run deploy scripts from within trusted repos

.prettierrc

@@ -1 +1,3 @@
-{}
+{
+    "tabWidth": 2
+}

README.md

@@ -80,6 +80,7 @@ GIT_REF_NAME=master
 GIT_REF_TYPE=branch
 GIT_REPO_OWNER=my-org
 GIT_REPO_NAME=my-project
+GIT_REPO_TRUSTED=true
 ```
 
 ## API

examples/deploy.sh

@@ -3,13 +3,28 @@
 # The directory of this bash script
 base_dir="$(dirname "$(readlink -f "$0")")"
 
-if [[ -f "${base_dir}/${GIT_REPO_ID}/deploy.sh" ]]
+function deploy_local() {
-then
     echo "Running deplay script for ${GIT_REPO_ID}"
-  bash "${base_dir}/${GIT_REPO_ID}/deploy.sh"
+    bash -o errexit -o nounset "${base_dir}/${GIT_REPO_ID}/deploy.sh"
-  exit 0
+}
-fi
 
+function deploy_trusted() {
+    my_tmp="$(mktemp -d -t "tmp.XXXXXXXXXX")"
+    git clone --depth=1 "${GIT_CLONE_URL}" -b "${GIT_REF_NAME}" "${my_tmp}/${GIT_REPO_NAME}"
+
+    pushd "${my_tmp}/${GIT_REPO_NAME}"
+        if [[ -f ".gitdeploy/deploy.sh" ]]
+        then
+            bash -o errexit -o nounset ".gitdeploy/deploy.sh"
+        else
+            echo "Missing ${GIT_REPO_ID}/.gitdeploy/deploy.sh"
+        fi
+    popd
+
+    rm -rf "${my_tmp}/${GIT_REPO_NAME}/"
+}
+
+function show_help() {
     echo ""
     echo "Nothing to do for ${GIT_REPO_ID}"
     echo ""
@@ -26,14 +41,28 @@ echo ""
     echo "You can use any of these ENVs in your deploy script:"
 
     # These environment variables are set by the caller
-my_envs='GIT_REF_NAME
+    my_envs='GIT_REPO_ID
-GIT_REF_TYPE
+    GIT_CLONE_URL
-GIT_REPO_ID
     GIT_REPO_OWNER
     GIT_REPO_NAME
-GIT_CLONE_URL'
+    GIT_REF_TYPE
+    GIT_REF_NAME
+    GIT_REPO_TRUSTED
+    '
     for x in $my_envs; do
         echo "$x=${!x}"
     done
 
     sleep 1
+}
+
+if [[ -f "${base_dir}/${GIT_REPO_ID}/deploy.sh" ]]; then
+    deploy_local
+    exit 0
+elif [[ "true" == "${GIT_REPO_TRUSTED}" ]]; then
+    deploy_trusted
+    exit 0
+else
+    show_help
+    exit 1
+fi

examples/git.example.com/org/go-project/deploy.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 set -u
+set -e
 
 if [[ "${GIT_REF_NAME}" != "master" ]]
 then

examples/git.example.com/org/node-project/deploy.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 set -u
+set -e
 
 if [[ "${GIT_REF_NAME}" != "master" ]]
 then

main.go

@@ -150,7 +150,11 @@ func main() {
 			return
 		}
 		if 0 == len(runOpts.RepoList) {
-			runOpts.RepoList = os.Getenv("REPO_LIST")
+			runOpts.RepoList = os.Getenv("TRUST_REPOS")
+		}
+		if len(runOpts.RepoList) > 0 {
+			runOpts.RepoList = strings.ReplaceAll(runOpts.RepoList, ",", " ")
+			runOpts.RepoList = strings.ReplaceAll(runOpts.RepoList, "  ", " ")
 		}
 		if 0 == len(promotionList) {
 			promotionList = os.Getenv("PROMOTIONS")
@@ -446,6 +450,12 @@ func runHook(hook webhooks.Ref) {
 		"GIT_REPO_NAME=" + hook.Repo,
 		"GIT_CLONE_URL=" + hook.HTTPSURL,
 	}
+	for _, repo := range strings.Fields(runOpts.RepoList) {
+		if "*" == repo || repo == repoID {
+			envs = append(envs, "GIT_REPO_TRUSTED=true")
+			break
+		}
+	}
 	cmd.Env = append(env, envs...)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr