From 0ee8194ac7e36294979ef6a4be9b78064bf8c78d Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Tue, 20 Oct 2020 22:44:31 -0600
Subject: [PATCH] run deploy scripts from within trusted repos
---
 .prettierrc | 4 +-
 README.md | 1 +
 examples/deploy.sh | 95 ++++++++++++-------
 .../git.example.com/org/go-project/deploy.sh | 1 +
 .../org/node-project/deploy.sh | 1 +
 main.go | 12 ++-
 6 files changed, 79 insertions(+), 35 deletions(-)
diff --git a/.prettierrc b/.prettierrc
index 0967ef4..b3b052f 100644
--- a/.prettierrc
+++ b/.prettierrc
@@ -1 +1,3 @@
-{}
+{
+ "tabWidth": 2
+}
diff --git a/README.md b/README.md
index aae9149..36043a5 100644
--- a/README.md
+++ b/README.md
@@ -80,6 +80,7 @@ GIT_REF_NAME=master
 GIT_REF_TYPE=branch
 GIT_REPO_OWNER=my-org
 GIT_REPO_NAME=my-project
+GIT_REPO_TRUSTED=true
 ```
 ## API
diff --git a/examples/deploy.sh b/examples/deploy.sh
index 2bacaa1..3572fb4 100644
--- a/examples/deploy.sh
+++ b/examples/deploy.sh
@@ -3,37 +3,66 @@
 # The directory of this bash script
 base_dir="$(dirname "$(readlink -f "$0")")"
-if [[ -f "${base_dir}/${GIT_REPO_ID}/deploy.sh" ]]
-then
- echo "Running deplay script for ${GIT_REPO_ID}"
- bash "${base_dir}/${GIT_REPO_ID}/deploy.sh"
- exit 0
+function deploy_local() {
+ echo "Running deplay script for ${GIT_REPO_ID}"
+ bash -o errexit -o nounset "${base_dir}/${GIT_REPO_ID}/deploy.sh"
+}
+
+function deploy_trusted() {
+ my_tmp="$(mktemp -d -t "tmp.XXXXXXXXXX")"
+ git clone --depth=1 "${GIT_CLONE_URL}" -b "${GIT_REF_NAME}" "${my_tmp}/${GIT_REPO_NAME}"
+
+ pushd "${my_tmp}/${GIT_REPO_NAME}"
+ if [[ -f ".gitdeploy/deploy.sh" ]]
+ then
+ bash -o errexit -o nounset ".gitdeploy/deploy.sh"
+ else
+ echo "Missing ${GIT_REPO_ID}/.gitdeploy/deploy.sh"
+ fi
+ popd
+
+ rm -rf "${my_tmp}/${GIT_REPO_NAME}/"
+}
+
+function show_help() {
+ echo ""
+ echo "Nothing to do for ${GIT_REPO_ID}"
+ echo ""
+ echo "Want to set it up? Try this:"
+ echo " mkdir -p ${base_dir}/${GIT_REPO_ID}"
+ echo " rsync -av ${base_dir}/git.example.com/org/project/ ${base_dir}/${GIT_REPO_ID}/"
+ echo ""
+ echo "Then edit the example deploy.sh to do what you need."
+ echo " vim ${base_dir}/${GIT_REPO_ID}/deploy.sh"
+ echo ""
+ echo "You may also like to take a look at the Go, Node.js, and other starter templates:"
+ echo " ls ${base_dir}/git.example.com/org/"
+ echo ""
+ echo "You can use any of these ENVs in your deploy script:"
+
+ # These environment variables are set by the caller
+ my_envs='GIT_REPO_ID
+ GIT_CLONE_URL
+ GIT_REPO_OWNER
+ GIT_REPO_NAME
+ GIT_REF_TYPE
+ GIT_REF_NAME
+ GIT_REPO_TRUSTED
+ '
+ for x in $my_envs; do
+ echo "$x=${!x}"
+ done
+
+ sleep 1
+}
+
+if [[ -f "${base_dir}/${GIT_REPO_ID}/deploy.sh" ]]; then
+ deploy_local
+ exit 0
+elif [[ "true" == "${GIT_REPO_TRUSTED}" ]]; then
+ deploy_trusted
+ exit 0
+else
+ show_help
+ exit 1
 fi
-
-echo ""
-echo "Nothing to do for ${GIT_REPO_ID}"
-echo ""
-echo "Want to set it up? Try this:"
-echo " mkdir -p ${base_dir}/${GIT_REPO_ID}"
-echo " rsync -av ${base_dir}/git.example.com/org/project/ ${base_dir}/${GIT_REPO_ID}/"
-echo ""
-echo "Then edit the example deploy.sh to do what you need."
-echo " vim ${base_dir}/${GIT_REPO_ID}/deploy.sh"
-echo ""
-echo "You may also like to take a look at the Go, Node.js, and other starter templates:"
-echo " ls ${base_dir}/git.example.com/org/"
-echo ""
-echo "You can use any of these ENVs in your deploy script:"
-
-# These environment variables are set by the caller
-my_envs='GIT_REF_NAME
-GIT_REF_TYPE
-GIT_REPO_ID
-GIT_REPO_OWNER
-GIT_REPO_NAME
-GIT_CLONE_URL'
-for x in $my_envs; do
- echo "$x=${!x}"
-done
-
-sleep 1
diff --git a/examples/git.example.com/org/go-project/deploy.sh b/examples/git.example.com/org/go-project/deploy.sh
index 0947efe..4fadb04 100644
--- a/examples/git.example.com/org/go-project/deploy.sh
+++ b/examples/git.example.com/org/go-project/deploy.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 set -u
+set -e
 if [[ "${GIT_REF_NAME}" != "master" ]]
 then
diff --git a/examples/git.example.com/org/node-project/deploy.sh b/examples/git.example.com/org/node-project/deploy.sh
index 465f378..d636fec 100644
--- a/examples/git.example.com/org/node-project/deploy.sh
+++ b/examples/git.example.com/org/node-project/deploy.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 set -u
+set -e
 if [[ "${GIT_REF_NAME}" != "master" ]]
 then
diff --git a/main.go b/main.go
index 6696715..33557df 100644
--- a/main.go
+++ b/main.go
@@ -150,7 +150,11 @@ func main() {
 return
 }
 if 0 == len(runOpts.RepoList) {
- runOpts.RepoList = os.Getenv("REPO_LIST")
+ runOpts.RepoList = os.Getenv("TRUST_REPOS")
+ }
+ if len(runOpts.RepoList) > 0 {
+ runOpts.RepoList = strings.ReplaceAll(runOpts.RepoList, ",", " ")
+ runOpts.RepoList = strings.ReplaceAll(runOpts.RepoList, " ", " ")
 }
 if 0 == len(promotionList) {
 promotionList = os.Getenv("PROMOTIONS")
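Review bot: In `deploy_trusted` (examples/deploy.sh), neither `git clone` nor `pushd` is checked, so when the clone fails the `[[ -f ".gitdeploy/deploy.sh" ]]` test runs in whatever directory the hook was started from and a script found there would be executed; whether the outer script enables `errexit` is not visible in this hunk. The cleanup removes only `${my_tmp}/${GIT_REPO_NAME}/`, leaving the `mktemp` directory behind, and it is skipped entirely on an early exit. `GIT_CLONE_URL` is passed as a bare positional argument; placing it after `--` keeps a value that begins with `-` from being parsed as an option. The script that runs is the one at the pushed ref, so trusting a repository means trusting everyone who can push any ref to it, and a check of `GIT_REF_NAME`/`GIT_REF_TYPE` before cloning would narrow that. For failures to propagate, the caller's `deploy_trusted` followed by `exit 0` would also need to become `deploy_trusted || exit 1`.

```shell
function deploy_trusted() {
  my_tmp="$(mktemp -d -t "tmp.XXXXXXXXXX")" || return 1
  # Remove the whole temp dir, not only the checkout, on every exit path
  trap 'rm -rf "${my_tmp}"' EXIT

  git clone --depth=1 -b "${GIT_REF_NAME}" -- "${GIT_CLONE_URL}" "${my_tmp}/${GIT_REPO_NAME}" || return 1

  if [[ ! -f "${my_tmp}/${GIT_REPO_NAME}/.gitdeploy/deploy.sh" ]]; then
    echo "Missing ${GIT_REPO_ID}/.gitdeploy/deploy.sh"
    return 1
  fi

  # Subshell: a failed cd can never leave the script running in the caller's directory
  (cd "${my_tmp}/${GIT_REPO_NAME}" && bash -o errexit -o nounset ".gitdeploy/deploy.sh")
}
```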
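Review bot: `runOpts.RepoList` keeps its old field name in the first main.go hunk, but together with the `runHook` hunk its contents now decide which repositories may run their own `.gitdeploy/deploy.sh` on this host, and nothing here records that at startup. The `if 0 == len(...)` guard implies the field is also filled from somewhere outside this hunk (probably a flag), so a value an operator supplied under the earlier meaning could silently become a trust grant; that is worth confirming. I would log the effective list once after normalisation and warn when it contains `*`, for example `log.Printf("trusted repos: %q", strings.Fields(runOpts.RepoList))`, assuming `log` is imported in main.go. The second `ReplaceAll` looks redundant, since `runHook` splits with `strings.Fields`, which already collapses runs of whitespace.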
@@ -446,6 +450,12 @@ func runHook(hook webhooks.Ref) {
 "GIT_REPO_NAME=" + hook.Repo,
 "GIT_CLONE_URL=" + hook.HTTPSURL,
 }
+ for _, repo := range strings.Fields(runOpts.RepoList) {
+ if "*" == repo || repo == repoID {
+ envs = append(envs, "GIT_REPO_TRUSTED=true")
+ break
+ }
+ }
 cmd.Env = append(env, envs...)
 cmd.Stdout = os.Stdout
 cmd.Stderr = os.Stderr
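Review bot: `GIT_REPO_TRUSTED` is appended only when a list entry matches, so for an unmatched repository the child process inherits whatever `env` already holds; `env` is defined outside this hunk, but if it derives from the service's own environment, a stray `GIT_REPO_TRUSTED=true` there would mark every repository as trusted. Setting the variable on every run makes the decision fail closed: `trusted := "false"` before the loop, `trusted = "true"` in the match branch, then `envs = append(envs, "GIT_REPO_TRUSTED="+trusted)`. The comparison `repo == repoID` is exact and case-sensitive and `repoID` is built outside the hunk, so a short comment stating the expected form of a list entry, and that `*` trusts every repository able to deliver a webhook, would help operators configure it safely.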