-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathwebhook.github.php
More file actions
175 lines (153 loc) · 6.79 KB
/
webhook.github.php
File metadata and controls
175 lines (153 loc) · 6.79 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
<?php
/**
* projectr
* Tools for deployments and project management
*
* GitHub frontend for deployments
*
* @author Lukas Bestle <project-projectr@lukasbestle.com>
* @copyright Copyright 2014 Lukas Bestle
* @license MIT
* @file webhook.github.php
*/
// 1. Configuration
// ====================
// Secret used as authentication (you have to set this in the GitHub project settings as well)
// ATTENTION: Make sure this is long and secure, as anyone could checkout any commit of your projects otherwise
define('SECRET', '<long token>');
// Path where you installed the scripts from the "bin" directory of this repository
// This is required, as PHP doesn't automatically use the environment and therefore your $PATH from your shell
define('TOOLKIT_PATH', '/home/<user>/bin');
// 2. Setup
// ====================
/**
* This is an example webhook for GitHub projects.
* It's fairly simple to set this script up on your server/Uberspace, here's how:
*
* 1. Setup the toolkit, so you can access the tools from your SSH shell (more about that in README.md)
* 2. Take a look at the settings above.
* 2.1. Seriously, have you set a secret? Yes? Alright.
* 3. Place this script in a directory in ~/web/ (something like "~/web/hooks.example.com")
* 4. You should now be able to access https://hooks.example.com/webhook.github.php
* This should output "Web hook event (X-Github-Event header) is missing from request.".
*
* Now you can create projects and let this script deploy them for you:
*
* 5. If your project is a private repository:
* 5.1. Generate an SSH key by using `ssh-keygen`. The default values are alright for this purpose.
* 5.2. Copy the contents of `~/.ssh/id_rsa.pub` to your clipboard and add it as "Deploy Key" in your project's GitHub settings interface.
* 6. Create the project on the server by running either `project_add <path> <exact HTTPS clone url from GitHub>#<branch to deploy>` or
* `site_add <name> <exact HTTPS clone url from GitHub>#<branch to deploy>`.
* It's important to use the exact HTTPS url (not the SSH one) so this script can find the project!
* 7. Add the URL (the one you tested in 4.) of the script to your project's web hooks.
* Make sure to add the secret configured above and select "Just the push event".
* 8. GitHub now sends a "ping" event, which is ignored by this script. To test if it everything works, push some code to your GitHub repository.
*
* Troubleshooting:
* - Use `tail -f <path to project>/logs/*.log`. This should tell you what went wrong.
* - Check if the TOOLKIT_PATH you set above is correct.
* - Check if you set the origin of your project to the correct URL.
* - Open the web hook URL you entered in GitHub in your browser and check if the output is "Web hook event (X-Github-Event header) is missing from request.".
* - Click on the pen icon next to your web hook in GitHub's settings interface. You should see a list of "deliveries".
* You can find the exact error message from this script in the "Response" tab of the delivery.
*/
// 3. Done
// The code starts here
// ====================
// We are always returning plain text
header('Content-Type: text/plain');
// Check if a secret has been set
if (SECRET === '<long token>') {
http_response_code(500);
die('No secret has been set in ' . basename(__FILE__) . ". This script won't work without one.");
}
// Check which event this is
if (isset($_SERVER['HTTP_X_GITHUB_EVENT']) !== true) {
http_response_code(400);
die('Web hook event (X-Github-Event header) is missing from request.');
}
$event = $_SERVER['HTTP_X_GITHUB_EVENT'];
switch ($event) {
case 'ping':
die('Received ping event, ignoring.');
break;
case 'push':
echo "Received push event.\n";
break;
default:
http_response_code(400);
die("Received $event event, ignoring.");
}
// Get the request body
$input = false;
switch ($_SERVER['CONTENT_TYPE']) {
case 'application/json':
echo "Received JSON data in body.\n";
$input = file_get_contents('php://input');
break;
case 'application/x-www-form-urlencoded':
echo "Received URL-encoded form data in body.\n";
$input = (isset($_POST['payload']) === true)? $_POST['payload'] : '';
break;
default:
http_response_code(400);
die("Don't know what to do with {$_SERVER['CONTENT_TYPE']} content type.");
}
if (!$input) {
http_response_code(400);
die('No POST body sent.');
}
// Check if the authentication is valid
if (isset($_SERVER['HTTP_X_HUB_SIGNATURE']) !== true) {
http_response_code(401);
die("Secret (X-Hub-Signature header) is missing from request. Have you set a secret in GitHub's project settings?");
}
if (hash_equals('sha1=' . hash_hmac('sha1', $input, SECRET, false), $_SERVER['HTTP_X_HUB_SIGNATURE']) !== true) {
http_response_code(403);
die('Secret (X-Hub-Signature header) is wrong or does not match request body.');
}
// Parse payload
$payload = json_decode($input, true);
if (is_array($payload) !== true) {
http_response_code(400);
die('Invalid payload (no JSON?).');
}
// Get some interesting information from the payload
$url = $payload['repository']['clone_url'];
$commit = $payload['after'];
$ref = $payload['ref'];
if (preg_match('{(?:.*/){2}(.*)}', $ref, $matches) !== 1) {
http_response_code(400);
die('Invalid ref field (does not match regular expression "(?:.*/){2}(.*)").');
}
$branch = $matches[1];
// Debug
echo "Received commit hash \"$commit\" for repository URL \"$url\" (branch \"$branch\").\n";
// Determine the path to the projects file
$xdgProjectsFile = ($_ENV['XDG_CONFIG_HOME'] ?? ($_SERVER['HOME'] . '/.config')) . '/projectr/projects';
$projectsFile = is_file($xdgProjectsFile) === true ? $xdgProjectsFile : $_SERVER['HOME'] . '/.projects';
// Open the projects file and iterate through every project
$listPointer = fopen($projectsFile, 'r');
$exitCode = 0;
while (($project = fgets($listPointer)) !== false) {
// Trim whitespace
$project = trim($project);
// Only deployable projects are interesting for us
if (is_file($project . '/.origin') !== true || is_file($project . '/.branch') !== true) {
continue;
}
// If there is a .origin and .branch file, check if they match
if (trim(file_get_contents($project . '/.origin')) === $url && trim(file_get_contents($project . '/.branch')) === $branch) {
// Found the right project
echo "Found project at $project, running deploy script.\n";
// Run deploy script (in the background, because GitHub doesn't like responses > 30sec)
passthru('export PATH=' . escapeshellarg(TOOLKIT_PATH) . ':$PATH; project_deploy ' . escapeshellarg($project) . ' ' . escapeshellarg($commit) . ' &> /dev/null &', $exitCode);
// If it didn't work, add debug statement
if ($exitCode !== 0) {
echo "Something didn't work.\n";
}
}
}
// Iterated through every project, exit
http_response_code(($exitCode === 0)? 200 : 500);
die('All done.');