| Maven repo | /registry/maven/ |
| API base | /api/v1/ |
| Metrics | /metrics |
.catalyst-ci.yml keys
name: <pipeline name>
schedule: "@hourly" | "@daily" | { every_minutes: N }
artifacts: [ "glob", ... ]
steps:
- name: <step name>
run: <shell command>Troubleshooting All levels
| Symptom | Fix |
|---|---|
| Push rejected (403) | You need write on the repo. Ask an admin/owner to add you as a collaborator. |
| Repeated auth prompts | Use a token as the password, or set up a credential helper / SSH keys. |
| Merge button disabled | The branch is protected — read the listed reasons (needs approvals and/or a green pipeline). |
wget gives 404 | The ref must exist. Check the branch/tag name on the repo page; default is main. |
| Clone URL has the wrong host | Use the Internal/External toggle in Get the code. Admins set CATALYST_INTERNAL_URL / CATALYST_EXTERNAL_URL. |
| Pipeline shows "no-config" | Add a .catalyst-ci.yml at the repo root of that branch. |
| SSH: "access denied" | Your public key isn't registered, or you lack access. Re-add it under Account → SSH keys. |
| Lost my token | Tokens are shown once. Revoke the old one and generate a new one. |
Glossary Beginner
| Term | Meaning |
|---|---|
| Artifact | A file produced by a pipeline and kept for download. |
| Branch protection | Rules that gate merging (reviews, passing pipeline). |
| CI/CD | Continuous integration / delivery — automatically building, testing and shipping. |
| CODEOWNERS | A file mapping paths to reviewers who are auto-requested. |
| Fork | Your own copy of a repository to propose changes from. |
| LFS | Large File Storage — keeps big binaries out of normal Git history. |
| Merge | Combining one branch's commits into another. |
| Ref | A branch or tag name pointing at a commit. |
| SCA | Software Composition Analysis — scanning dependencies for known vulnerabilities. |
| Token | A secret string used instead of a password for Git/API automation. |
| Webhook | An HTTP callback Catalyst sends when events happen. |