mirror of
https://github.com/woodpecker-ci/woodpecker.git
synced 2025-01-11 01:55:27 +00:00
Allow to disable deployments (#3570)
…but if they're enabled, allow for all events. Also add warning that you should only enable it if you trust the users with push access. closes #3559 --------- Co-authored-by: Robert Kaussow <xoxys@rknet.org>
This commit is contained in:
qwerty287
GitHub
parent
a6e054f9fe
commit
eaf10611eb
9 changed files with 42 additions and 12 deletions
|
|
@ -4048,6 +4048,9 @@ const docTemplate = `{
|
||||||
"active": {
|
"active": {
|
||||||
"type": "boolean"
|
"type": "boolean"
|
||||||
},
|
},
|
||||||
|
"allow_deploy": {
|
||||||
|
"type": "boolean"
|
||||||
|
},
|
||||||
"allow_pr": {
|
"allow_pr": {
|
||||||
"type": "boolean"
|
"type": "boolean"
|
||||||
},
|
},
|
||||||
|
|
@ -4123,6 +4126,9 @@ const docTemplate = `{
|
||||||
"RepoPatch": {
|
"RepoPatch": {
|
||||||
"type": "object",
|
"type": "object",
|
||||||
"properties": {
|
"properties": {
|
||||||
|
"allow_deploy": {
|
||||||
|
"type": "boolean"
|
||||||
|
},
|
||||||
"allow_pr": {
|
"allow_pr": {
|
||||||
"type": "boolean"
|
"type": "boolean"
|
||||||
},
|
},
|
||||||
|
|
|
||||||
|
|
@ -16,6 +16,15 @@ Your Version-Control-System will notify Woodpecker about events via webhooks. If
|
||||||
|
|
||||||
Enables handling webhook's pull request event. If disabled, then pipeline won't run for pull requests.
|
Enables handling webhook's pull request event. If disabled, then pipeline won't run for pull requests.
|
||||||
|
|
||||||
|
## Allow deployments
|
||||||
|
|
||||||
|
Enables a pipeline to be started with the `deploy` event from a successful pipeline.
|
||||||
|
|
||||||
|
:::danger
|
||||||
|
Only activate this option if you trust all users who have push access to your repository.
|
||||||
|
Otherwise, these users will be able to steal secrets that are only available for `deploy` events.
|
||||||
|
:::
|
||||||
|
|
||||||
## Protected
|
## Protected
|
||||||
|
|
||||||
Every pipeline initiated by an webhook event needs to be approved by a project members with push permissions before being executed.
|
Every pipeline initiated by an webhook event needs to be approved by a project members with push permissions before being executed.
|
||||||
|
|
|
||||||
|
|
@ -407,23 +407,22 @@ func PostPipeline(c *gin.Context) {
|
||||||
refreshUserToken(c, user)
|
refreshUserToken(c, user)
|
||||||
|
|
||||||
// make Deploy overridable
|
// make Deploy overridable
|
||||||
pl.Deploy = c.DefaultQuery("deploy_to", pl.Deploy)
|
|
||||||
|
|
||||||
// make Event overridable to deploy
|
// make Event overridable to deploy
|
||||||
// TODO refactor to use own proper API for deploy
|
// TODO refactor to use own proper API for deploy
|
||||||
if event, ok := c.GetQuery("event"); ok {
|
if event, ok := c.GetQuery("event"); ok {
|
||||||
// only allow deploy from push, tag and release
|
|
||||||
if pl.Event != model.EventPush && pl.Event != model.EventTag && pl.Event != model.EventRelease {
|
|
||||||
_ = c.AbortWithError(http.StatusBadRequest, fmt.Errorf("can only deploy push, tag and release pipelines"))
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
pl.Event = model.WebhookEvent(event)
|
pl.Event = model.WebhookEvent(event)
|
||||||
|
|
||||||
if pl.Event != model.EventDeploy {
|
if pl.Event != model.EventDeploy {
|
||||||
