
e140b7ef212251db703209f02c6a3312c56ac497 — Drew DeVault 9 months ago e4b9f89 0.10.0
Add support for secrets to private repos PRs
M config.example.ini => config.example.ini +3 -0
@@ 9,6 9,9 @@ site-info=https://sourcehut.org
# {{ site-name }}, {{ site-blurb }}
site-blurb=the hacker's forge
#
# If this != production, we add a banner to each page
environment=development
#
# Contact information for the site owners
owner-name=Drew DeVault
owner-email=sir@cmpwn.com

M dispatchsrht-migrate => dispatchsrht-migrate +0 -1
@@ 3,4 3,3 @@ import dispatchsrht.alembic
import srht.alembic
from srht.database import alembic
alembic("dispatch.sr.ht", dispatchsrht.alembic)
alembic("dispatch.sr.ht", srht.alembic)

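--- a/dispatchsrht/alembic/versions/986fd25d5184_add_secrets_to_github_prs.py
+++ b/dispatchsrht/alembic/versions/986fd25d5184_add_secrets_to_github_prs.py
@@ -0,0 +1,26 @@
+"""Add secrets to GitHub PRs
+
+Revision ID: 986fd25d5184
+Revises: 5ad9b51c90f5
+Create Date: 2019-06-21 10:36:22.290121
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '986fd25d5184'
+down_revision = '5ad9b51c90f5'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade():
+    op.add_column('github_pr_to_build', sa.Column('private',
+            sa.Boolean, nullable=False, server_default='f'))
+    op.add_column('github_pr_to_build', sa.Column('secrets',
+            sa.Boolean, nullable=False, server_default='f'))
+
+
+def downgrade():
+    op.add_drop('github_pr_to_build', 'private')
+    op.add_drop('github_pr_to_build', 'secrets')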
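Review bot: downgrade() calls op.add_drop, which is not an Alembic operation, so running this revision downward fails with AttributeError before either column is removed; the intended calls are `op.drop_column('github_pr_to_build', 'private')` and `op.drop_column('github_pr_to_build', 'secrets')`. The upgrade side looks right: both new columns are NOT NULL with server_default='f', so every existing hook row starts with secrets disabled, which is the safe default for a feature that exposes build secrets to pull-request authors.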

M dispatchsrht/blueprints/html.py => dispatchsrht/blueprints/html.py +1 -0
@@ 1,4 1,5 @@
from flask import Blueprint, render_template, request, redirect, url_for, abort
from flask import session
from flask_login import current_user
from srht.config import cfg
from srht.database import db

M dispatchsrht/tasks/github/github_pr_to_build.py => dispatchsrht/tasks/github/github_pr_to_build.py +26 -2
@@ 2,6 2,7 @@ import sqlalchemy as sa
import sqlalchemy_utils as sau
from github import Github
from flask import Blueprint, redirect, request, render_template, url_for, abort
from flask import session
from flask_login import current_user
from jinja2 import Markup
from uuid import UUID, uuid4


@@ 46,6 47,8 @@ class GitHubPRToBuild(TaskDef):
        repo = sa.Column(sa.Unicode(1024), nullable=False)
        github_webhook_id = sa.Column(sa.Integer, nullable=False)
        automerge = sa.Column(sa.Boolean, nullable=False, server_default='f')
        private = sa.Column(sa.Boolean, nullable=False, server_default='f')
        secrets = sa.Column(sa.Boolean, nullable=False, server_default='f')

    blueprint = Blueprint("github_pr_to_build",
            __name__, template_folder="github_pr_to_build")


@@ 56,7 59,19 @@ class GitHubPRToBuild(TaskDef):
        ).one_or_none()
        if not record:
            abort(404)
        return render_template("github/edit.html", task=task, record=record)
        auth = GitHubAuthorization.query.filter(
            GitHubAuthorization.user_id == current_user.id
        ).first()
        github = Github(auth.oauth_token)
        repo = github.get_repo(record.repo)
        if repo.private != record.private:
            record.private = repo.private
            if not repo.private:
                record.secrets = False
            db.session.commit()
        saved = session.pop("saved", False)
        return render_template("github/edit.html",
                task=task, record=record, saved=saved)

    def edit_POST(task):
        record = GitHubPRToBuild._GitHubPRToBuildRecord.query.filter(


@@ 64,8 79,13 @@ class GitHubPRToBuild(TaskDef):
        ).one_or_none()
        valid = Validation(request)
        automerge = valid.optional("automerge", cls=bool, default=False)
        secrets = valid.optional("secrets", cls=bool, default=False)
        record.automerge = bool(automerge)
        record.secrets = bool(secrets)
        if not record.private:
            record.secrets = False
        db.session.commit()
        session["saved"] = True
        return redirect(url_for("html.edit_task", task_id=task.id))

    @csrf_bypass


@@ 94,8 114,11 @@ class GitHubPRToBuild(TaskDef):
            return (
                "You have not authorized us to access your GitHub account", 401
            )
        secrets = hook.secrets
        if not base_repo["private"]:
            secrets = False
        return submit_build(hook, head_repo, head, base_repo,
                secrets=False, extras={
                secrets=secrets, extras={
                    "automerge": hook.automerge, 
                    "pr": pr["number"]
                }, env={


@@ 141,6 164,7 @@ class GitHubPRToBuild(TaskDef):
        record.task_id = task.id
        record.github_webhook_id = -1
        record.repo = repo.full_name
        record.private = repo.private
        db.session.add(record)
        db.session.flush()
        hook = repo.create_hook("web", {
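Review bot: In edit_GET, `auth` is obtained with `.first()` and can be None, but the very next line reads `auth.oauth_token` unchecked, so a user who has not linked GitHub gets a 500 instead of the 401 that the webhook handler returns further down ("You have not authorized us to access your GitHub account"); add a guard before building the client, e.g. `if not auth: abort(401)`. The same handler now makes a GitHub API call and a db.session.commit() on every page view; that re-sync is what keeps record.private honest after a repo is flipped to public, but a write on GET deserves a comment saying why, e.g. `# Re-read visibility from GitHub so secrets cannot stay enabled on a repo that has since become public`. The enclosing edit_GET starts above the hunk, outside what is shown here.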

M dispatchsrht/templates/github/edit.html => dispatchsrht/templates/github/edit.html +26 -1
@@ 56,14 56,34 @@
    </div>
  </div>
  <div class="form-group">
    {% if record.private %}
    <div class="alert alert-danger">
      <strong>Warning</strong>: Enable secrets for this hook with care. Anyone
      who can submit a pull request will be able to extract secrets from the
      build environment if you enable secrets for this repository.
    </div>
    {% endif %}
    <div class="form-check">
      {% if not record.private %}
      <input class="form-check-input" type="checkbox" disabled />
      <label class="form-check-label">
        <s>Include secrets in builds</s>
      </label>
      <small class="form-text text-muted">
        Secrets are disabled for pull requests.
        Secrets are disabled for pull requests on public repos.
      </small>
      {% else %}
      <input
        name="secrets"
        id="secrets"
        class="form-check-input"
        type="checkbox"
        {{"checked" if record.secrets else ""}}
      />
      <label for="secrets" class="form-check-label">
        Include secrets in builds
      </label>
      {% endif %}
    </div>
  </div>
  {% endif %}


@@ 72,3 92,8 @@
    {{icon("caret-right")}}
  </button>
</form>
{% if saved %}
<div class="alert alert-success">
  Changes saved.
</div>
{% endif %}