;}%20.st6{fill:url(%23SVGID_00000021089067129159788970000008246765442136188072_);}%20.st7{fill:url(%23SVGID_00000117639240116366130650000015074833605515028638_);}%20.st8{opacity:0.4;fill:url(%23SVGID_00000101781798616409025840000016567063639337360777_);}%20.st9{opacity:0.4;fill:url(%23SVGID_00000052086836598721292040000002033117744178971046_);}%20.st10{opacity:0.4;fill:url(%23SVGID_00000159460939004760751800000002448009281983951536_);}%20.st11{opacity:0.4;fill:url(%23SVGID_00000013177830667419993080000017721442101626521532_);}%20.st12{opacity:0.4;fill:url(%23SVGID_00000152235521444854938490000006526001119318383285_);}%20.st13{opacity:0.4;fill:url(%23SVGID_00000119823135212293698520000012774889010992664993_);}%20%3c/style%3e%3cg%3e%3cpolygon%20class='st2'%20points='134.78,14.22%20114.31,48.21%20101.33,69.75%20158.22,69.75%20177.97,36.95%20191.67,14.22%20'/%3e%3cpolygon%20class='st3'%20points='227.55,69.75%20186.61,69.75%20101.33,69.75%20129.78,119.02%20158.16,119.02%20228.61,119.02%20256,119.02%20'/%3e%3cpolygon%20class='st3'%20points='136.93,132.47%20116.46,167.93%2073.82,241.78%20130.71,241.78%20144.9,217.2%20180.13,156.18%20193.82,132.46%20'/%3e%3cpolygon%20class='st3'%20points='121.7,131.95%20101.23,96.49%2058.59,22.63%2030.15,71.91%2044.34,96.49%2079.57,157.5%2093.26,181.22%20'/%3e%3cpolygon%20class='st2'%20points='64.81,131.95%2025.15,131.21%200,130.74%2028.44,180.01%2066.73,180.72%2093.26,181.21%20'/%3e%3cpolygon%20class='st2'%20points='165.38,181.74%20184.58,216.46%20196.75,238.47%20225.19,189.2%20206.66,155.69%20193.83,132.46%20'/%3e%3c/g%3e%3c/svg%3e)
Windmill HubSync script to Git repo
This script will pull the script from the current workspace in a temporary folder, then commit it to the remote Git repository and push it. Only the script-related file will be pushed, nothing else. It takes as input the `git_repository` resource containing the repository URL, the script path, and the commit message to use for the commit. All params are mandatory.
Script windmill Verified
by hugo697 ยท 12/1/2023
The script
Submitted by pyranota275 Bun
Verified
2 days ago
1 | |
2 | |
3 | |
4 | |
5 | |
6 | |
7 | |
8 | |
9 | |
10 | |
11 | |
12 | |
13 | |
14 | |
15 | |
16 | |
17 | |
18 | |
19 | |
20 | |
21 | |
22 | |
23 | |
24 | |
25 | |
26 | |
27 | |
28 | |
29 | |
30 | |
31 | |
32 | |
33 | |
34 | |
35 | |
36 | |
37 | |
38 | |
39 | |
40 | |
41 | |
42 | |
43 | |
44 | |
45 | |
46 | |
47 | |
48 | |
49 | |
50 | |
51 | |
52 | |
53 | |
54 | |
55 | |
56 | |
57 | |
58 | |
59 | |
60 | |
61 | |
62 | |
63 | |
64 | |
65 | |
66 | |
67 | |
68 | |
69 | |
70 | |
71 | |
72 | |
73 | |
74 | |
75 | |
76 | |
77 | |
78 | |
79 | |
80 | |
81 | |
82 | |
83 | |
84 | |
85 | |
86 | |
87 | |
88 | |
89 | |
90 | |
91 | |
92 | |
93 | |
94 | |
95 | |
96 | |
97 | |
98 | |
99 | |
100 | |
101 | |
102 | |
103 | |
104 | |
105 | |
106 | |
107 | |
108 | |
109 | |
110 | |
111 | |
112 | |
113 | |
114 | |
115 | |
116 | |
117 | |
118 | |
119 | |
120 | |
121 | |
122 | |
123 | |
124 | |
125 | |
126 | |
127 | |
128 | |
129 | |
130 | |
131 | |
132 | |
133 | |
134 | |
135 | |
136 | |
137 | |
138 | |
139 | |
140 | |
141 | |
142 | |
143 | |
144 | |
145 | |
146 | |
147 | |
148 | |
149 | |
150 | |
151 | |
152 | |
153 | |
154 | |
155 | |
156 | |
157 | |
158 | |
159 | |
160 | |
161 | |
162 | |
163 | |
164 | |
165 | |
166 | |
167 | |
168 | |
169 | |
170 | |
171 | |
172 | |
173 | |
174 | |
175 | |
176 | |
177 | |
178 | |
179 | |
180 | |
181 | |
182 | |
183 | |
184 | |
185 | |
186 | |
187 | |
188 | |
189 | |
190 | |
191 | |
192 | |
193 | |
194 | |
195 | |
196 | |
197 | |
198 | |
199 | |
200 | |
201 | |
202 | |
203 | |
204 | |
205 | |
206 | |
207 | |
208 | |
209 | |
210 | |
211 | |
212 | |
213 | |
214 | |
215 | |
216 | |
217 | |
218 | |
219 | |
220 | |
221 | |
222 | |
223 | |
224 | |
225 | |
226 | |
227 | |
228 | |
229 | |
230 | |
231 | |
232 | |
233 | |
234 | |
235 | |
236 | |
237 | |
238 | |
239 | |
240 | |
241 | |
242 | |
243 | |
244 | |
245 | |
246 | |
247 | |
248 | |
249 | |
250 | |
251 | |
252 | |
253 | |
254 | |
255 | |
256 | |
257 | |
258 | |
259 | |
260 | |
261 | |
262 | |
263 | |
264 | |
265 | |
266 | |
267 | |
268 | |
269 | |
270 | |
271 | |
272 | |
273 | |
274 | |
275 | |
276 | |
277 | |
278 | |
279 | |
280 | |
281 | |
282 | |
283 | |
284 | |
285 | |
286 | |
287 | |
288 | |
289 | |
290 | |
291 | |
292 | |
293 | |
294 | |
295 | |
296 | |
297 | |
298 | |
299 | |
300 | |
301 | |
302 | |
303 | |
304 | |
305 | |
306 | |
307 | |
308 | |
309 | |
310 | |
311 | |
312 | |
313 | |
314 | |
315 | |
316 | |
317 | |
318 | |
319 | |
320 | |
321 | |
322 | |
323 | |
324 | |
325 | |
326 | |
327 | |
328 | |
329 | |
330 | |
331 | |
332 | |
333 | |
334 | |
335 | |
336 | |
337 | |
338 | |
339 | |
340 | |
341 | |
342 | |
343 | |
344 | |
345 | |
346 | |
347 | |
348 | |
349 | |
350 | |
351 | |
352 | |
353 | |
354 | |
355 | |
356 | |
357 | |
358 | |
359 | |
360 | |
361 | |
362 | |
363 | |
364 | |
365 | |
366 | |
367 | |
368 | |
369 | |
370 | |
371 | |
372 | |
373 | |
374 | |
375 | |
376 | |
377 | |
378 | |
379 | |
380 | |
381 | |
382 | |
383 | |
384 | |
385 | |
386 | |
387 | |
388 | |
389 | |
390 | |
391 | |
392 | |
393 | |
394 | |
395 | |
396 | |
397 | |
398 | |
399 | |
400 | |
401 | |
402 | |
403 | |
404 | |
405 | |
406 | |
407 | |
408 | |
409 | |
410 | |
411 | |
412 | |
413 | |
414 | |
415 | |
416 | |
417 | |
418 | |
419 | |
420 | |
421 | |
422 | |
423 | |
424 | |
425 | |
426 | |
427 | |
428 | |
429 | |
430 | |
431 | |
432 | |
433 | |
434 | |
435 | |
436 | |
437 | |
438 | |
439 | |
440 | |
441 | |
442 | |
443 | |
444 | |
445 | |
446 | |
447 | |
448 | |
449 | |
450 | |
451 | |
452 | |
453 | |
454 | |
455 | |
456 | |
457 | |
458 | |
459 | |
460 | |
461 | |
462 | |
463 | |
464 | |
465 | |
466 | |
467 | |
468 | |
469 | |
470 | |
471 | |
472 | |
473 | |
474 | |
475 | |
476 | |
477 | |
478 | |
479 | |
480 | |
481 | |
482 | |
Other submissions
- Submitted by hugo697 DenoCreated 668 days ago
1import * as wmillclient from "npm:[email protected]";2import wmill from "https://deno.land/x/[email protected]/main.ts";3import { basename } from "https://deno.land/[email protected]/path/mod.ts";45export async function main(6workspace_id: string,7repo_url_resource_path: string,8path_type:9| "script"10| "flow"11| "app"12| "folder"13| "resource"14| "variable"15| "resourcetype"16| "schedule"17| "user"18| "group",19skip_secret = true,20path: string | undefined,21parent_path: string | undefined,22commit_msg: string,23use_individual_branch = false,24group_by_folder = false25) {26const repo_resource = await wmillclient.getResource(repo_url_resource_path);2728const cwd = Deno.cwd();29Deno.env.set("HOME", ".");30console.log(31`Syncing ${path_type} ${path ?? ""} with parent ${parent_path ?? ""}`32);3334const repo_name = await git_clone(cwd, repo_resource, use_individual_branch);35await move_to_git_branch(36workspace_id,37path_type,38path,39parent_path,40use_individual_branch,41group_by_folder42);4344const subfolder = repo_resource.folder ?? "";45const branch_or_default = repo_resource.branch ?? "<DEFAULT>";46console.log(47`Pushing to repository ${repo_name} in subfolder ${subfolder} on branch ${branch_or_default}`48);4950await wmill_sync_pull(51path_type,52workspace_id,53path,54parent_path,55skip_secret56);5758await git_push(path, parent_path, commit_msg);5960console.log("Finished syncing");61Deno.chdir(`${cwd}`);62}6364async function git_clone(65cwd: string,66repo_resource: any,67use_individual_branch: boolean68): Promise<string> {69// TODO: handle private SSH keys as well70let repo_url = repo_resource.url;71const subfolder = repo_resource.folder ?? "";72const branch = repo_resource.branch ?? "";73const repo_name = basename(repo_url, ".git");7475const azureMatch = repo_url.match(/AZURE_DEVOPS_TOKEN\((?<url>.+)\)/);7677if (azureMatch) {78console.log(79"Requires Azure DevOps service account access token, requesting..."80);81const azureResource = await wmillclient.getResource(azureMatch.groups.url);8283const response = await fetch(84`https://login.microsoftonline.com/${azureResource.azureTenantId}/oauth2/token`,85{86method: "POST",87body: new URLSearchParams({88client_id: azureResource.azureClientId,89client_secret: azureResource.azureClientSecret,90grant_type: "client_credentials",91resource: "499b84ac-1321-427f-aa17-267ca6975798/.default",92}),93}94);9596const { access_token } = await response.json();9798repo_url = repo_url.replace(azureMatch[0], access_token);99}100101const args = ["clone", "--quiet", "--depth", "1"];102if (use_individual_branch) {103args.push("--no-single-branch"); // needed in case the asset branch already exists in the repo104}105if (subfolder !== "") {106args.push("--sparse");107}108if (branch !== "") {109args.push("--branch");110args.push(branch);111}112args.push(repo_url);113args.push(repo_name);114await sh_run(-1, "git", ...args);115116try {117Deno.chdir(`${cwd}/${repo_name}`);118} catch (err) {119console.log(120`Error changing directory to '${cwd}/${repo_name}'. Error was:\n${err}`121);122throw err;123}124Deno.chdir(`${cwd}/${repo_name}`);125if (subfolder !== "") {126await sh_run(undefined, "git", "sparse-checkout", "add", subfolder);127}128try {129Deno.chdir(`${cwd}/${repo_name}/${subfolder}`);130} catch (err) {131console.log(132`Error changing directory to '${cwd}/${repo_name}/${subfolder}'. Error was:\n${err}`133);134throw err;135}136137return repo_name;138}139140async function move_to_git_branch(141workspace_id: string,142path_type:143| "script"144| "flow"145| "app"146| "folder"147| "resource"148| "variable"149| "resourcetype"150| "schedule"151| "user"152| "group",153path: string | undefined,154parent_path: string | undefined,155use_individual_branch: boolean,156group_by_folder: boolean157) {158if (!use_individual_branch || path_type === "user" || path_type === "group") {159return;160}161162const branchName = group_by_folder163? `wm_deploy/${workspace_id}/${(path ?? parent_path)164?.split("/")165.slice(0, 2)166.join("__")}`167: `wm_deploy/${workspace_id}/${path_type}/${(168path ?? parent_path169)?.replaceAll("/", "__")}`;170171try {172await sh_run(undefined, "git", "checkout", branchName);173} catch (err) {174console.log(175`Error checking out branch ${branchName}. It is possible it doesn't exist yet, tentatively creating it... Error was:\n${err}`176);177try {178await sh_run(undefined, "git", "checkout", "-b", branchName);179await sh_run(180undefined,181"git",182"config",183"--add",184"--bool",185"push.autoSetupRemote",186"true"187);188} catch (err) {189console.log(190`Error checking out branch '${branchName}'. Error was:\n${err}`191);192throw err;193}194}195console.log(`Successfully switched to branch ${branchName}`);196}197198async function git_push(199path: string | undefined,200parent_path: string | undefined,201commit_msg: string202) {203await sh_run(204undefined,205"git",206"config",207"user.email",208Deno.env.get("WM_EMAIL") ?? ""209);210await sh_run(211undefined,212"git",213"config",214"user.name",215Deno.env.get("WM_USERNAME") ?? ""216);217if (path !== undefined && path !== null && path !== "") {218try {219await sh_run(undefined, "git", "add", `${path}**`);220} catch (e) {221console.log(`Unable to stage files matching ${path}**, ${e}`);222}223}224if (parent_path !== undefined && parent_path !== null && parent_path !== "") {225try {226await sh_run(undefined, "git", "add", `${parent_path}**`);227} catch (e) {228console.log(`Unable to stage files matching ${parent_path}, ${e}`);229}230}231try {232await sh_run(undefined, "git", "diff", "--cached", "--quiet");233} catch {234// git diff returns exit-code = 1 when there's at least one staged changes235await sh_run(undefined, "git", "commit", "-m", commit_msg);236try {237await sh_run(undefined, "git", "push", "--porcelain");238} catch {239console.log("Could not push, trying to rebase first");240await sh_run(undefined, "git", "pull", "--rebase");241await sh_run(undefined, "git", "push", "--porcelain");242}243return;244}245console.log("No changes detected, nothing to commit. Returning...");246}247248async function sh_run(249secret_position: number | undefined,250cmd: string,251...args: string[]252) {253const nargs = secret_position != undefined ? args.slice() : args;254if (secret_position < 0) {255secret_position = nargs.length - 1 + secret_position;256}257if (secret_position != undefined) {258nargs[secret_position] = "***";259}260console.log(`Running '${cmd} ${nargs.join(" ")} ...'`);261const command = new Deno.Command(cmd, {262args: args,263});264265const { code, stdout, stderr } = await command.output();266if (stdout.length > 0) {267console.log(new TextDecoder().decode(stdout));268}269if (stderr.length > 0) {270console.log(new TextDecoder().decode(stderr));271}272if (code !== 0) {273const err = `SH command '${cmd} ${nargs.join(274" "275)}' returned with a non-zero status ${code}.`;276throw Error(err);277}278console.log("Command successfully executed");279}280281function regexFromPath(282path_type:283| "script"284| "flow"285| "app"286| "folder"287| "resource"288| "variable"289| "resourcetype"290| "schedule"291| "user"292| "group",293path: string294) {295if (path_type == "flow") {296return `${path}.flow/*`;297} if (path_type == "app") {298return `${path}.app/*`;299} else if (path_type == "folder") {300return `${path}/folder.meta.*`;301} else if (path_type == "resourcetype") {302return `${path}.resource-type.*`;303} else if (path_type == "resource") {304return `${path}.resource.*`;305} else if (path_type == "variable") {306return `${path}.variable.*`;307} else if (path_type == "schedule") {308return `${path}.schedule.*`;309} else if (path_type == "user") {310return `${path}.user.*`;311} else if (path_type == "group") {312return `${path}.group.*`;313} else {314return `${path}.*`;315}316}317async function wmill_sync_pull(318path_type:319| "script"320| "flow"321| "app"322| "folder"323| "resource"324| "variable"325| "resourcetype"326| "schedule"327| "user"328| "group",329workspace_id: string,330path: string | undefined,331parent_path: string | undefined,332skip_secret: boolean333) {334const includes = [];335if (path !== undefined && path !== null && path !== "") {336includes.push(regexFromPath(path_type, path));337}338if (parent_path !== undefined && parent_path !== null && parent_path !== "") {339includes.push(regexFromPath(path_type, parent_path));340}341342await wmill_run(3436,344"workspace",345"add",346workspace_id,347workspace_id,348Deno.env.get("BASE_INTERNAL_URL") + "/",349"--token",350Deno.env.get("WM_TOKEN") ?? ""351);352console.log("Pulling workspace into git repo");353await wmill_run(3543,355"sync",356"pull",357"--token",358Deno.env.get("WM_TOKEN") ?? "",359"--workspace",360workspace_id,361"--yes",362"--raw",363skip_secret ? "--skip-secrets" : "",364"--include-schedules",365"--include-users",366"--include-groups",367"--includes",368includes.join(",")369);370}371372async function wmill_run(secret_position: number, ...cmd: string[]) {373cmd = cmd.filter((elt) => elt !== "");374const cmd2 = cmd.slice();375cmd2[secret_position] = "***";376console.log(`Running 'wmill ${cmd2.join(" ")} ...'`);377await wmill.parse(cmd);378console.log("Command successfully executed");379}380 - Submitted by rubenfiszel BunCreated 162 days ago
1import * as wmillclient from "windmill-client";2import wmill from "[email protected]";3import { basename } from "node:path";4const util = require("util");5const exec = util.promisify(require("child_process").exec);6import process from "process";78type GpgKey = {9email: string;10private_key: string;11passphrase: string;12};1314const FORKED_WORKSPACE_PREFIX = "wm-fork-";15const FORKED_BRANCH_PREFIX = "wm-fork";1617type PathType =18| "script"19| "flow"20| "app"21| "folder"22| "resource"23| "variable"24| "resourcetype"25| "schedule"26| "user"27| "group"28| "httptrigger"29| "websockettrigger"30| "kafkatrigger"31| "natstrigger"32| "postgrestrigger"33| "mqtttrigger"34| "sqstrigger"35| "gcptrigger"36| "emailtrigger";3738let gpgFingerprint: string | undefined = undefined;3940export async function main(41workspace_id: string,42repo_url_resource_path: string,43path_type: PathType,44skip_secret = true,45path: string | undefined,46parent_path: string | undefined,47commit_msg: string,48parent_workspace_id?: string,49use_individual_branch = false,50group_by_folder = false,51only_create_branch: boolean = false52) {53let safeDirectoryPath: string | undefined;54const repo_resource = await wmillclient.getResource(repo_url_resource_path);55const cwd = process.cwd();56process.env["HOME"] = ".";57if (!only_create_branch) {58console.log(59`Syncing ${path_type} ${path ?? ""} with parent ${parent_path ?? ""}`60);61}6263if (repo_resource.is_github_app) {64const token = await get_gh_app_token();65const authRepoUrl = prependTokenToGitHubUrl(repo_resource.url, token);66repo_resource.url = authRepoUrl;67}6869const { repo_name, safeDirectoryPath: cloneSafeDirectoryPath, clonedBranchName } = await git_clone(cwd, repo_resource, use_individual_branch || workspace_id.startsWith(FORKED_WORKSPACE_PREFIX));70safeDirectoryPath = cloneSafeDirectoryPath;717273// Since we don't modify the resource on the forked workspaces, we have to cosnider the case of74// a fork of a fork workspace. In that case, the original branch is not stored in the resource75// settings, but we need to infer it from the workspace id7677if (workspace_id.startsWith(FORKED_WORKSPACE_PREFIX)) {78if (use_individual_branch) {79console.log("Cannot have `use_individual_branch` in a forked workspace, disabling option`");80use_individual_branch = false;81}82if (group_by_folder) {83console.log("Cannot have `group_by_folder` in a forked workspace, disabling option`");84group_by_folder = false;85}86}8788if (parent_workspace_id && parent_workspace_id.startsWith(FORKED_WORKSPACE_PREFIX)) {89const parentBranch = get_fork_branch_name(parent_workspace_id, clonedBranchName);90console.log(`This workspace's parent is also a fork, moving to branch ${parentBranch} in case a new branch needs to be created with the appropriate root`);91await move_to_git_branch(92parent_workspace_id,93path_type,94path,95parent_path,96use_individual_branch,97group_by_folder,98clonedBranchName99);100}101102await move_to_git_branch(103workspace_id,104path_type,105path,106parent_path,107use_individual_branch,108group_by_folder,109clonedBranchName110);111112113const subfolder = repo_resource.folder ?? "";114const branch_or_default = repo_resource.branch ?? "<DEFAULT>";115console.log(116`Pushing to repository ${repo_name} in subfolder ${subfolder} on branch ${branch_or_default}`117);118119// If we want to just create the branch, we can skip pulling the changes.120if (!only_create_branch) {121await wmill_sync_pull(122path_type,123workspace_id,124path,125parent_path,126skip_secret,127repo_url_resource_path,128use_individual_branch,129repo_resource.branch130);131}132try {133await git_push(path, parent_path, commit_msg, repo_resource, only_create_branch);134} catch (e) {135throw e;136} finally {137await delete_pgp_keys();138// Cleanup: remove safe.directory config139if (safeDirectoryPath) {140try {141await sh_run(undefined, "git", "config", "--global", "--unset", "safe.directory", safeDirectoryPath);142} catch (e) {143console.log(`Warning: Could not unset safe.directory config: ${e}`);144}145}146}147console.log("Finished syncing");148process.chdir(`${cwd}`);149}150151function get_fork_branch_name(w_id: string, originalBranch: string): string {152if (w_id.startsWith(FORKED_WORKSPACE_PREFIX)) {153return w_id.replace(FORKED_WORKSPACE_PREFIX, `${FORKED_BRANCH_PREFIX}/${originalBranch}/`);154}155return w_id;156}157158async function git_clone(159cwd: string,160repo_resource: any,161no_single_branch: boolean,162): Promise<{ repo_name: string; safeDirectoryPath: string; clonedBranchName: string }> {163// TODO: handle private SSH keys as well164let repo_url = repo_resource.url;165const subfolder = repo_resource.folder ?? "";166const branch = repo_resource.branch ?? "";167const repo_name = basename(repo_url, ".git");168const azureMatch = repo_url.match(/AZURE_DEVOPS_TOKEN\((?<url>.+)\)/);169if (azureMatch) {170console.log(171"Requires Azure DevOps service account access token, requesting..."172);173const azureResource = await wmillclient.getResource(azureMatch.groups.url);174const response = await fetch(175`https://login.microsoftonline.com/${azureResource.azureTenantId}/oauth2/token`,176{177method: "POST",178body: new URLSearchParams({179client_id: azureResource.azureClientId,180client_secret: azureResource.azureClientSecret,181grant_type: "client_credentials",182resource: "499b84ac-1321-427f-aa17-267ca6975798/.default",183}),184}185);186const { access_token } = await response.json();187repo_url = repo_url.replace(azureMatch[0], access_token);188}189const args = ["clone", "--quiet", "--depth", "1"];190if (no_single_branch) {191args.push("--no-single-branch"); // needed in case the asset branch already exists in the repo192}193if (subfolder !== "") {194args.push("--sparse");195}196if (branch !== "") {197args.push("--branch");198args.push(branch);199}200args.push(repo_url);201args.push(repo_name);202await sh_run(-1, "git", ...args);203try {204process.chdir(`${cwd}/${repo_name}`);205const safeDirectoryPath = process.cwd();206// Add safe.directory to handle dubious ownership in cloned repo207try {208await sh_run(undefined, "git", "config", "--global", "--add", "safe.directory", process.cwd());209} catch (e) {210console.log(`Warning: Could not add safe.directory config: ${e}`);211}212213if (subfolder !== "") {214await sh_run(undefined, "git", "sparse-checkout", "add", subfolder);215try {216process.chdir(`${cwd}/${repo_name}/${subfolder}`);217} catch (err) {218console.log(219`Error changing directory to '${cwd}/${repo_name}/${subfolder}'. Error was:\n${err}`220);221throw err;222}223}224const clonedBranchName = (await sh_run(undefined, "git", "rev-parse", "--abbrev-ref", "HEAD")).trim();225return { repo_name, safeDirectoryPath, clonedBranchName };226227} catch (err) {228console.log(229`Error changing directory to '${cwd}/${repo_name}'. Error was:\n${err}`230);231throw err;232}233}234async function move_to_git_branch(235workspace_id: string,236path_type: PathType,237path: string | undefined,238parent_path: string | undefined,239use_individual_branch: boolean,240group_by_folder: boolean,241originalBranchName: string242) {243let branchName;244if (workspace_id.startsWith(FORKED_WORKSPACE_PREFIX)) {245branchName = get_fork_branch_name(workspace_id, originalBranchName);246} else {247if (!use_individual_branch || path_type === "user" || path_type === "group") {248return;249}250branchName = group_by_folder251? `wm_deploy/${workspace_id}/${(path ?? parent_path)252?.split("/")253.slice(0, 2)254.join("__")}`255: `wm_deploy/${workspace_id}/${path_type}/${(256path ?? parent_path257)?.replaceAll("/", "__")}`;258}259260try {261await sh_run(undefined, "git", "checkout", branchName);262} catch (err) {263console.log(264`Error checking out branch ${branchName}. It is possible it doesn't exist yet, tentatively creating it... Error was:\n${err}`265);266try {267await sh_run(undefined, "git", "checkout", "-b", branchName);268await sh_run(269undefined,270"git",271"config",272"--add",273"--bool",274"push.autoSetupRemote",275"true"276);277} catch (err) {278console.log(279`Error checking out branch '${branchName}'. Error was:\n${err}`280);281throw err;282}283}284console.log(`Successfully switched to branch ${branchName}`);285}286async function git_push(287path: string | undefined,288parent_path: string | undefined,289commit_msg: string,290repo_resource: any,291only_create_branch: boolean,292) {293let user_email = process.env["WM_EMAIL"] ?? "";294let user_name = process.env["WM_USERNAME"] ?? "";295296if (repo_resource.gpg_key) {297await set_gpg_signing_secret(repo_resource.gpg_key);298// Configure git with GPG key email for signing299await sh_run(300undefined,301"git",302"config",303"user.email",304repo_resource.gpg_key.email305);306await sh_run(undefined, "git", "config", "user.name", user_name);307} else {308await sh_run(undefined, "git", "config", "user.email", user_email);309await sh_run(undefined, "git", "config", "user.name", user_name);310}311if (only_create_branch) {312await sh_run(undefined, "git", "push", "--porcelain");313}314315if (path !== undefined && path !== null && path !== "") {316try {317await sh_run(undefined, "git", "add", "wmill-lock.yaml", `${path}**`);318} catch (e) {319console.log(`Unable to stage files matching ${path}**, ${e}`);320}321}322if (parent_path !== undefined && parent_path !== null && parent_path !== "") {323try {324await sh_run(325undefined,326"git",327"add",328"wmill-lock.yaml",329`${parent_path}**`330);331} catch (e) {332console.log(`Unable to stage files matching ${parent_path}, ${e}`);333}334}335try {336await sh_run(undefined, "git", "diff", "--cached", "--quiet");337} catch {338// git diff returns exit-code = 1 when there's at least one staged changes339const commitArgs = ["git", "commit"];340341// Always use --author to set consistent authorship342commitArgs.push("--author", `"${user_name} <${user_email}>"`);343commitArgs.push(344"-m",345`"${commit_msg == undefined || commit_msg == "" ? "no commit msg" : commit_msg}"`346);347348await sh_run(undefined, ...commitArgs);349try {350await sh_run(undefined, "git", "push", "--porcelain");351} catch (e) {352console.log(`Could not push, trying to rebase first: ${e}`);353await sh_run(undefined, "git", "pull", "--rebase");354await sh_run(undefined, "git", "push", "--porcelain");355}356return;357}358console.log("No changes detected, nothing to commit. Returning...");359}360async function sh_run(361secret_position: number | undefined,362cmd: string,363...args: string[]364) {365const nargs = secret_position != undefined ? args.slice() : args;366if (secret_position && secret_position < 0) {367secret_position = nargs.length - 1 + secret_position;368}369let secret: string | undefined = undefined;370if (secret_position != undefined) {371nargs[secret_position] = "***";372secret = args[secret_position];373}374375console.log(`Running '${cmd} ${nargs.join(" ")} ...'`);376const command = exec(`${cmd} ${args.join(" ")}`);377// new Deno.Command(cmd, {378// args: args,379// });380try {381const { stdout, stderr } = await command;382if (stdout.length > 0) {383console.log(stdout);384}385if (stderr.length > 0) {386console.log(stderr);387}388console.log("Command successfully executed");389return stdout;390} catch (error) {391let errorString = error.toString();392if (secret) {393errorString = errorString.replace(secret, "***");394}395const err = `SH command '${cmd} ${nargs.join(396" "397)}' returned with error ${errorString}`;398throw Error(err);399}400}401402function regexFromPath(path_type: PathType, path: string) {403if (path_type == "flow") {404return `${path}.flow/*`;405}406if (path_type == "app") {407return `${path}.app/*`;408} else if (path_type == "folder") {409return `${path}/folder.meta.*`;410} else if (path_type == "resourcetype") {411return `${path}.resource-type.*`;412} else if (path_type == "resource") {413return `${path}.resource.*`;414} else if (path_type == "variable") {415return `${path}.variable.*`;416} else if (path_type == "schedule") {417return `${path}.schedule.*`;418} else if (path_type == "user") {419return `${path}.user.*`;420} else if (path_type == "group") {421return `${path}.group.*`;422} else if (path_type == "httptrigger") {423return `${path}.http_trigger.*`;424} else if (path_type == "websockettrigger") {425return `${path}.websocket_trigger.*`;426} else if (path_type == "kafkatrigger") {427return `${path}.kafka_trigger.*`;428} else if (path_type == "natstrigger") {429return `${path}.nats_trigger.*`;430} else if (path_type == "postgrestrigger") {431return `${path}.postgres_trigger.*`;432} else if (path_type == "mqtttrigger") {433return `${path}.mqtt_trigger.*`;434} else if (path_type == "sqstrigger") {435return `${path}.sqs_trigger.*`;436} else if (path_type == "gcptrigger") {437return `${path}.gcp_trigger.*`;438} else if (path_type == "emailtrigger") {439return `${path}.email_trigger.*`;440} else {441return `${path}.*`;442}443}444445async function wmill_sync_pull(446path_type: PathType,447workspace_id: string,448path: string | undefined,449parent_path: string | undefined,450skip_secret: boolean,451repo_url_resource_path: string,452use_individual_branch: boolean,453original_branch?: string454) {455const includes = [];456if (path !== undefined && path !== null && path !== "") {457includes.push(regexFromPath(path_type, path));458}459if (parent_path !== undefined && parent_path !== null && parent_path !== "") {460includes.push(regexFromPath(path_type, parent_path));461}462463console.log("Pulling workspace into git repo");464465const args = [466"sync",467"pull",468"--token",469process.env["WM_TOKEN"] ?? "",470"--workspace",471workspace_id,472"--base-url",473process.env["BASE_URL"] + "/",474"--repository",475repo_url_resource_path,476"--yes",477skip_secret ? "--skip-secrets" : "",478];479480if (path_type === "schedule" && !use_individual_branch) {481args.push("--include-schedules");482}483484if (path_type === "group" && !use_individual_branch) {485args.push("--include-groups");486}487488if (path_type === "user" && !use_individual_branch) {489args.push("--include-users");490}491492if (path_type.includes("trigger") && !use_individual_branch) {493args.push("--include-triggers");494}495// Only include settings when specifically deploying settings496if (path_type === "settings" && !use_individual_branch) {497args.push("--include-settings");498}499500// Only include key when specifically deploying keys501if (path_type === "key" && !use_individual_branch) {502args.push("--include-key");503}504505args.push("--extra-includes", includes.join(","));506507// If using individual branches, apply promotion settings from original branch508if (use_individual_branch && original_branch) {509console.log(`Individual branch deployment detected - using promotion settings from '${original_branch}'`);510args.push("--promotion", original_branch);511}512513await wmill_run(3, ...args);514}515516async function wmill_run(secret_position: number, ...cmd: string[]) {517cmd = cmd.filter((elt) => elt !== "");518const cmd2 = cmd.slice();519cmd2[secret_position] = "***";520console.log(`Running 'wmill ${cmd2.join(" ")} ...'`);521await wmill.parse(cmd);522console.log("Command successfully executed");523}524525// Function to set up GPG signing526async function set_gpg_signing_secret(gpg_key: GpgKey) {527try {528console.log("Setting GPG private key for git commits");529530const formattedGpgContent = gpg_key.private_key.replace(531/(-----BEGIN PGP PRIVATE KEY BLOCK-----)([\s\S]*?)(-----END PGP PRIVATE KEY BLOCK-----)/,532(_: string, header: string, body: string, footer: string) =>533header +534"\n" +535"\n" +536body.replace(/ ([^\s])/g, "\n$1").trim() +537"\n" +538footer539);540541const gpg_path = `/tmp/gpg`;542await sh_run(undefined, "mkdir", "-p", gpg_path);543await sh_run(undefined, "chmod", "700", gpg_path);544process.env.GNUPGHOME = gpg_path;545// process.env.GIT_TRACE = 1;546547try {548await sh_run(5491,550"bash",551"-c",552`cat <<EOF | gpg --batch --import \n${formattedGpgContent}\nEOF`553);554} catch (e) {555// Original error would contain sensitive data556throw new Error("Failed to import GPG key!");557}558559const listKeysOutput = await sh_run(560undefined,561"gpg",562"--list-secret-keys",563"--with-colons",564"--keyid-format=long"565);566567const keyInfoMatch = listKeysOutput.match(568/sec:[^:]*:[^:]*:[^:]*:([A-F0-9]+):.*\nfpr:::::::::([A-F0-9]{40}):/569);570571if (!keyInfoMatch) {572throw new Error("Failed to extract GPG Key ID and Fingerprint");573}574575const keyId = keyInfoMatch[1];576gpgFingerprint = keyInfoMatch[2];577578if (gpg_key.passphrase) {579// This is adummy command to unlock the key580// with passphrase to load it into agent581await sh_run(5821,583"bash",584"-c",585`echo "dummy" | gpg --batch --pinentry-mode loopback --passphrase '${gpg_key.passphrase}' --status-fd=2 -bsau ${keyId}`586);587}588589// Configure Git to use the extracted key590await sh_run(undefined, "git", "config", "user.signingkey", keyId);591await sh_run(undefined, "git", "config", "commit.gpgsign", "true");592console.log(`GPG signing configured with key ID: ${keyId} `);593} catch (e) {594console.error(`Failure while setting GPG key: ${e} `);595await delete_pgp_keys();596}597}598599async function delete_pgp_keys() {600console.log("deleting gpg keys");601if (gpgFingerprint) {602await sh_run(603undefined,604"gpg",605"--batch",606"--yes",607"--pinentry-mode",608"loopback",609"--delete-secret-key",610gpgFingerprint611);612await sh_run(613undefined,614"gpg",615"--batch",616"--yes",617"--delete-key",618"--pinentry-mode",619"loopback",620gpgFingerprint621);622}623}624625async function get_gh_app_token() {626const workspace = process.env["WM_WORKSPACE"];627const jobToken = process.env["WM_TOKEN"];628629const baseUrl =630process.env["BASE_INTERNAL_URL"] ??631process.env["BASE_URL"] ??632"http://localhost:8000";633634const url = `${baseUrl}/api/w/${workspace}/github_app/token`;635636const response = await fetch(url, {637method: "POST",638headers: {639"Content-Type": "application/json",640Authorization: `Bearer ${jobToken}`,641},642body: JSON.stringify({643job_token: jobToken,644}),645});646647if (!response.ok) {648throw new Error(`Error: ${response.statusText}`);649}650651const data = await response.json();652653return data.token;654}655656function prependTokenToGitHubUrl(gitHubUrl: string, installationToken: string) {657if (!gitHubUrl || !installationToken) {658throw new Error("Both GitHub URL and Installation Token are required.");659}660661try {662const url = new URL(gitHubUrl);663664// GitHub repository URL should be in the format: https://github.com/owner/repo.git665if (url.hostname !== "github.com") {666throw new Error(667"Invalid GitHub URL. Must be in the format 'https://github.com/owner/repo.git'."668);669}670671// Convert URL to include the installation token672return `https://x-access-token:${installationToken}@github.com${url.pathname}`;673} catch (e) {674const error = e as Error;675throw new Error(`Invalid URL: ${error.message}`);676}677}678 - Submitted by pyranota275 BunCreated 135 days ago
1import * as wmillclient from "windmill-client";2import wmill from "[email protected]";3import { basename } from "node:path";4const util = require("util");5const exec = util.promisify(require("child_process").exec);6import process from "process";78type GpgKey = {9email: string;10private_key: string;11passphrase: string;12};1314const FORKED_WORKSPACE_PREFIX = "wm-fork-";15const FORKED_BRANCH_PREFIX = "wm-fork";1617type PathType =18| "script"19| "flow"20| "app"21| "folder"22| "resource"23| "variable"24| "resourcetype"25| "schedule"26| "user"27| "group"28| "httptrigger"29| "websockettrigger"30| "kafkatrigger"31| "natstrigger"32| "postgrestrigger"33| "mqtttrigger"34| "sqstrigger"35| "gcptrigger"36| "emailtrigger";3738type SyncObject = {39path_type: PathType;40path: string | undefined;41parent_path: string | undefined;42commit_msg: string;43};4445let gpgFingerprint: string | undefined = undefined;4647export async function main(48items: SyncObject[],49// Compat, do not use in code, rely on `items` instead50path_type: PathType | undefined,51path: string | undefined,52parent_path: string | undefined,53commit_msg: string | undefined,54//55workspace_id: string,56repo_url_resource_path: string,57skip_secret: boolean = true,58use_individual_branch: boolean = false,59group_by_folder: boolean = false,60only_create_branch: boolean = false,61parent_workspace_id?: string,62) {6364if (path_type !== undefined && commit_msg !== undefined) {65items = [{66path_type,67path,68parent_path,69commit_msg,70}];71}72await inner(items, workspace_id, repo_url_resource_path, skip_secret, use_individual_branch, group_by_folder, only_create_branch, parent_workspace_id);73}7475async function inner(76items: SyncObject[],77workspace_id: string,78repo_url_resource_path: string,79skip_secret: boolean = true,80use_individual_branch: boolean = false,81group_by_folder: boolean = false,82only_create_branch: boolean = false,83parent_workspace_id?: string,84) {8586let safeDirectoryPath: string | undefined;87const repo_resource = await wmillclient.getResource(repo_url_resource_path);88const cwd = process.cwd();89process.env["HOME"] = ".";90if (!only_create_branch) {91for (const item of items) {92console.log(93`Syncing ${item.path_type} ${item.path ?? ""} with parent ${item.parent_path ?? ""}`94);95}96}9798if (repo_resource.is_github_app) {99const token = await get_gh_app_token();100const authRepoUrl = prependTokenToGitHubUrl(repo_resource.url, token);101repo_resource.url = authRepoUrl;102}103104const { repo_name, safeDirectoryPath: cloneSafeDirectoryPath, clonedBranchName } = await git_clone(cwd, repo_resource, use_individual_branch || workspace_id.startsWith(FORKED_WORKSPACE_PREFIX));105safeDirectoryPath = cloneSafeDirectoryPath;106107108// Since we don't modify the resource on the forked workspaces, we have to cosnider the case of109// a fork of a fork workspace. In that case, the original branch is not stored in the resource110// settings, but we need to infer it from the workspace id111112if (workspace_id.startsWith(FORKED_WORKSPACE_PREFIX)) {113if (use_individual_branch) {114console.log("Cannot have `use_individual_branch` in a forked workspace, disabling option`");115use_individual_branch = false;116}117if (group_by_folder) {118console.log("Cannot have `group_by_folder` in a forked workspace, disabling option`");119group_by_folder = false;120}121}122123if (parent_workspace_id && parent_workspace_id.startsWith(FORKED_WORKSPACE_PREFIX)) {124const parentBranch = get_fork_branch_name(parent_workspace_id, clonedBranchName);125console.log(`This workspace's parent is also a fork, moving to branch ${parentBranch} in case a new branch needs to be created with the appropriate root`);126await git_checkout_branch(127items,128parent_workspace_id,129use_individual_branch,130group_by_folder,131clonedBranchName132);133}134135await git_checkout_branch(136items,137workspace_id,138use_individual_branch,139group_by_folder,140clonedBranchName141);142143144const subfolder = repo_resource.folder ?? "";145const branch_or_default = repo_resource.branch ?? "<DEFAULT>";146console.log(147`Pushing to repository ${repo_name} in subfolder ${subfolder} on branch ${branch_or_default}`148);149150// If we want to just create the branch, we can skip pulling the changes.151if (!only_create_branch) {152await wmill_sync_pull(153items,154workspace_id,155skip_secret,156repo_url_resource_path,157use_individual_branch,158repo_resource.branch159);160}161try {162await git_push(items, repo_resource, only_create_branch);163} catch (e) {164throw e;165} finally {166await delete_pgp_keys();167// Cleanup: remove safe.directory config168if (safeDirectoryPath) {169try {170await sh_run(undefined, "git", "config", "--global", "--unset", "safe.directory", safeDirectoryPath);171} catch (e) {172console.log(`Warning: Could not unset safe.directory config: ${e}`);173}174}175}176console.log("Finished syncing");177process.chdir(`${cwd}`);178}179180181function get_fork_branch_name(w_id: string, originalBranch: string): string {182if (w_id.startsWith(FORKED_WORKSPACE_PREFIX)) {183return w_id.replace(FORKED_WORKSPACE_PREFIX, `${FORKED_BRANCH_PREFIX}/${originalBranch}/`);184}185return w_id;186}187188async function git_clone(189cwd: string,190repo_resource: any,191no_single_branch: boolean,192): Promise<{ repo_name: string; safeDirectoryPath: string; clonedBranchName: string }> {193// TODO: handle private SSH keys as well194let repo_url = repo_resource.url;195const subfolder = repo_resource.folder ?? "";196const branch = repo_resource.branch ?? "";197const repo_name = basename(repo_url, ".git");198const azureMatch = repo_url.match(/AZURE_DEVOPS_TOKEN\((?<url>.