_ = c.AbortWithError(http.StatusBadRequest, model.ErrInvalidWebhookEvent)
|
_ = c.AbortWithError(http.StatusBadRequest, model.ErrInvalidWebhookEvent)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if !repo.AllowDeploy {
|
||||||
|
_ = c.AbortWithError(http.StatusForbidden, fmt.Errorf("repo does not allow deployments"))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
pl.Deploy = c.DefaultQuery("deploy_to", pl.Deploy)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Read query string parameters into pipelineParams, exclude reserved params
|
// Read query string parameters into pipelineParams, exclude reserved params
|
||||||
|
|
|
||||||
|
|
@ -86,6 +86,7 @@ func PostRepo(c *gin.Context) {
|
||||||
} else {
|
} else {
|
||||||
repo = from
|
repo = from
|
||||||
repo.AllowPull = true
|
repo.AllowPull = true
|
||||||
|
repo.AllowDeploy = false
|
||||||
repo.NetrcOnlyTrusted = true
|
repo.NetrcOnlyTrusted = true
|
||||||
repo.CancelPreviousPipelineEvents = server.Config.Pipeline.DefaultCancelPreviousPipelineEvents
|
repo.CancelPreviousPipelineEvents = server.Config.Pipeline.DefaultCancelPreviousPipelineEvents
|
||||||
}
|
}
|
||||||
|
|
@ -223,6 +224,9 @@ func PatchRepo(c *gin.Context) {
|
||||||
if in.AllowPull != nil {
|
if in.AllowPull != nil {
|
||||||
repo.AllowPull = *in.AllowPull
|
repo.AllowPull = *in.AllowPull
|
||||||
}
|
}
|
||||||
|
if in.AllowDeploy != nil {
|
||||||
|
repo.AllowDeploy = *in.AllowDeploy
|
||||||
|
}
|
||||||
if in.IsGated != nil {
|
if in.IsGated != nil {
|
||||||
repo.IsGated = *in.IsGated
|
repo.IsGated = *in.IsGated
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -44,6 +44,7 @@ type Repo struct {
|
||||||
IsGated bool `json:"gated" xorm:"repo_gated"`
|
IsGated bool `json:"gated" xorm:"repo_gated"`
|
||||||
IsActive bool `json:"active" xorm:"repo_active"`
|
IsActive bool `json:"active" xorm:"repo_active"`
|
||||||
AllowPull bool `json:"allow_pr" xorm:"repo_allow_pr"`
|
AllowPull bool `json:"allow_pr" xorm:"repo_allow_pr"`
|
||||||
|
AllowDeploy bool `json:"allow_deploy" xorm:"repo_allow_deploy"`
|
||||||
Config string `json:"config_file" xorm:"varchar(500) 'repo_config_path'"`
|
Config string `json:"config_file" xorm:"varchar(500) 'repo_config_path'"`
|
||||||
Hash string `json:"-" xorm:"varchar(500) 'repo_hash'"`
|
Hash string `json:"-" xorm:"varchar(500) 'repo_hash'"`
|
||||||
Perm *Perm `json:"-" xorm:"-"`
|
Perm *Perm `json:"-" xorm:"-"`
|
||||||
|
|
@ -112,6 +113,7 @@ type RepoPatch struct {
|
||||||
Timeout *int64 `json:"timeout,omitempty"`
|
Timeout *int64 `json:"timeout,omitempty"`
|
||||||
Visibility *string `json:"visibility,omitempty"`
|
Visibility *string `json:"visibility,omitempty"`
|
||||||
AllowPull *bool `json:"allow_pr,omitempty"`
|
AllowPull *bool `json:"allow_pr,omitempty"`
|
||||||
|
AllowDeploy *bool `json:"allow_deploy,omitempty"`
|
||||||
CancelPreviousPipelineEvents *[]WebhookEvent `json:"cancel_previous_pipeline_events"`
|
CancelPreviousPipelineEvents *[]WebhookEvent `json:"cancel_previous_pipeline_events"`
|
||||||
NetrcOnlyTrusted *bool `json:"netrc_only_trusted"`
|
NetrcOnlyTrusted *bool `json:"netrc_only_trusted"`
|
||||||
} // @name RepoPatch
|
} // @name RepoPatch
|
||||||
|
|
|
||||||
|
|
@ -90,6 +90,10 @@
|
||||||
"allow": "Allow Pull Requests",
|
"allow": "Allow Pull Requests",
|
||||||
"desc": "Pipelines can run on pull requests."
|
"desc": "Pipelines can run on pull requests."
