Add support for secrets to private repos PRs
This commit is contained in:
parent
e4b9f89a68
commit
e140b7ef21
@ -9,6 +9,9 @@ site-info=https://sourcehut.org
|
|||
# {{ site-name }}, {{ site-blurb }}
|
||||
site-blurb=the hacker's forge
|
||||
#
|
||||
# If this != production, we add a banner to each page
|
||||
environment=development
|
||||
#
|
||||
# Contact information for the site owners
|
||||
owner-name=Drew DeVault
|
||||
owner-email=sir@cmpwn.com
|
||||
@ -3,4 +3,3 @@ import dispatchsrht.alembic
|
|||
import srht.alembic
|
||||
from srht.database import alembic
|
||||
alembic("dispatch.sr.ht", dispatchsrht.alembic)
|
||||
alembic("dispatch.sr.ht", srht.alembic)
|
||||
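--- /dev/null
+++ b/[migration file path not shown on page]
@@ -0,0 +1,26 @@
+"""Add secrets to GitHub PRs
+
+Revision ID: 986fd25d5184
+Revises: 5ad9b51c90f5
+Create Date: 2019-06-21 10:36:22.290121
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '986fd25d5184'
+down_revision = '5ad9b51c90f5'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade():
+    op.add_column('github_pr_to_build', sa.Column('private',
+        sa.Boolean, nullable=False, server_default='f'))
+    op.add_column('github_pr_to_build', sa.Column('secrets',
+        sa.Boolean, nullable=False, server_default='f'))
+
+
+def downgrade():
+    op.add_drop('github_pr_to_build', 'private')
+    op.add_drop('github_pr_to_build', 'secrets')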
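Review bot: `downgrade()` calls `op.add_drop`, which is not an Alembic operation, so the first rollback of this migration will fail with AttributeError before touching the database; the reverse of `add_column` is `op.drop_column('github_pr_to_build', 'private')` and `op.drop_column('github_pr_to_build', 'secrets')`. Nothing exercises the downgrade path until someone actually needs to roll back, which is the worst moment to discover it; running `alembic downgrade -1` once against a development database would have caught this. The upgrade side matches the two new model columns (same names, `nullable=False`, `server_default='f'`), so existing rows default to secrets disabled, which is the safe default here.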
@ -1,4 +1,5 @@
|
|||
from flask import Blueprint, render_template, request, redirect, url_for, abort
|
||||
from flask import session
|
||||
from flask_login import current_user
|
||||
from srht.config import cfg
|
||||
from srht.database import db
|
||||
@ -2,6 +2,7 @@ import sqlalchemy as sa
|
|||
import sqlalchemy_utils as sau
|
||||
from github import Github
|
||||
from flask import Blueprint, redirect, request, render_template, url_for, abort
|
||||
from flask import session
|
||||
from flask_login import current_user
|
||||
from jinja2 import Markup
|
||||
from uuid import UUID, uuid4
|
||||
|
@ -46,6 +47,8 @@ class GitHubPRToBuild(TaskDef):
|
|||
repo = sa.Column(sa.Unicode(1024), nullable=False)
|
||||
github_webhook_id = sa.Column(sa.Integer, nullable=False)
|
||||
automerge = sa.Column(sa.Boolean, nullable=False, server_default='f')
|
||||
private = sa.Column(sa.Boolean, nullable=False, server_default='f')
|
||||
secrets = sa.Column(sa.Boolean, nullable=False, server_default='f')
|
||||
|
||||
blueprint = Blueprint("github_pr_to_build",
|
||||
__name__, template_folder="github_pr_to_build")
|
||||
|
@ -56,7 +59,19 @@ class GitHubPRToBuild(TaskDef):
|
|||
).one_or_none()
|
||||
if not record:
|
||||
abort(404)
|
||||
return render_template("github/edit.html", task=task, record=record)
|
||||
auth = GitHubAuthorization.query.filter(
|
||||
GitHubAuthorization.user_id == current_user.id
|
||||
).first()
|
||||
github = Github(auth.oauth_token)
|
||||
repo = github.get_repo(record.repo)
|
||||
if repo.private != record.private:
|
||||
record.private = repo.private
|
||||
if not repo.private:
|
||||
record.secrets = False
|
||||
db.session.commit()
|
||||
saved = session.pop("saved", False)
|
||||
return render_template("github/edit.html",
|
||||
task=task, record=record, saved=saved)
|
||||
|
||||
def edit_POST(task):
|
||||
record = GitHubPRToBuild._GitHubPRToBuildRecord.query.filter(
|
||||
|
@ -64,8 +79,13 @@ class GitHubPRToBuild(TaskDef):
|
|||
).one_or_none()
|
||||
valid = Validation(request)
|
||||
automerge = valid.optional("automerge", cls=bool, default=False)
|
||||
secrets = valid.optional("secrets", cls=bool, default=False)
|
||||
record.automerge = bool(automerge)
|
||||
record.secrets = bool(secrets)
|
||||
if not record.private:
|
||||
record.secrets = False
|
||||
db.session.commit()
|
||||
session["saved"] = True
|
||||
return redirect(url_for("html.edit_task", task_id=task.id))
|
||||
|
||||
@csrf_bypass
|
||||
|
@ -94,8 +114,11 @@ class GitHubPRToBuild(TaskDef):
|
|||
return (
|
||||
"You have not authorized us to access your GitHub account", 401
|
||||
)
|
||||
secrets = hook.secrets
|
||||
if not base_repo["private"]:
|
||||
secrets = False
|
||||
return submit_build(hook, head_repo, head, base_repo,
|
||||
secrets=False, extras={
|
||||
secrets=secrets, extras={
|
||||
"automerge": hook.automerge,
|
||||
"pr": pr["number"]
|
||||
}, env={
|
||||
|
@ -141,6 +164,7 @@ class GitHubPRToBuild(TaskDef):
|
|||
record.task_id = task.id
|
||||
record.github_webhook_id = -1
|
||||
record.repo = repo.full_name
|
||||
record.private = repo.private
|
||||
db.session.add(record)
|
||||
db.session.flush()
|
||||
hook = repo.create_hook("web", {
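Review bot: In the `edit_GET` hunk (`@ -56,7 +59,19 @@`), `auth` comes from `.first()` and is `None` when the user never granted or has since revoked the GitHub authorization, so `Github(auth.oauth_token)` raises AttributeError and the edit page returns a 500; the webhook handler later in this file already answers that case with a 401, so a matching guard such as `if not auth: abort(401)` before `github = Github(auth.oauth_token)` keeps the two paths consistent. The rendering has dropped indentation, so whether `db.session.commit()` sits inside the `if repo.private != record.private:` branch cannot be confirmed here; if it is unconditional, every GET of the page issues a commit even when nothing changed. `edit_POST` clears `record.secrets` from the stored `record.private` rather than re-querying GitHub, which is acceptable only because the webhook path re-checks `base_repo["private"]` before passing `secrets` to `submit_build`; that later check is the one that actually enforces the policy and deserves a comment saying so, e.g. `# authoritative gate: never pass secrets to a build for a public base repo, whatever the stored flags say`. `edit_GET` begins before this hunk.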
|
||||
@ -56,14 +56,34 @@
|
|||
</div>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
{% if record.private %}
|
||||
<div class="alert alert-danger">
|
||||
<strong>Warning</strong>: Enable secrets for this hook with care. Anyone
|
||||
who can submit a pull request will be able to extract secrets from the
|
||||
build environment if you enable secrets for this repository.
|
||||
</div>
|
||||
{% endif %}
|
||||
<div class="form-check">
|
||||
{% if not record.private %}
|
||||
<input class="form-check-input" type="checkbox" disabled />
|
||||
<label class="form-check-label">
|
||||
<s>Include secrets in builds</s>
|
||||
</label>
|
||||
<small class="form-text text-muted">
|
||||
Secrets are disabled for pull requests.
|
||||
Secrets are disabled for pull requests on public repos.
|
||||
</small>
|
||||
{% else %}
|
||||
<input
|
||||
name="secrets"
|
||||
id="secrets"
|
||||
class="form-check-input"
|
||||
type="checkbox"
|
||||
{{"checked" if record.secrets else ""}}
|
||||
/>
|
||||
<label for="secrets" class="form-check-label">
|
||||
Include secrets in builds
|
||||
</label>
|
||||
{% endif %}
|
||||
</div>
|
||||
</div>
|
||||
{% endif %}
|
||||
|
@ -72,3 +92,8 @@
|
|||
{{icon("caret-right")}}
|
||||
</button>
|
||||
</form>
|
||||
{% if saved %}
|
||||
<div class="alert alert-success">
|
||||
Changes saved.
|
||||
</div>
|
||||
{% endif %}
|
||||