
hottub: Support passing build secrets to CI v1 APPLIED

delthas: 1
 Support passing build secrets to CI

 4 files changed, 54 insertions(+), 16 deletions(-)

[PATCH hottub] Support passing build secrets to CI Export this patch

---
 README.md            | 28 +++++++++++++++++++++-------
 main.go              | 21 +++++++++++++++++----
 static/style.css     |  9 +++++++--
 templates/index.html | 12 +++++++++---
 4 files changed, 54 insertions(+), 16 deletions(-)

diff --git a/README.md b/README.md
index 4a40f7f..bcd48e7 100644
--- a/README.md
+++ b/README.md
@@ -10,18 +10,32 @@ A [public instance] is available.

## Installation

1. Follow the [GitHub guide] to register an app suitable for the Checks API.
2. Set the GitHub app setup URL to `https://<domain>/post-install` and the
   webhook URL to `https://<domain>/webhook`.
3. Grab the GitHub app ID and webhook secret (optional for local development).
1. Follow the [GitHub guide] to register an app suitable for the Checks API:
   - Open the [Register a new app](https://github.com/settings/apps/new) page
   - Set a name and homepage URL
   - Leave the callback URL empty
   - Set the setup URL to `https://<domain>/post-install`
   - Set the webhook URL to `https://<domain>/webhook`
   - In *Repository permissions*, select:
     - Checks: Read and write
     - Commit statuses: Read and write
     - Contents: Read-only
     - Metadata: Read-only
     - Pull requests: Read-only
   - In *Subscribe to events*, check:
     - Check run
     - Check suite
     - Pull request
2. Grab the GitHub app ID and webhook secret (optional for local development).
   Download a new PEM private key.
4. Start hottub:
3. Start hottub:

       hottub -gh-app-id <id> -gh-private-key <path> -gh-webhook-secret <secret>

Optionally, to improve the authorization flow, you can [register an sr.ht
OAuth2 client] and pass its credentials with `-srht-client-id` and
`-srht-client-secret`.
OAuth2 client] (setting the Redirection URI to
`https://<domain>/authorize-srht`) and pass its credentials with
`-metasrht-client-id` and `-metasrht-client-secret`.

## License

diff --git a/main.go b/main.go
index d61afd1..017eb01 100644
--- a/main.go
+++ b/main.go
@@ -33,6 +33,7 @@ const (
	monitorJobInterval   = 5 * time.Second
	monitorMaxRetries    = 10
	srhtGrants           = "builds.sr.ht/PROFILE:RO builds.sr.ht/JOBS:RW"
	srhtGrantsSecrets    = "builds.sr.ht/SECRETS:RO"
	maxJobsPerCheckSuite = 4
)

@@ -193,6 +194,13 @@ func main() {
			}
		}

		var scopes string
		if r.URL.Query().Get("state") == "enable_secrets" {
			scopes = srhtGrants + " " + srhtGrantsSecrets
		} else {
			scopes = srhtGrants
		}

		// If we have a sr.ht client setup, redirect to the sr.ht authorization
		// page
		if installation != nil && installation.SrhtToken == "" && srhtClientID != "" {
@@ -201,7 +209,7 @@ func main() {

			redirectURL := srhtOAuth2Client.AuthorizationCodeURL(&oauth2.AuthorizationOptions{
				State: state.Encode(),
				Scope: strings.Split(srhtGrants, " "),
				Scope: strings.Split(scopes, " "),
			})
			http.Redirect(w, r, redirectURL, http.StatusTemporaryRedirect)
			return
@@ -224,7 +232,7 @@ func main() {
		}{
			Pending:            installation == nil,
			Done:               installation != nil && installation.SrhtToken != "",
			SrhtGrants:         srhtGrants,
			SrhtGrants:         scopes,
			InstallSettingsURL: installSettingsURL,
		}
		if err := tpl.ExecuteTemplate(w, "post-install.html", &data); err != nil {
@@ -254,11 +262,16 @@ func main() {
			log.Printf("installation %v by %v", event.GetAction(), event.Sender.GetLogin())
			switch event.GetAction() {
			case "created":
				owner := event.Sender.GetLogin()
				org := event.Installation.GetAccount().GetLogin()
				if org == owner {
					org = ""
				}
				err = db.StoreInstallation(&Installation{
					ID:        *event.Installation.ID,
					CreatedAt: time.Now(),
					Owner:     event.Sender.GetLogin(),
					Org:       event.GetOrg().GetLogin(),
					Owner:     owner,
					Org:       org,
				})
			case "deleted":
				err = db.DeleteInstallation(*event.Installation.ID)
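Review bot: The SECRETS:RO grant is requested (L86–L91) purely on the strength of the `state` query parameter of the post-install request, which GitHub relays from the install form and which anyone can set by composing the URL by hand, so the sr.ht authorization page the user is redirected to is the only place the wider scope is actually confirmed. That is a reasonable design, but it deserves a comment at the `if`, e.g. `// "state" is relayed by GitHub from the install form and is not authenticated; the user confirms the requested scopes on the sr.ht authorization page.` The literal `"enable_secrets"` is now duplicated between this hunk and templates/index.html; a named constant next to `srhtGrantsSecrets` (first hunk, L78) would keep the two from drifting apart. The enclosing `main` function starts and ends outside the hunks.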
diff --git a/static/style.css b/static/style.css
index 7328829..85f880b 100644
--- a/static/style.css
+++ b/static/style.css
@@ -11,11 +11,16 @@ main {
	text-align: center;
	margin: 75px 0;
}
.install a {
	display: inline-block;
.install p {
	text-align: center;
}
.install-btn {
	display: block;
	text-decoration: none;
	color: white;
	background-color: #0070ff;
	padding: 15px;
	border-radius: 5px;
	border: none;
	margin-inline: auto;
}
diff --git a/templates/index.html b/templates/index.html
index 42661db..7f4f2e3 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -6,9 +6,15 @@

<p>hottub is a bridge to submit builds.sr.ht jobs from GitHub.</p>

<p class="install">
	<a href="{{ .App.HTMLURL }}/installations/new" class="install-btn">Install</a>
</p>
<div class="install">
	<form action="{{ .App.HTMLURL }}/installations/new">
		<button class="install-btn" type="submit">Install</button>
		<p>
			<input id="enable-secrets" type="checkbox" name="state" value="enable_secrets">
			<label for="enable-secrets"><small>Use build secrets</small></label>
		</p>
	</form>
</div>

<p><small>
	<a href="https://git.sr.ht/~emersion/hottub">Source code</a>
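Review bot: The checkbox label at L172 says only `Use build secrets`, which does not tell the user that ticking it makes hottub request read access to their builds.sr.ht secrets (the `SECRETS:RO` grant added in main.go); the consequence should be visible before the form is submitted. Consider `<label for="enable-secrets"><small>Use build secrets (grants hottub read access to your builds.sr.ht secrets)</small></label>`. Since the form has no `method` and therefore submits with GET, an unchecked box sends no `state` parameter at all, which is what the Go side relies on to fall back to the base grants; a short HTML comment above the `<input>` noting that the `name`/`value` pair is matched in main.go would keep that coupling from being lost in a later edit.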

base-commit: 2a8fbf0f5eb67fce4021270dec5362f9fa7d348c
-- 
2.46.2
I've split this up into 3 patches and pushed them. Thanks!