Skip to content
repo-sdk
Esc
navigateopen⌘Jpreview
On this page

Provider support

A feature-by-provider support matrix across GitHub, GitLab, Bitbucket, Azure DevOps, and Gitea.

A feature × provider matrix covering authentication methods, baseUrl/self-hosted support, discovery, downloads, and webhooks across GitHub, GitLab, Bitbucket Cloud, Azure DevOps, and Gitea.

Feature matrix

Feature GitHub GitLab Bitbucket Cloud Azure DevOps Gitea
Subpath import repo-sdk/github repo-sdk/gitlab repo-sdk/bitbucket repo-sdk/azure-devops repo-sdk/gitea
Token auth ✓ (PAT / OAuth) ✓ (PAT / project / group / OAuth) ✓ (access token, Bearer) ✓ (PAT / OAuth) ✓ (PAT, token scheme)
App / alternative auth ✓ (GitHub App) ✓ (email + API token, Basic) ✓ (Entra tokenProvider)
Self-hosted (baseUrl) ✓ (GHES) ✓ (self-managed) ✗ (Cloud only) ✓ (Server) ✓ (self-hosted / Forgejo)
repo string owner/name group/…/project or id workspace/repo_slug project/repository owner/name
Namespace discovery user + orgs user + groups workspaces projects user + orgs
Commit filters (since / until / author) server-side server-side client-side per page server-side client-side author
Namespace avatarUrl
Archive download ✓ (API token auth only)
Clone URL ✓ (embedded) ✓ (embedded) ✓ (embedded) ✓ (embedded / Entra headers) ✓ (embedded)
Server-side repo pagination ✗ (single response)

Per-provider caveats

GitHub
  • Tag listing carries no date (tagDates: false) — Tag.date is undefined.
  • GitHub App auth uses installation tokens with no user identity: namespace and owned listing use the installation’s accessible repositories, and resolving the authenticated user throws unsupported. Single-installation apps can omit installationId; zero installs throw unauthorized, multiple throw validation.
  • Clone URLs from GitHub App auth set expiresAt (~1h).
  • Ref search (refs.search) is served by the unpaginated matching-refs endpoint — a very broad prefix on a huge repo transfers all matches in one response before the SDK truncates to limit. Annotated tag matches carry the tag object SHA, not the peeled commit.
GitLab
  • Self-managed instances need the full baseUrl including /api/v4.
  • The repo string accepts the full subgroup path or the numeric project id.
  • Project hooks are always activeactive: false throws unsupported.
Bitbucket Cloud
  • Cloud only — no baseUrl.
  • Archive downloads require the email + API token (Basic) auth; with an access token, downloadArchive throws unsupported.
  • No release webhook event; push and tag_push both map to the native repo:push.
  • since / until / author commit filters are applied client-side per page.
  • Ref search matches case-insensitively (Bitbucket’s filter only supports contains matching; the SDK narrows the first page to prefix matches, so a page full of mid-name hits can return fewer than limit results).
Gitea
  • Targets Gitea ≥ 1.20; Forgejo is API-compatible and works unchanged — including webhook verification, since Forgejo sends the same X-Gitea-* delivery headers.
  • Self-hosted instances need the full baseUrl including /api/v1; the default is https://gitea.com/api/v1.
  • Tag listing carries no date (tagDates: false) — Tag.date is undefined.
  • The author commit filter is applied client-side per page.
  • tag_push webhooks map to Gitea’s create/delete events; verification uses the bare-hex X-Gitea-Signature header.
  • Gitea has no built-in API rate limiter — a rate_limited error can only come from a fronting proxy.
  • Private resources you lack permission for often return 404 instead of 403 to avoid leaking their existence.
  • Ref search is case-sensitive and unpaginated (all matches transfer before the SDK truncates to limit). Annotated tag matches carry the tag object SHA, not the peeled commit.
Azure DevOps
  • organization is required on the factory and is not part of the repo string.
  • No repo search and no owned filter — passing query or owned throws unsupported.
  • Archive downloads are zip only.
  • Webhooks: push and tag_push are delivered by one git.push subscription, so webhooks.create requires both together. No release event.
  • Entra auth returns clone credentials in headers instead of embedding them in the URL.
  • The repositories endpoint returns everything in one response — there’s no server-side cursor, so limit is honored client-side.
  • listOrganizations is a standalone helper (organizations live outside the org-pinned provider).

Capability matrix

The exact RepoCapabilities values per provider.

Was this page helpful?