run deploy scripts from within trusted repos

2020-10-20 22:44:31 -06:00 · 2020-10-20 22:44:31 -06:00 · 0ee8194ac7
parent d9093969f9
commit 0ee8194ac7
6 changed files with 79 additions and 35 deletions
--- a/.prettierrc
+++ b/.prettierrc
@ -1 +1,3 @@
-{}
+{
+    "tabWidth": 2
+}
--- a/README.md
+++ b/README.md
@ -80,6 +80,7 @@ GIT_REF_NAME=master
 GIT_REF_TYPE=branch
 GIT_REPO_OWNER=my-org
 GIT_REPO_NAME=my-project
+GIT_REPO_TRUSTED=true
 ```

 ## API
--- a/examples/deploy.sh
+++ b/examples/deploy.sh
@ -3,13 +3,28 @@
 # The directory of this bash script
 base_dir="$(dirname "$(readlink -f "$0")")"

-if [[ -f "${base_dir}/${GIT_REPO_ID}/deploy.sh" ]]
-then
+function deploy_local() {
    echo "Running deplay script for ${GIT_REPO_ID}"
-  bash "${base_dir}/${GIT_REPO_ID}/deploy.sh"
-  exit 0
-fi
+    bash -o errexit -o nounset "${base_dir}/${GIT_REPO_ID}/deploy.sh"
+}

+function deploy_trusted() {
+    my_tmp="$(mktemp -d -t "tmp.XXXXXXXXXX")"
+    git clone --depth=1 "${GIT_CLONE_URL}" -b "${GIT_REF_NAME}" "${my_tmp}/${GIT_REPO_NAME}"
+
+    pushd "${my_tmp}/${GIT_REPO_NAME}"
+        if [[ -f ".gitdeploy/deploy.sh" ]]
+        then
+            bash -o errexit -o nounset ".gitdeploy/deploy.sh"
+        else
+            echo "Missing ${GIT_REPO_ID}/.gitdeploy/deploy.sh"
+        fi
+    popd
+
+    rm -rf "${my_tmp}/${GIT_REPO_NAME}/"
+}
+
+function show_help() {
    echo ""
    echo "Nothing to do for ${GIT_REPO_ID}"
    echo ""
@ -26,14 +41,28 @@ echo ""
    echo "You can use any of these ENVs in your deploy script:"

    # These environment variables are set by the caller
-my_envs='GIT_REF_NAME
-GIT_REF_TYPE
-GIT_REPO_ID
+    my_envs='GIT_REPO_ID
+    GIT_CLONE_URL
    GIT_REPO_OWNER
    GIT_REPO_NAME
-GIT_CLONE_URL'
+    GIT_REF_TYPE
+    GIT_REF_NAME
+    GIT_REPO_TRUSTED
+    '
    for x in $my_envs; do
        echo "$x=${!x}"
    done

    sleep 1
+}
+
+if [[ -f "${base_dir}/${GIT_REPO_ID}/deploy.sh" ]]; then
+    deploy_local
+    exit 0
+elif [[ "true" == "${GIT_REPO_TRUSTED}" ]]; then
+    deploy_trusted
+    exit 0
+else
+    show_help
+    exit 1
+fi
--- a/examples/git.example.com/org/go-project/deploy.sh
+++ b/examples/git.example.com/org/go-project/deploy.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 set -u
+set -e

 if [[ "${GIT_REF_NAME}" != "master" ]]
 then
--- a/examples/git.example.com/org/node-project/deploy.sh
+++ b/examples/git.example.com/org/node-project/deploy.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 set -u
+set -e

 if [[ "${GIT_REF_NAME}" != "master" ]]
 then
--- a/main.go
+++ b/main.go
@ -150,7 +150,11 @@ func main() {
 			return
 		}
 		if 0 == len(runOpts.RepoList) {
-			runOpts.RepoList = os.Getenv("REPO_LIST")
+			runOpts.RepoList = os.Getenv("TRUST_REPOS")
+		}
+		if len(runOpts.RepoList) > 0 {
+			runOpts.RepoList = strings.ReplaceAll(runOpts.RepoList, ",", " ")
+			runOpts.RepoList = strings.ReplaceAll(runOpts.RepoList, "  ", " ")
 		}
 		if 0 == len(promotionList) {
 			promotionList = os.Getenv("PROMOTIONS")
@ -446,6 +450,12 @@ func runHook(hook webhooks.Ref) {
 		"GIT_REPO_NAME=" + hook.Repo,
 		"GIT_CLONE_URL=" + hook.HTTPSURL,
 	}
+	for _, repo := range strings.Fields(runOpts.RepoList) {
+		if "*" == repo || repo == repoID {
+			envs = append(envs, "GIT_REPO_TRUSTED=true")
+			break
+		}
+	}
 	cmd.Env = append(env, envs...)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr