Add support for secrets to private repos PRs
parent
e4b9f89a68
commit
e140b7ef21
|
@ -9,6 +9,9 @@ site-info=https://sourcehut.org
|
||||||
# {{ site-name }}, {{ site-blurb }}
|
# {{ site-name }}, {{ site-blurb }}
|
||||||
site-blurb=the hacker's forge
|
site-blurb=the hacker's forge
|
||||||
#
|
#
|
||||||
|
# If this != production, we add a banner to each page
|
||||||
|
environment=development
|
||||||
|
#
|
||||||
# Contact information for the site owners
|
# Contact information for the site owners
|
||||||
owner-name=Drew DeVault
|
owner-name=Drew DeVault
|
||||||
owner-email=sir@cmpwn.com
|
owner-email=sir@cmpwn.com
|
||||||
|
|
|
@ -3,4 +3,3 @@ import dispatchsrht.alembic
|
||||||
import srht.alembic
|
import srht.alembic
|
||||||
from srht.database import alembic
|
from srht.database import alembic
|
||||||
alembic("dispatch.sr.ht", dispatchsrht.alembic)
|
alembic("dispatch.sr.ht", dispatchsrht.alembic)
|
||||||
alembic("dispatch.sr.ht", srht.alembic)
|
|
||||||
|
|
|
@ -0,0 +1,26 @@
|
||||||
|
"""Add secrets to GitHub PRs
|
||||||
|
|
||||||
|
Revision ID: 986fd25d5184
|
||||||
|
Revises: 5ad9b51c90f5
|
||||||
|
Create Date: 2019-06-21 10:36:22.290121
|
||||||
|
|
||||||
|
"""
|
||||||
|
|
||||||
|
# revision identifiers, used by Alembic.
|
||||||
|
revision = '986fd25d5184'
|
||||||
|
down_revision = '5ad9b51c90f5'
|
||||||
|
|
||||||
|
from alembic import op
|
||||||
|
import sqlalchemy as sa
|
||||||
|
|
||||||
|
|
||||||
|
def upgrade():
|
||||||
|
op.add_column('github_pr_to_build', sa.Column('private',
|
||||||
|
sa.Boolean, nullable=False, server_default='f'))
|
||||||
|
op.add_column('github_pr_to_build', sa.Column('secrets',
|
||||||
|
sa.Boolean, nullable=False, server_default='f'))
|
||||||
|
|
||||||
|
|
||||||
|
def downgrade():
|
||||||
|
op.add_drop('github_pr_to_build', 'private')
|
||||||
|
op.add_drop('github_pr_to_build', 'secrets')
|
|
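Review bot: `op.add_drop` is not an Alembic `Operations` method, so the `downgrade()` at the bottom of this new migration will raise `AttributeError` the first time it is run; the intended calls are `op.drop_column('github_pr_to_build', 'secrets')` followed by `op.drop_column('github_pr_to_build', 'private')`. Because only `upgrade()` runs on deploy, the error surfaces during a rollback, which is the worst time to find it. Dropping the columns in the reverse order of their creation keeps the downgrade symmetric with `upgrade()`.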
@ -1,4 +1,5 @@
|
||||||
from flask import Blueprint, render_template, request, redirect, url_for, abort
|
from flask import Blueprint, render_template, request, redirect, url_for, abort
|
||||||
|
from flask import session
|
||||||
from flask_login import current_user
|
from flask_login import current_user
|
||||||
from srht.config import cfg
|
from srht.config import cfg
|
||||||
from srht.database import db
|
from srht.database import db
|
||||||
|
|
|
@ -2,6 +2,7 @@ import sqlalchemy as sa
|
||||||
import sqlalchemy_utils as sau
|
import sqlalchemy_utils as sau
|
||||||
from github import Github
|
from github import Github
|
||||||
from flask import Blueprint, redirect, request, render_template, url_for, abort
|
from flask import Blueprint, redirect, request, render_template, url_for, abort
|
||||||
|
from flask import session
|
||||||
from flask_login import current_user
|
from flask_login import current_user
|
||||||
from jinja2 import Markup
|
from jinja2 import Markup
|
||||||
from uuid import UUID, uuid4
|
from uuid import UUID, uuid4
|
||||||
|
@ -46,6 +47,8 @@ class GitHubPRToBuild(TaskDef):
|
||||||
repo = sa.Column(sa.Unicode(1024), nullable=False)
|
repo = sa.Column(sa.Unicode(1024), nullable=False)
|
||||||
github_webhook_id = sa.Column(sa.Integer, nullable=False)
|
github_webhook_id = sa.Column(sa.Integer, nullable=False)
|
||||||
automerge = sa.Column(sa.Boolean, nullable=False, server_default='f')
|
automerge = sa.Column(sa.Boolean, nullable=False, server_default='f')
|
||||||
|
private = sa.Column(sa.Boolean, nullable=False, server_default='f')
|
||||||
|
secrets = sa.Column(sa.Boolean, nullable=False, server_default='f')
|
||||||
|
|
||||||
blueprint = Blueprint("github_pr_to_build",
|
blueprint = Blueprint("github_pr_to_build",
|
||||||
__name__, template_folder="github_pr_to_build")
|
__name__, template_folder="github_pr_to_build")
|
||||||
|
@ -56,7 +59,19 @@ class GitHubPRToBuild(TaskDef):
|
||||||
).one_or_none()
|
).one_or_none()
|
||||||
if not record:
|
if not record:
|
||||||
abort(404)
|
abort(404)
|
||||||
return render_template("github/edit.html", task=task, record=record)
|
auth = GitHubAuthorization.query.filter(
|
||||||
|
GitHubAuthorization.user_id == current_user.id
|
||||||
|
).first()
|
||||||
|
github = Github(auth.oauth_token)
|
||||||
|
repo = github.get_repo(record.repo)
|
||||||
|
if repo.private != record.private:
|
||||||
|
record.private = repo.private
|
||||||
|
if not repo.private:
|
||||||
|
record.secrets = False
|
||||||
|
db.session.commit()
|
||||||
|
saved = session.pop("saved", False)
|
||||||
|
return render_template("github/edit.html",
|
||||||
|
task=task, record=record, saved=saved)
|
||||||
|
|
||||||
def edit_POST(task):
|
def edit_POST(task):
|
||||||
record = GitHubPRToBuild._GitHubPRToBuildRecord.query.filter(
|
record = GitHubPRToBuild._GitHubPRToBuildRecord.query.filter(
|
||||||
|
@ -64,8 +79,13 @@ class GitHubPRToBuild(TaskDef):
|
||||||
).one_or_none()
|
).one_or_none()
|
||||||
valid = Validation(request)
|
valid = Validation(request)
|
||||||
automerge = valid.optional("automerge", cls=bool, default=False)
|
automerge = valid.optional("automerge", cls=bool, default=False)
|
||||||
|
secrets = valid.optional("secrets", cls=bool, default=False)
|
||||||
record.automerge = bool(automerge)
|
record.automerge = bool(automerge)
|
||||||
|
record.secrets = bool(secrets)
|
||||||
|
if not record.private:
|
||||||
|
record.secrets = False
|
||||||
db.session.commit()
|
db.session.commit()
|
||||||
|
session["saved"] = True
|
||||||
return redirect(url_for("html.edit_task", task_id=task.id))
|
return redirect(url_for("html.edit_task", task_id=task.id))
|
||||||
|
|
||||||
@csrf_bypass
|
@csrf_bypass
|
||||||
|
@ -94,8 +114,11 @@ class GitHubPRToBuild(TaskDef):
|
||||||
return (
|
return (
|
||||||
"You have not authorized us to access your GitHub account", 401
|
"You have not authorized us to access your GitHub account", 401
|
||||||
)
|
)
|
||||||
|
secrets = hook.secrets
|
||||||
|
if not base_repo["private"]:
|
||||||
|
secrets = False
|
||||||
return submit_build(hook, head_repo, head, base_repo,
|
return submit_build(hook, head_repo, head, base_repo,
|
||||||
secrets=False, extras={
|
secrets=secrets, extras={
|
||||||
"automerge": hook.automerge,
|
"automerge": hook.automerge,
|
||||||
"pr": pr["number"]
|
"pr": pr["number"]
|
||||||
}, env={
|
}, env={
|
||||||
|
@ -141,6 +164,7 @@ class GitHubPRToBuild(TaskDef):
|
||||||
record.task_id = task.id
|
record.task_id = task.id
|
||||||
record.github_webhook_id = -1
|
record.github_webhook_id = -1
|
||||||
record.repo = repo.full_name
|
record.repo = repo.full_name
|
||||||
|
record.private = repo.private
|
||||||
db.session.add(record)
|
db.session.add(record)
|
||||||
db.session.flush()
|
db.session.flush()
|
||||||
hook = repo.create_hook("web", {
|
hook = repo.create_hook("web", {
|
||||||
|
|
|
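Review bot: In the edit_GET hunk (`@ -56,7 +59,19`), `auth` is the result of `.first()` and is dereferenced as `auth.oauth_token` with no None check, so a user whose GitHub authorization row is missing gets a 500 here while the webhook handler further down returns a 401 for the same condition; guard it with `if not auth:` / `abort(401)` before `github = Github(auth.oauth_token)`. The following `github.get_repo(record.repo)` can likewise fail if the repository was deleted or the token was revoked, which presumably should not take the edit page down with it. This GET handler now also writes `record.private`/`record.secrets` and commits, so merely viewing the page mutates state; that is tolerable as a cache refresh, but the gate that actually matters for secret exposure is the `base_repo["private"]` check in the webhook hunk, which re-derives privacy from the PR payload at build time instead of trusting the cached column, and edit_POST's `if not record.private` check should be understood as UI-level only. `edit_GET` begins above the hunk.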
@ -56,14 +56,34 @@
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
<div class="form-group">
|
<div class="form-group">
|
||||||
|
{% if record.private %}
|
||||||
|
<div class="alert alert-danger">
|
||||||
|
<strong>Warning</strong>: Enable secrets for this hook with care. Anyone
|
||||||
|
who can submit a pull request will be able to extract secrets from the
|
||||||
|
build environment if you enable secrets for this repository.
|
||||||
|
</div>
|
||||||
|
{% endif %}
|
||||||
<div class="form-check">
|
<div class="form-check">
|
||||||
|
{% if not record.private %}
|
||||||
<input class="form-check-input" type="checkbox" disabled />
|
<input class="form-check-input" type="checkbox" disabled />
|
||||||
<label class="form-check-label">
|
<label class="form-check-label">
|
||||||
<s>Include secrets in builds</s>
|
<s>Include secrets in builds</s>
|
||||||
</label>
|
</label>
|
||||||
<small class="form-text text-muted">
|
<small class="form-text text-muted">
|
||||||
Secrets are disabled for pull requests.
|
Secrets are disabled for pull requests on public repos.
|
||||||
</small>
|
</small>
|
||||||
|
{% else %}
|
||||||
|
<input
|
||||||
|
name="secrets"
|
||||||
|
id="secrets"
|
||||||
|
class="form-check-input"
|
||||||
|
type="checkbox"
|
||||||
|
{{"checked" if record.secrets else ""}}
|
||||||
|
/>
|
||||||
|
<label for="secrets" class="form-check-label">
|
||||||
|
Include secrets in builds
|
||||||
|
</label>
|
||||||
|
{% endif %}
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -72,3 +92,8 @@
|
||||||
{{icon("caret-right")}}
|
{{icon("caret-right")}}
|
||||||
</button>
|
</button>
|
||||||
</form>
|
</form>
|
||||||
|
{% if saved %}
|
||||||
|
<div class="alert alert-success">
|
||||||
|
Changes saved.
|
||||||
|
</div>
|
||||||
|
{% endif %}
|
||||||
|
|