[PATCH hottub] Support passing build secrets to CI
---
README.md | 28 +++++++++++++++++++++-------
main.go | 21 +++++++++++++++++----
static/style.css | 9 +++++++--
templates/index.html | 12 +++++++++---
4 files changed, 54 insertions(+), 16 deletions(-)
diff --git a/README.md b/README.md
index 4a40f7f..bcd48e7 100644
--- a/README.md
+++ b/README.md
@@ -10,18 +10,32 @@ A [public instance] is available.
## Installation
-1. Follow the [GitHub guide] to register an app suitable for the Checks API.
-2. Set the GitHub app setup URL to `https://<domain>/post-install` and the
- webhook URL to `https://<domain>/webhook`.
-3. Grab the GitHub app ID and webhook secret (optional for local development).
+1. Follow the [GitHub guide] to register an app suitable for the Checks API:
+ - Open the [Register a new app](https://github.com/settings/apps/new) page
+ - Set a name and homepage URL
+ - Leave the callback URL empty
+ - Set the setup URL to `https://<domain>/post-install`
+ - Set the webhook URL to `https://<domain>/webhook`
+ - In *Repository permissions*, select:
+ - Checks: Read and write
+ - Commit statuses: Read and write
+ - Contents: Read-only
+ - Metadata: Read-only
+ - Pull requests: Read-only
+ - In *Subscribe to events*, check:
+ - Check run
+ - Check suite
+ - Pull request
+2. Grab the GitHub app ID and webhook secret (optional for local development).
Download a new PEM private key.
-4. Start hottub:
+3. Start hottub:
hottub -gh-app-id <id> -gh-private-key <path> -gh-webhook-secret <secret>
Optionally, to improve the authorization flow, you can [register an sr.ht
-OAuth2 client] and pass its credentials with `-srht-client-id` and
-`-srht-client-secret`.
+OAuth2 client] (setting the Redirection URI to
+`https://<domain>/authorize-srht`) and pass its credentials with
+`-metasrht-client-id` and `-metasrht-client-secret`.
## License
diff --git a/main.go b/main.go
index d61afd1..017eb01 100644
--- a/main.go
+++ b/main.go
@@ -33,6 +33,7 @@ const (
monitorJobInterval = 5 * time.Second
monitorMaxRetries = 10
srhtGrants = "builds.sr.ht/PROFILE:RO builds.sr.ht/JOBS:RW"
+ srhtGrantsSecrets = "builds.sr.ht/SECRETS:RO"
maxJobsPerCheckSuite = 4
)
@@ -193,6 +194,13 @@ func main() {
}
}
+ var scopes string
+ if r.URL.Query().Get("state") == "enable_secrets" {
+ scopes = srhtGrants + " " + srhtGrantsSecrets
+ } else {
+ scopes = srhtGrants
+ }
+
// If we have a sr.ht client setup, redirect to the sr.ht authorization
// page
if installation != nil && installation.SrhtToken == "" && srhtClientID != "" {
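Review bot: The request for the elevated `builds.sr.ht/SECRETS:RO` scope rests entirely on the `state` query parameter read at L62, and that value is whatever followed `?state=` on the link that started the GitHub install — the checkbox in templates/index.html is one source of it, but any crafted link carrying `state=enable_secrets` is another, so the sr.ht consent page is the only control on the extra scope and a comment should say so, e.g. `// "state" is untrusted (GitHub echoes it back from the install link); the user still has to approve the extra scope on the sr.ht authorization page.` The choice is also not recorded on the Installation, so nothing later can tell whether the stored token carries the secrets grant — if job submission elsewhere depends on that, persist the choice or check the token's grants rather than assuming. The literal `"enable_secrets"` is duplicated in templates/index.html; a named constant beside `srhtGrantsSecrets` would keep the two in step, and the `var`/`if`/`else` collapses to `scopes := srhtGrants` followed by `if r.URL.Query().Get("state") == "enable_secrets" { scopes += " " + srhtGrantsSecrets }`. The enclosing handler inside main continues on both sides of the hunk.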
@@ -201,7 +209,7 @@ func main() {
redirectURL := srhtOAuth2Client.AuthorizationCodeURL(&oauth2.AuthorizationOptions{
State: state.Encode(),
- Scope: strings.Split(srhtGrants, " "),
+ Scope: strings.Split(scopes, " "),
})
http.Redirect(w, r, redirectURL, http.StatusTemporaryRedirect)
return
@@ -224,7 +232,7 @@ func main() {
}{
Pending: installation == nil,
Done: installation != nil && installation.SrhtToken != "",
- SrhtGrants: srhtGrants,
+ SrhtGrants: scopes,
InstallSettingsURL: installSettingsURL,
}
if err := tpl.ExecuteTemplate(w, "post-install.html", &data); err != nil {
@@ -254,11 +262,16 @@ func main() {
log.Printf("installation %v by %v", event.GetAction(), event.Sender.GetLogin())
switch event.GetAction() {
case "created":
+ owner := event.Sender.GetLogin()
+ org := event.Installation.GetAccount().GetLogin()
+ if org == owner {
+ org = ""
+ }
err = db.StoreInstallation(&Installation{
ID: *event.Installation.ID,
CreatedAt: time.Now(),
- Owner: event.Sender.GetLogin(),
- Org: event.GetOrg().GetLogin(),
+ Owner: owner,
+ Org: org,
})
case "deleted":
err = db.DeleteInstallation(*event.Installation.ID)
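Review bot: Deciding whether an installation targets an organization by comparing the account login with the sender login (L92–L96) is a name heuristic, while the webhook payload states the target kind directly; go-github exposes it as `event.Installation.GetTargetType()` (`"User"` or `"Organization"`), so `if event.Installation.GetTargetType() != "Organization" { org = "" }` would make the stored `Org` reflect the actual target — worth confirming the field exists in the go-github version pinned in go.mod. If `Org` feeds any later authorization decision (who may re-authorize or submit jobs for this installation), a login match is the wrong basis for it. The surrounding webhook handler begins before the hunk.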
diff --git a/static/style.css b/static/style.css
index 7328829..85f880b 100644
--- a/static/style.css
+++ b/static/style.css
@@ -11,11 +11,16 @@ main {
text-align: center;
margin: 75px 0;
}
-.install a {
- display: inline-block;
+.install p {
+ text-align: center;
+}
+.install-btn {
+ display: block;
text-decoration: none;
color: white;
background-color: #0070ff;
padding: 15px;
border-radius: 5px;
+ border: none;
+ margin-inline: auto;
}
diff --git a/templates/index.html b/templates/index.html
index 42661db..7f4f2e3 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -6,9 +6,15 @@
<p>hottub is a bridge to submit builds.sr.ht jobs from GitHub.</p>
-<p class="install">
- <a href="{{ .App.HTMLURL }}/installations/new" class="install-btn">Install</a>
-</p>
+<div class="install">
+ <form action="{{ .App.HTMLURL }}/installations/new">
+ <button class="install-btn" type="submit">Install</button>
+ <p>
+ <input id="enable-secrets" type="checkbox" name="state" value="enable_secrets">
+ <label for="enable-secrets"><small>Use build secrets</small></label>
+ </p>
+ </form>
+</div>
<p><small>
<a href="https://git.sr.ht/~emersion/hottub">Source code</a>
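Review bot: The checkbox value `enable_secrets` (L143) must match the string compared in main.go's post-install handler, and nothing in the template ties the two together; a comment above the input such as `{{/* value must match the "state" check in main.go's post-install handler */}}` would stop a rename on either side from silently disabling the feature. The label "Use build secrets" also understates what ticking it does — it makes hottub request read access to the user's builds.sr.ht secrets — so something like `<label for="enable-secrets"><small>Use build secrets (hottub will request read access to your builds.sr.ht secrets)</small></label>` lets the user see that before the sr.ht consent page. The form relies on GitHub passing the `state` query parameter through to the setup URL, which is documented GitHub behaviour but deserves a one-line note next to the form.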
base-commit: 2a8fbf0f5eb67fce4021270dec5362f9fa7d348c
--
2.46.2
I've split up this into 3 patches and pushed them. Thanks!