diff --git a/lib/github/default.nix b/lib/github/default.nix
index 345426ad..b4f89bc1 100644
--- a/lib/github/default.nix
+++ b/lib/github/default.nix
@@ -1,5 +1,6 @@
 utils:
 utils.importer "github" [
+ ./githubWebhook.nix
 ./mkGithubJobsets.nix
 ./mkGithubProject.nix
 ./mkGithubStatus.nix
diff --git a/lib/github/githubWebhook.nix b/lib/github/githubWebhook.nix
new file mode 100644
index 00000000..5a56e6a1
--- /dev/null
+++ b/lib/github/githubWebhook.nix
@@ -0,0 +1,38 @@
+utils: lib: let
+ inherit
+ (lib)
+ eachSystem
+ ;
+in {
+ githubWebhook = eachSystem (system: let
+ pkgs = utils.pkgs.${system};
+ in
+ pkgs.writeShellApplication {
+ name = "action";
+ runtimeInputs = [
+ pkgs.curl
+ pkgs.gnused
+ pkgs.jq
+ pkgs.openssl
+ ];
+ text = ''
+ input=$(cat)
+
+ headers=$(echo "$input" | jq '.input.headers')
+ body=$(echo "$input" | jq '.input.body' -r)
+ secret=$(echo "$input" | jq '.secrets.github_webhook_secret' -r)
+
+ event=$(echo "$headers" | jq '."X-GitHub-Event"' -r)
+ [ "$event" == "push" ] || exit 0
+
+ signatureSent=$(echo "$headers" | jq '."X-Hub-Signature-256"')
+ signatureComputed=$(echo -n "$body" | openssl dgst -sha256 -hmac "$secret" -binary | base64 -w 0)
+ [ "$signatureSent" == "$signatureComputed" ]
+
+ echo null | jq --argjson body "$body" '[]
+ | if $body.created or $body.deleted then . + [{"command":"UpdateJobsets"}] else . end
+ | if $body.deleted | not then . + [{"command":"EvaluateJobset","jobset":$body.ref|split("/")|.[2]}] else . end
+ | .'
+ '';
+ });
+}
diff --git a/lib/github/mkGithubProject.nix b/lib/github/mkGithubProject.nix
index 933ae654..d6fd55cb 100644
--- a/lib/github/mkGithubProject.nix
+++ b/lib/github/mkGithubProject.nix
@@ -5,6 +5,7 @@ _: lib: let
 ;
 inherit
 (lib.github)
+ githubWebhook
 mkGithubJobsets
 mkGithubStatus
 ;
@@ -23,6 +24,7 @@ in {
 jobsets = mkGithubJobsets {inherit owner repo;};
 begin = mkGithubStatus {inherit owner repo;};
 end = mkGithubStatus {inherit owner repo;};
+ webhook = githubWebhook;
 };
 inherit secrets;
 };
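Review bot: In githubWebhook.nix the check `[ "$signatureSent" == "$signatureComputed" ]` compares two different encodings and so cannot pass for a real GitHub delivery: `signatureSent` is read without `-r`, so it still carries its JSON double quotes, and GitHub sends `X-Hub-Signature-256` as `sha256=` followed by lowercase hex, whereas `signatureComputed` is base64 of the raw digest. Because writeShellApplication runs with errexit, the failed test aborts the script, so the hook fails closed and never emits a command for a genuine push. Reading the header with `jq -r` and computing `signatureComputed="sha256=$(printf '%s' "$body" | openssl dgst -sha256 -hmac "$secret" | sed 's/^.*= //')"` makes the two values comparable (gnused is already in runtimeInputs, and `printf '%s'` avoids echo reinterpreting a body that begins with a dash); a length-independent comparison would be preferable to `[ == ]`, though the practical exposure here is small. The HMAC also has to cover exactly the bytes GitHub signed, so if `.input.body` reaches this script as a parsed object rather than the raw string, `jq -r` re-serializes it and the digest will differ — worth confirming against the caller, as is the trailing newline that `$(...)` strips. Separately, `$body.ref|split("/")|.[2]` keeps only the first path component of a branch name such as `feature/x`; `.[2:]|join("/")` returns the full name.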