run deploy scripts from within trusted repos

.prettierrc

@@ -1 +1,3 @@
-{}
+{
+    "tabWidth": 2
+}

README.md

@@ -80,6 +80,7 @@ GIT_REF_NAME=master
 GIT_REF_TYPE=branch
 GIT_REPO_OWNER=my-org
 GIT_REPO_NAME=my-project
+GIT_REPO_TRUSTED=true
 ```
 
 ## API

examples/deploy.sh

@@ -3,37 +3,66 @@
 # The directory of this bash script
 base_dir="$(dirname "$(readlink -f "$0")")"
 
-if [[ -f "${base_dir}/${GIT_REPO_ID}/deploy.sh" ]]
-then
-  echo "Running deplay script for ${GIT_REPO_ID}"
-  bash "${base_dir}/${GIT_REPO_ID}/deploy.sh"
-  exit 0
-fi
+function deploy_local() {
+    echo "Running deplay script for ${GIT_REPO_ID}"
+    bash -o errexit -o nounset "${base_dir}/${GIT_REPO_ID}/deploy.sh"
+}
+
+function deploy_trusted() {
+    my_tmp="$(mktemp -d -t "tmp.XXXXXXXXXX")"
+    git clone --depth=1 "${GIT_CLONE_URL}" -b "${GIT_REF_NAME}" "${my_tmp}/${GIT_REPO_NAME}"
+
+    pushd "${my_tmp}/${GIT_REPO_NAME}"
+        if [[ -f ".gitdeploy/deploy.sh" ]]
+        then
+            bash -o errexit -o nounset ".gitdeploy/deploy.sh"
+        else
+            echo "Missing ${GIT_REPO_ID}/.gitdeploy/deploy.sh"
+        fi
+    popd
+
+    rm -rf "${my_tmp}/${GIT_REPO_NAME}/"
+}
 
-echo ""
-echo "Nothing to do for ${GIT_REPO_ID}"
-echo ""
-echo "Want to set it up? Try this:"
-echo "    mkdir -p ${base_dir}/${GIT_REPO_ID}"
-echo "    rsync -av ${base_dir}/git.example.com/org/project/ ${base_dir}/${GIT_REPO_ID}/"
-echo ""
-echo "Then edit the example deploy.sh to do what you need."
-echo "    vim ${base_dir}/${GIT_REPO_ID}/deploy.sh"
-echo ""
-echo "You may also like to take a look at the Go, Node.js, and other starter templates:"
-echo "    ls ${base_dir}/git.example.com/org/"
-echo ""
-echo "You can use any of these ENVs in your deploy script:"
-
-# These environment variables are set by the caller
-my_envs='GIT_REF_NAME
-GIT_REF_TYPE
-GIT_REPO_ID
-GIT_REPO_OWNER
-GIT_REPO_NAME
-GIT_CLONE_URL'
-for x in $my_envs; do
-    echo "$x=${!x}"
-done
-
-sleep 1
+function show_help() {
+    echo ""
+    echo "Nothing to do for ${GIT_REPO_ID}"
+    echo ""
+    echo "Want to set it up? Try this:"
+    echo "    mkdir -p ${base_dir}/${GIT_REPO_ID}"
+    echo "    rsync -av ${base_dir}/git.example.com/org/project/ ${base_dir}/${GIT_REPO_ID}/"
+    echo ""
+    echo "Then edit the example deploy.sh to do what you need."
+    echo "    vim ${base_dir}/${GIT_REPO_ID}/deploy.sh"
+    echo ""
+    echo "You may also like to take a look at the Go, Node.js, and other starter templates:"
+    echo "    ls ${base_dir}/git.example.com/org/"
+    echo ""
+    echo "You can use any of these ENVs in your deploy script:"
+
+    # These environment variables are set by the caller
+    my_envs='GIT_REPO_ID
+    GIT_CLONE_URL
+    GIT_REPO_OWNER
+    GIT_REPO_NAME
+    GIT_REF_TYPE
+    GIT_REF_NAME
+    GIT_REPO_TRUSTED
+    '
+    for x in $my_envs; do
+        echo "$x=${!x}"
+    done
+
+    sleep 1
+}
+
+if [[ -f "${base_dir}/${GIT_REPO_ID}/deploy.sh" ]]; then
+    deploy_local
+    exit 0
+elif [[ "true" == "${GIT_REPO_TRUSTED}" ]]; then
+    deploy_trusted
+    exit 0
+else
+    show_help
+    exit 1
+fi

examples/git.example.com/org/go-project/deploy.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 set -u
+set -e
 
 if [[ "${GIT_REF_NAME}" != "master" ]]
 then

examples/git.example.com/org/node-project/deploy.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 set -u
+set -e
 
 if [[ "${GIT_REF_NAME}" != "master" ]]
 then

main.go

@@ -150,7 +150,11 @@ func main() {
 			return
 		}
 		if 0 == len(runOpts.RepoList) {
-			runOpts.RepoList = os.Getenv("REPO_LIST")
+			runOpts.RepoList = os.Getenv("TRUST_REPOS")
+		}
+		if len(runOpts.RepoList) > 0 {
+			runOpts.RepoList = strings.ReplaceAll(runOpts.RepoList, ",", " ")
+			runOpts.RepoList = strings.ReplaceAll(runOpts.RepoList, "  ", " ")
 		}
 		if 0 == len(promotionList) {
 			promotionList = os.Getenv("PROMOTIONS")
@@ -446,6 +450,12 @@ func runHook(hook webhooks.Ref) {
 		"GIT_REPO_NAME=" + hook.Repo,
 		"GIT_CLONE_URL=" + hook.HTTPSURL,
 	}
+	for _, repo := range strings.Fields(runOpts.RepoList) {
+		if "*" == repo || repo == repoID {
+			envs = append(envs, "GIT_REPO_TRUSTED=true")
+			break
+		}
+	}
 	cmd.Env = append(env, envs...)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr