๐ GoCD mergeable - Github Action
A Github Action for verifying changes done to the GoCD config repository.
On every check-in or a pull request, GoCD mergeable action verifies whether modifications done to the GoCD configuration files are valid or not by performing the GoCD preflight check on the specified config repository.
Usage
See action.yml For comprehensive list of options.
Basic
Note: Do not specify GOCD_ADMIN_ACCESS_TOKEN
as a plain text value.
Use Github Secrets for specifying the secret access token.
on: [push]
jobs:
verify_config_repository:
runs-on: ubuntu-latest
name: verify config repository changes
steps:
- name: Git checkout
uses: actions/checkout@v2
- name: Verify Config Merge
uses: GaneshSPatil/[email protected]
with:
GOCD_SERVER_URL: 'https://gocdserverurl.com/go'
GOCD_ADMIN_ACCESS_TOKEN: ${{ secrets.GOCD_ADMIN_ACCESS_TOKEN }}
GOCD_CONFIG_REPOSITORY_ID: 'config-repo-id'
Validate on pull requests
on: [pull_request]
jobs:
verify_config_repository:
runs-on: ubuntu-latest
name: verify config repository changes
steps:
- name: Git checkout
uses: actions/checkout@v2
- name: Verify Config Merge
uses: GaneshSPatil/[email protected]
with:
GOCD_SERVER_URL: 'https://gocdserverurl.com/go'
GOCD_ADMIN_ACCESS_TOKEN: ${{ secrets.GOCD_ADMIN_ACCESS_TOKEN }}
GOCD_CONFIG_REPOSITORY_ID: 'config-repo-id'
Trigger validation only when configurations changes
GoCD's pipeline as code allows the pipeline configurations to be defined where the source is (same git repository). But we often don't make changes to the pipeline configurations and thus can avoid GoCD mergeable bot check by whitelisting the config files.
on:
push:
paths:
- '.gocd/*.gocd.yml'
- '.gocd/*.gocd.yaml'
jobs:
verify_config_repository:
runs-on: ubuntu-latest
name: verify config repository changes
steps:
- name: Git checkout
uses: actions/checkout@v2
- name: Verify Config Merge
uses: GaneshSPatil/[email protected]
with:
GOCD_SERVER_URL: 'https://gocdserverurl.com/go'
GOCD_ADMIN_ACCESS_TOKEN: ${{ secrets.GOCD_ADMIN_ACCESS_TOKEN }}
GOCD_CONFIG_REPOSITORY_ID: 'config-repo-id'
Output
- Following is an example of successful GoCD mergeable run, when the config repository configurations are valid and can be successfully merged with GoCD.
- Following is an example of failed GoCD mergeable run, when the config repository configurations has some errors (and/or is invalid).
A note about security
GoCD mergeable Github Action when enabled for GoCD groovy DSL plugin, will evaluate untrusted code on the GoCD server. As evaluating the groovy code in a sandbox is currently a work in progress for groovy plugin.
Enabling GoCD mergeable Github Action for pull requests on a groovy config public repository can allow a malicious Github user to do significant damage by running a script as part of the pull request that steal keys and secrets, remove files and directories, install malware, etc on the GoCD Server.
It is recommended to configure GoCD mergeable Github Action to be executed only on trusted check-ins.
Example
Checkout GoCD mergeable YAML Example master branch and pull request for live examples.
License
GoCD mergeable is an open source project, under the Apache License, Version 2.0.
Contributions
Contributions are welcome! See Contributor's Guide