~emersion/hottub

744dfe8f99456de69f5abd8774b01a433c9c4bba — Lixquid 7 months ago 362fefa
Includes auto-secrets on owner submitted jobs

Note that this requires the additional SECRETS:RO permission on the
OAuth or Personal Access Token used to communicate with sourcehut.
3 files changed, 11 insertions(+), 5 deletions(-)

M buildssrht/gql.go
M buildssrht/operations.graphql
M main.go
M buildssrht/gql.go => buildssrht/gql.go +2 -2
@@ 526,8 526,8 @@ type WebhookTriggerInput struct {
	Url string `json:"url"`
}

func SubmitJob(client *gqlclient.Client, ctx context.Context, manifest string, tags []string, note *string, includeSecrets bool, visibility Visibility) (submit *Job, err error) {
	op := gqlclient.NewOperation("mutation submitJob ($manifest: String!, $tags: [String!], $note: String, $includeSecrets: Boolean!, $visibility: Visibility!) {\n\tsubmit(manifest: $manifest, secrets: $includeSecrets, tags: $tags, note: $note, visibility: $visibility) {\n\t\tid\n\t\towner {\n\t\t\tcanonicalName\n\t\t}\n\t}\n}\n")
func SubmitJob(client *gqlclient.Client, ctx context.Context, manifest string, tags []string, note *string, includeSecrets *bool, visibility Visibility) (submit *Job, err error) {
	op := gqlclient.NewOperation("mutation submitJob ($manifest: String!, $tags: [String!], $note: String, $includeSecrets: Boolean, $visibility: Visibility!) {\n\tsubmit(manifest: $manifest, secrets: $includeSecrets, tags: $tags, note: $note, visibility: $visibility) {\n\t\tid\n\t\towner {\n\t\t\tcanonicalName\n\t\t}\n\t}\n}\n")
	op.Var("manifest", manifest)
	op.Var("tags", tags)
	op.Var("note", note)

M buildssrht/operations.graphql => buildssrht/operations.graphql +1 -1
@@ 1,4 1,4 @@
mutation submitJob($manifest: String!, $tags: [String!], $note: String, $includeSecrets: Boolean!, $visibility: Visibility!) {
mutation submitJob($manifest: String!, $tags: [String!], $note: String, $includeSecrets: Boolean, $visibility: Visibility!) {
    submit(manifest: $manifest, secrets: $includeSecrets, tags: $tags, note: $note, visibility: $visibility) {
        id
        owner {
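Review bot: Relaxing `$includeSecrets` from `Boolean!` to `Boolean` on the `submitJob` line means a caller that forgets to set it no longer fails validation; it silently gets whatever builds.sr.ht does for null, which the comment added in main.go calls automatic secrets. The zero value of the matching `*bool` parameter in buildssrht/gql.go is therefore the secrets-permitting choice rather than the safe one. I would document that above the mutation, for example `# $includeSecrets: null lets builds.sr.ht decide automatically; pass false for any job not submitted by the account owner`. The mutation body continues past the end of this hunk.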

M main.go => main.go +8 -2
@@ 507,8 507,14 @@ func startJob(ctx *checkSuiteContext, filename string) error {

[%v]: %v`, title, shortHash, commit.Author.GetName(), shortHash, commitURL)

	// TODO: use ctx.ownerSubmitted and token scope to enable secrets
	job, err := buildssrht.SubmitJob(ctx.srht.GQL, ctx, string(manifestBuf), tags, &note, false, visibility)
	// Use automatic secrets (nil) if the account owner submitted the job
	var includeSecrets *bool = nil
	if !ctx.ownerSubmitted {
		falseValue := false
		includeSecrets = &falseValue
	}

	job, err := buildssrht.SubmitJob(ctx.srht.GQL, ctx, string(manifestBuf), tags, &note, includeSecrets, visibility)
	if err != nil {
		var httpErr *gqlclient.HTTPError
		if errors.As(err, &httpErr) && httpErr.StatusCode == http.StatusForbidden {
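Review bot: With the new `if !ctx.ownerSubmitted` check, that flag becomes the only gate on whether the owner's build secrets can reach a job whose manifest comes from `manifestBuf`, and neither the flag's computation nor the manifest's origin is visible in this hunk (startJob begins and ends outside it). I would state the invariant next to the check, for example `// ownerSubmitted must be false whenever the manifest or commits come from anyone but the account owner`, and confirm the code that sets it upholds that for pull requests from forks. `var includeSecrets *bool = nil` can be written `var includeSecrets *bool`. The commit message says the token now needs SECRETS:RO; it is not clear from here whether a token without that scope lands in the `http.StatusForbidden` branch below, so owner-submitted jobs on an existing install may start failing until the token is reissued.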