run deploy scripts from within trusted repos

AJ ONeal 2020-10-20 22:44:31 -06:00
parent d9093969f9
commit 0ee8194ac7
6 changed files with 79 additions and 35 deletions


@ -1 +1,3 @@
{} {
"tabWidth": 2
}


@ -80,6 +80,7 @@ GIT_REF_NAME=master
GIT_REF_TYPE=branch GIT_REF_TYPE=branch
GIT_REPO_OWNER=my-org GIT_REPO_OWNER=my-org
GIT_REPO_NAME=my-project GIT_REPO_NAME=my-project
GIT_REPO_TRUSTED=true
``` ```
## API ## API


@ -3,37 +3,66 @@
# The directory of this bash script # The directory of this bash script
base_dir="$(dirname "$(readlink -f "$0")")" base_dir="$(dirname "$(readlink -f "$0")")"
if [[ -f "${base_dir}/${GIT_REPO_ID}/deploy.sh" ]] function deploy_local() {
then echo "Running deplay script for ${GIT_REPO_ID}"
echo "Running deplay script for ${GIT_REPO_ID}" bash -o errexit -o nounset "${base_dir}/${GIT_REPO_ID}/deploy.sh"
bash "${base_dir}/${GIT_REPO_ID}/deploy.sh" }
exit 0
function deploy_trusted() {
my_tmp="$(mktemp -d -t "tmp.XXXXXXXXXX")"
git clone --depth=1 "${GIT_CLONE_URL}" -b "${GIT_REF_NAME}" "${my_tmp}/${GIT_REPO_NAME}"
pushd "${my_tmp}/${GIT_REPO_NAME}"
if [[ -f ".gitdeploy/deploy.sh" ]]
then
bash -o errexit -o nounset ".gitdeploy/deploy.sh"
else
echo "Missing ${GIT_REPO_ID}/.gitdeploy/deploy.sh"
fi
popd
rm -rf "${my_tmp}/${GIT_REPO_NAME}/"
}
function show_help() {
echo ""
echo "Nothing to do for ${GIT_REPO_ID}"
echo ""
echo "Want to set it up? Try this:"
echo " mkdir -p ${base_dir}/${GIT_REPO_ID}"
echo " rsync -av ${base_dir}/git.example.com/org/project/ ${base_dir}/${GIT_REPO_ID}/"
echo ""
echo "Then edit the example deploy.sh to do what you need."
echo " vim ${base_dir}/${GIT_REPO_ID}/deploy.sh"
echo ""
echo "You may also like to take a look at the Go, Node.js, and other starter templates:"
echo " ls ${base_dir}/git.example.com/org/"
echo ""
echo "You can use any of these ENVs in your deploy script:"
# These environment variables are set by the caller
my_envs='GIT_REPO_ID
GIT_CLONE_URL
GIT_REPO_OWNER
GIT_REPO_NAME
GIT_REF_TYPE
GIT_REF_NAME
GIT_REPO_TRUSTED
'
for x in $my_envs; do
echo "$x=${!x}"
done
sleep 1
}
if [[ -f "${base_dir}/${GIT_REPO_ID}/deploy.sh" ]]; then
deploy_local
exit 0
elif [[ "true" == "${GIT_REPO_TRUSTED}" ]]; then
deploy_trusted
exit 0
else
show_help
exit 1
fi fi
echo ""
echo "Nothing to do for ${GIT_REPO_ID}"
echo ""
echo "Want to set it up? Try this:"
echo " mkdir -p ${base_dir}/${GIT_REPO_ID}"
echo " rsync -av ${base_dir}/git.example.com/org/project/ ${base_dir}/${GIT_REPO_ID}/"
echo ""
echo "Then edit the example deploy.sh to do what you need."
echo " vim ${base_dir}/${GIT_REPO_ID}/deploy.sh"
echo ""
echo "You may also like to take a look at the Go, Node.js, and other starter templates:"
echo " ls ${base_dir}/git.example.com/org/"
echo ""
echo "You can use any of these ENVs in your deploy script:"
# These environment variables are set by the caller
my_envs='GIT_REF_NAME
GIT_REF_TYPE
GIT_REPO_ID
GIT_REPO_OWNER
GIT_REPO_NAME
GIT_CLONE_URL'
for x in $my_envs; do
echo "$x=${!x}"
done
sleep 1
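Review bot: In `deploy_trusted`, neither `git clone` nor `pushd` is checked, so if the clone fails the `[[ -f ".gitdeploy/deploy.sh" ]]` test runs in whatever directory the wrapper was started from and may execute a script that did not come from the trusted repository (unless errexit is enabled above the hunk, which is not visible here). Guard both steps, e.g. `git clone --depth=1 -b "${GIT_REF_NAME}" -- "${GIT_CLONE_URL}" "${my_tmp}/${GIT_REPO_NAME}" || return 1` and `pushd "${my_tmp}/${GIT_REPO_NAME}" || return 1`. The cleanup removes only the clone and leaves the `mktemp -d` directory behind; `rm -rf "${my_tmp}"` would remove both. The caller also exits 0 whether or not the deploy script ran or succeeded, so a failed or missing `.gitdeploy/deploy.sh` is reported as success.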


@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
set -u set -u
set -e
if [[ "${GIT_REF_NAME}" != "master" ]] if [[ "${GIT_REF_NAME}" != "master" ]]
then then


@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
set -u set -u
set -e
if [[ "${GIT_REF_NAME}" != "master" ]] if [[ "${GIT_REF_NAME}" != "master" ]]
then then

12
main.go

@ -150,7 +150,11 @@ func main() {
return return
} }
if 0 == len(runOpts.RepoList) { if 0 == len(runOpts.RepoList) {
runOpts.RepoList = os.Getenv("REPO_LIST") runOpts.RepoList = os.Getenv("TRUST_REPOS")
}
if len(runOpts.RepoList) > 0 {
runOpts.RepoList = strings.ReplaceAll(runOpts.RepoList, ",", " ")
runOpts.RepoList = strings.ReplaceAll(runOpts.RepoList, " ", " ")
} }
if 0 == len(promotionList) { if 0 == len(promotionList) {
promotionList = os.Getenv("PROMOTIONS") promotionList = os.Getenv("PROMOTIONS")
@ -446,6 +450,12 @@ func runHook(hook webhooks.Ref) {
"GIT_REPO_NAME=" + hook.Repo, "GIT_REPO_NAME=" + hook.Repo,
"GIT_CLONE_URL=" + hook.HTTPSURL, "GIT_CLONE_URL=" + hook.HTTPSURL,
} }
for _, repo := range strings.Fields(runOpts.RepoList) {
if "*" == repo || repo == repoID {
envs = append(envs, "GIT_REPO_TRUSTED=true")
break
}
}
cmd.Env = append(env, envs...) cmd.Env = append(env, envs...)
cmd.Stdout = os.Stdout cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr cmd.Stderr = os.Stderr
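Review bot: The loop in `runHook` that appends `GIT_REPO_TRUSTED=true` decides trust by repository ID alone, while the deploy wrapper in this commit clones `GIT_REF_NAME` and runs its `.gitdeploy/deploy.sh`, so a push to any ref of a trusted repository gets its own script executed on the deploy host. A `*` entry extends that to every repository whose webhook is accepted. At minimum document this above the loop, e.g. `// Trust is per repository, not per ref: the wrapper runs .gitdeploy/deploy.sh from whatever ref was pushed.`, and consider restricting trusted execution to an allow-listed ref. In the `main` hunk, the second `strings.ReplaceAll` looks redundant because `strings.Fields` already collapses runs of whitespace. Both functions start and end outside the hunks shown.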