Add support for secrets to private repos PRs

config.example.ini

@@ -9,6 +9,9 @@ site-info=https://sourcehut.org
 # {{ site-name }}, {{ site-blurb }}
 site-blurb=the hacker's forge
 #
+# If this != production, we add a banner to each page
+environment=development
+#
 # Contact information for the site owners
 owner-name=Drew DeVault
 owner-email=sir@cmpwn.com

dispatchsrht-migrate

@@ -3,4 +3,3 @@ import dispatchsrht.alembic
 import srht.alembic
 from srht.database import alembic
 alembic("dispatch.sr.ht", dispatchsrht.alembic)
-alembic("dispatch.sr.ht", srht.alembic)

dispatchsrht/alembic/versions/986fd25d5184_add_secrets_to_github_prs.py

@@ -0,0 +1,26 @@
+"""Add secrets to GitHub PRs
+
+Revision ID: 986fd25d5184
+Revises: 5ad9b51c90f5
+Create Date: 2019-06-21 10:36:22.290121
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '986fd25d5184'
+down_revision = '5ad9b51c90f5'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade():
+    op.add_column('github_pr_to_build', sa.Column('private',
+            sa.Boolean, nullable=False, server_default='f'))
+    op.add_column('github_pr_to_build', sa.Column('secrets',
+            sa.Boolean, nullable=False, server_default='f'))
+
+
+def downgrade():
+    op.add_drop('github_pr_to_build', 'private')
+    op.add_drop('github_pr_to_build', 'secrets')

dispatchsrht/blueprints/html.py

@@ -1,4 +1,5 @@
 from flask import Blueprint, render_template, request, redirect, url_for, abort
+from flask import session
 from flask_login import current_user
 from srht.config import cfg
 from srht.database import db

dispatchsrht/tasks/github/github_pr_to_build.py

@@ -2,6 +2,7 @@ import sqlalchemy as sa
 import sqlalchemy_utils as sau
 from github import Github
 from flask import Blueprint, redirect, request, render_template, url_for, abort
+from flask import session
 from flask_login import current_user
 from jinja2 import Markup
 from uuid import UUID, uuid4
@@ -46,6 +47,8 @@ class GitHubPRToBuild(TaskDef):
         repo = sa.Column(sa.Unicode(1024), nullable=False)
         github_webhook_id = sa.Column(sa.Integer, nullable=False)
         automerge = sa.Column(sa.Boolean, nullable=False, server_default='f')
+        private = sa.Column(sa.Boolean, nullable=False, server_default='f')
+        secrets = sa.Column(sa.Boolean, nullable=False, server_default='f')
 
     blueprint = Blueprint("github_pr_to_build",
             __name__, template_folder="github_pr_to_build")
@@ -56,7 +59,19 @@ class GitHubPRToBuild(TaskDef):
         ).one_or_none()
         if not record:
             abort(404)
-        return render_template("github/edit.html", task=task, record=record)
+        auth = GitHubAuthorization.query.filter(
+            GitHubAuthorization.user_id == current_user.id
+        ).first()
+        github = Github(auth.oauth_token)
+        repo = github.get_repo(record.repo)
+        if repo.private != record.private:
+            record.private = repo.private
+            if not repo.private:
+                record.secrets = False
+            db.session.commit()
+        saved = session.pop("saved", False)
+        return render_template("github/edit.html",
+                task=task, record=record, saved=saved)
 
     def edit_POST(task):
         record = GitHubPRToBuild._GitHubPRToBuildRecord.query.filter(
@@ -64,8 +79,13 @@ class GitHubPRToBuild(TaskDef):
         ).one_or_none()
         valid = Validation(request)
         automerge = valid.optional("automerge", cls=bool, default=False)
+        secrets = valid.optional("secrets", cls=bool, default=False)
         record.automerge = bool(automerge)
+        record.secrets = bool(secrets)
+        if not record.private:
+            record.secrets = False
         db.session.commit()
+        session["saved"] = True
         return redirect(url_for("html.edit_task", task_id=task.id))
 
     @csrf_bypass
@@ -94,8 +114,11 @@ class GitHubPRToBuild(TaskDef):
             return (
                 "You have not authorized us to access your GitHub account", 401
             )
+        secrets = hook.secrets
+        if not base_repo["private"]:
+            secrets = False
         return submit_build(hook, head_repo, head, base_repo,
-                secrets=False, extras={
+                secrets=secrets, extras={
                     "automerge": hook.automerge, 
                     "pr": pr["number"]
                 }, env={
@@ -141,6 +164,7 @@ class GitHubPRToBuild(TaskDef):
         record.task_id = task.id
         record.github_webhook_id = -1
         record.repo = repo.full_name
+        record.private = repo.private
         db.session.add(record)
         db.session.flush()
         hook = repo.create_hook("web", {

dispatchsrht/templates/github/edit.html

@@ -56,14 +56,34 @@
     </div>
   </div>
   <div class="form-group">
+    {% if record.private %}
+    <div class="alert alert-danger">
+      <strong>Warning</strong>: Enable secrets for this hook with care. Anyone
+      who can submit a pull request will be able to extract secrets from the
+      build environment if you enable secrets for this repository.
+    </div>
+    {% endif %}
     <div class="form-check">
+      {% if not record.private %}
       <input class="form-check-input" type="checkbox" disabled />
       <label class="form-check-label">
         <s>Include secrets in builds</s>
       </label>
       <small class="form-text text-muted">
-        Secrets are disabled for pull requests.
+        Secrets are disabled for pull requests on public repos.
       </small>
+      {% else %}
+      <input
+        name="secrets"
+        id="secrets"
+        class="form-check-input"
+        type="checkbox"
+        {{"checked" if record.secrets else ""}}
+      />
+      <label for="secrets" class="form-check-label">
+        Include secrets in builds
+      </label>
+      {% endif %}
     </div>
   </div>
   {% endif %}
@@ -72,3 +92,8 @@
     {{icon("caret-right")}}
   </button>
 </form>
+{% if saved %}
+<div class="alert alert-success">
+  Changes saved.
+</div>
+{% endif %}