|
||||||
},
|
},
|
||||||
|
"allow_deploy": {
|
||||||
|
"allow": "Allow deployments",
|
||||||
|
"desc": "Allow deployments from successful pipelines. Only use if you trust all users with push access."
|
||||||
|
},
|
||||||
"protected": {
|
"protected": {
|
||||||
"protected": "Protected",
|
"protected": "Protected",
|
||||||
"desc": "Every pipeline needs to be approved before being executed."
|
"desc": "Every pipeline needs to be approved before being executed."
|
||||||
|
|
|
||||||
|
|
@ -29,6 +29,11 @@
|
||||||
:label="$t('repo.settings.general.allow_pr.allow')"
|
:label="$t('repo.settings.general.allow_pr.allow')"
|
||||||
:description="$t('repo.settings.general.allow_pr.desc')"
|
:description="$t('repo.settings.general.allow_pr.desc')"
|
||||||
/>
|
/>
|
||||||
|
<Checkbox
|
||||||
|
v-model="repoSettings.allow_deploy"
|
||||||
|
:label="$t('repo.settings.general.allow_deploy.allow')"
|
||||||
|
:description="$t('repo.settings.general.allow_deploy.desc')"
|
||||||
|
/>
|
||||||
<Checkbox
|
<Checkbox
|
||||||
v-model="repoSettings.gated"
|
v-model="repoSettings.gated"
|
||||||
:label="$t('repo.settings.general.protected.protected')"
|
:label="$t('repo.settings.general.protected.protected')"
|
||||||
|
|
@ -132,6 +137,7 @@ function loadRepoSettings() {
|
||||||
gated: repo.value.gated,
|
gated: repo.value.gated,
|
||||||
trusted: repo.value.trusted,
|
trusted: repo.value.trusted,
|
||||||
allow_pr: repo.value.allow_pr,
|
allow_pr: repo.value.allow_pr,
|
||||||
|
allow_deploy: repo.value.allow_deploy,
|
||||||
cancel_previous_pipeline_events: repo.value.cancel_previous_pipeline_events || [],
|
cancel_previous_pipeline_events: repo.value.cancel_previous_pipeline_events || [],
|
||||||
netrc_only_trusted: repo.value.netrc_only_trusted,
|
netrc_only_trusted: repo.value.netrc_only_trusted,
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -56,6 +56,8 @@ export type Repo = {
|
||||||
// Whether pull requests should trigger a pipeline.
|
// Whether pull requests should trigger a pipeline.
|
||||||
allow_pr: boolean;
|
allow_pr: boolean;
|
||||||
|
|
||||||
|
allow_deploy: boolean;
|
||||||
|
|
||||||
config_file: string;
|
config_file: string;
|
||||||
|
|
||||||
visibility: RepoVisibility;
|
visibility: RepoVisibility;
|
||||||
|
|
@ -84,6 +86,7 @@ export type RepoSettings = Pick<
|
||||||
| 'trusted'
|
| 'trusted'
|
||||||
| 'gated'
|
| 'gated'
|
||||||
| 'allow_pr'
|
| 'allow_pr'
|
||||||
|
| 'allow_deploy'
|
||||||
| 'cancel_previous_pipeline_events'
|
| 'cancel_previous_pipeline_events'
|
||||||
| 'netrc_only_trusted'
|
| 'netrc_only_trusted'
|
||||||
>;
|
>;
|
||||||
|
|
|
||||||
|
|
@ -45,10 +45,7 @@
|
||||||
@click="restartPipeline"
|
@click="restartPipeline"
|
||||||
/>
|
/>
|
||||||
<Button
|
<Button
|
||||||
v-if="
|
v-if="pipeline.status === 'success' && repo.allow_deploy"
|
||||||
pipeline.status === 'success' &&
|
|
||||||
(pipeline.event === 'push' || pipeline.event === 'tag' || pipeline.event === 'release')
|
|
||||||
"
|
|
||||||
class="flex-shrink-0"
|
class="flex-shrink-0"
|
||||||
:text="$t('repo.pipeline.actions.deploy')"
|
:text="$t('repo.pipeline.actions.deploy')"
|
||||||
@click="showDeployPipelinePopup = true"
|
@click="showDeployPipelinePopup = true"
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue