🚀 GoCD mergeable - Github Action

A Github Action for verifying changes done to the GoCD config repository.

On every check-in or a pull request, GoCD mergeable action verifies whether modifications done to the GoCD configuration files are valid or not by performing the GoCD preflight check on the specified config repository.

Usage

See action.yml For comprehensive list of options.

Basic

Note: Do not specify GOCD_ADMIN_ACCESS_TOKEN as a plain text value. Use Github Secrets for specifying the secret access token.

on: [push]

jobs:
  verify_config_repository:
    runs-on: ubuntu-latest
    name: verify config repository changes
    steps:
      - name: Git checkout
        uses: actions/checkout@v2
      - name: Verify Config Merge
        uses: GaneshSPatil/[email protected]
        with:
          GOCD_SERVER_URL: 'https://gocdserverurl.com/go'
          GOCD_ADMIN_ACCESS_TOKEN: ${{ secrets.GOCD_ADMIN_ACCESS_TOKEN }}
          GOCD_CONFIG_REPOSITORY_ID: 'config-repo-id'

Validate on pull requests

on: [pull_request]

jobs:
  verify_config_repository:
    runs-on: ubuntu-latest
    name: verify config repository changes
    steps:
      - name: Git checkout
        uses: actions/checkout@v2
      - name: Verify Config Merge
        uses: GaneshSPatil/[email protected]
        with:
          GOCD_SERVER_URL: 'https://gocdserverurl.com/go'
          GOCD_ADMIN_ACCESS_TOKEN: ${{ secrets.GOCD_ADMIN_ACCESS_TOKEN }}
          GOCD_CONFIG_REPOSITORY_ID: 'config-repo-id'

Trigger validation only when configurations changes

GoCD's pipeline as code allows the pipeline configurations to be defined where the source is (same git repository). But we often don't make changes to the pipeline configurations and thus can avoid GoCD mergeable bot check by whitelisting the config files.

on:
  push:
    paths:
    - '.gocd/*.gocd.yml'
    - '.gocd/*.gocd.yaml'

jobs:
  verify_config_repository:
    runs-on: ubuntu-latest
    name: verify config repository changes
    steps:
      - name: Git checkout
        uses: actions/checkout@v2
      - name: Verify Config Merge
        uses: GaneshSPatil/[email protected]
        with:
          GOCD_SERVER_URL: 'https://gocdserverurl.com/go'
          GOCD_ADMIN_ACCESS_TOKEN: ${{ secrets.GOCD_ADMIN_ACCESS_TOKEN }}
          GOCD_CONFIG_REPOSITORY_ID: 'config-repo-id'

Output

1. Following is an example of successful GoCD mergeable run, when the config repository configurations are valid and can be successfully merged with GoCD.

2. Following is an example of failed GoCD mergeable run, when the config repository configurations has some errors (and/or is invalid).

A note about security

GoCD mergeable Github Action when enabled for GoCD groovy DSL plugin, will evaluate untrusted code on the GoCD server. As evaluating the groovy code in a sandbox is currently a work in progress for groovy plugin.

Enabling GoCD mergeable Github Action for pull requests on a groovy config public repository can allow a malicious Github user to do significant damage by running a script as part of the pull request that steal keys and secrets, remove files and directories, install malware, etc on the GoCD Server.

It is recommended to configure GoCD mergeable Github Action to be executed only on trusted check-ins.

Example

Checkout GoCD mergeable YAML Example master branch and pull request for live examples.

License

GoCD mergeable is an open source project, under the Apache License, Version 2.0.

Contributions

Contributions are welcome! See Contributor's Guide