+)\)/);199if (azureMatch) {200console.log(201"Requires Azure DevOps service account access token, requesting..."202);203const azureResource = await wmillclient.getResource(azureMatch.groups.url);204const response = await fetch(205`https://login.microsoftonline.com/${azureResource.azureTenantId}/oauth2/token`,206{207method: "POST",208body: new URLSearchParams({209client_id: azureResource.azureClientId,210client_secret: azureResource.azureClientSecret,211grant_type: "client_credentials",212resource: "499b84ac-1321-427f-aa17-267ca6975798/.default",213}),214}215);216const { access_token } = await response.json();217repo_url = repo_url.replace(azureMatch[0], access_token);218}219const args = ["clone", "--quiet", "--depth", "1"];220if (no_single_branch) {221args.push("--no-single-branch"); // needed in case the asset branch already exists in the repo222}223if (subfolder !== "") {224args.push("--sparse");225}226if (branch !== "") {227args.push("--branch");228args.push(branch);229}230args.push(repo_url);231args.push(repo_name);232await sh_run(-1, "git", ...args);233try {234process.chdir(`${cwd}/${repo_name}`);235const safeDirectoryPath = process.cwd();236// Add safe.directory to handle dubious ownership in cloned repo237try {238await sh_run(undefined, "git", "config", "--global", "--add", "safe.directory", process.cwd());239} catch (e) {240console.log(`Warning: Could not add safe.directory config: ${e}`);241}242243if (subfolder !== "") {244await sh_run(undefined, "git", "sparse-checkout", "add", subfolder);245try {246process.chdir(`${cwd}/${repo_name}/${subfolder}`);247} catch (err) {248console.log(249`Error changing directory to '${cwd}/${repo_name}/${subfolder}'. Error was:\n${err}`250);251throw err;252}253}254const clonedBranchName = (await sh_run(undefined, "git", "rev-parse", "--abbrev-ref", "HEAD")).trim();255return { repo_name, safeDirectoryPath, clonedBranchName };256257} catch (err) {258console.log(259`Error changing directory to '${cwd}/${repo_name}'. Error was:\n${err}`260);261throw err;262}263}264async function git_checkout_branch(265items: SyncObject[],266workspace_id: string,267use_individual_branch: boolean,268group_by_folder: boolean,269originalBranchName: string270) {271let branchName;272if (workspace_id.startsWith(FORKED_WORKSPACE_PREFIX)) {273branchName = get_fork_branch_name(workspace_id, originalBranchName);274} else {275276if (!use_individual_branch277// If individual branch is true, we can assume items is of length 1, as debouncing is disabled for jobs with this flag278|| items[0].path_type === "user" || items[0].path_type === "group") {279return;280}281282// as mentioned above, it is safe to assume that items.len is 1283const [path, parent_path] = [items[0].path, items[0].parent_path];284branchName = group_by_folder285? `wm_deploy/${workspace_id}/${(path ?? parent_path)286?.split("/")287.slice(0, 2)288.join("__")}`289: `wm_deploy/${workspace_id}/${items[0].path_type}/${(290path ?? parent_path291)?.replaceAll("/", "__")}`;292}293294try {295await sh_run(undefined, "git", "checkout", branchName);296} catch (err) {297console.log(298`Error checking out branch ${branchName}. It is possible it doesn't exist yet, tentatively creating it... Error was:\n${err}`299);300try {301await sh_run(undefined, "git", "checkout", "-b", branchName);302await sh_run(303undefined,304"git",305"config",306"--add",307"--bool",308"push.autoSetupRemote",309"true"310);311} catch (err) {312console.log(313`Error checking out branch '${branchName}'. Error was:\n${err}`314);315throw err;316}317}318console.log(`Successfully switched to branch ${branchName}`);319}320321function composeCommitHeader(items: SyncObject[]): string {322// Count occurrences of each path_type323const typeCounts = new Map<PathType, number>();324for (const item of items) {325typeCounts.set(item.path_type, (typeCounts.get(item.path_type) ?? 0) + 1);326}327328// Sort by count descending to get the top 2329const sortedTypes = Array.from(typeCounts.entries()).sort((a, b) => b[1] - a[1]);330331const parts: string[] = [];332let othersCount = 0;333334for (let i = 0; i < sortedTypes.length; i++) {335const [pathType, count] = sortedTypes[i];336if (i < 3) {337// Pluralize the path type if count > 1338const label = count > 1 ? `${pathType}s` : pathType;339340if (i == 2 && sortedTypes.length == 3) {341parts.push(`and ${count} ${label}`);342} else {343parts.push(`${count} ${label}`);344}345} else {346othersCount += count;347}348}349350let header = `[WM] Deployed ${parts.join(", ")}`;351if (othersCount > 0) {352header += ` and ${othersCount} other object${othersCount > 1 ? "s" : ""}`;353}354355return header;356}357358async function git_push(359items: SyncObject[],360repo_resource: any,361only_create_branch: boolean,362) {363let user_email = process.env["WM_EMAIL"] ?? "";364let user_name = process.env["WM_USERNAME"] ?? "";365366if (repo_resource.gpg_key) {367await set_gpg_signing_secret(repo_resource.gpg_key);368// Configure git with GPG key email for signing369await sh_run(370undefined,371"git",372"config",373"user.email",374repo_resource.gpg_key.email375);376await sh_run(undefined, "git", "config", "user.name", user_name);377} else {378await sh_run(undefined, "git", "config", "user.email", user_email);379await sh_run(undefined, "git", "config", "user.name", user_name);380}381if (only_create_branch) {382await sh_run(undefined, "git", "push", "--porcelain");383}384385let commit_description: string[] = [];386for (const { path, parent_path, commit_msg } of items) {387if (path !== undefined && path !== null && path !== "") {388try {389await sh_run(undefined, "git", "add", "wmill-lock.yaml", `${path}**`);390} catch (e) {391console.log(`Unable to stage files matching ${path}**, ${e}`);392}393}394if (parent_path !== undefined && parent_path !== null && parent_path !== "") {395try {396await sh_run(397undefined,398"git",399"add",400"wmill-lock.yaml",401`${parent_path}**`402);403} catch (e) {404console.log(`Unable to stage files matching ${parent_path}, ${e}`);405}406}407408commit_description.push(commit_msg);409}410411try {412await sh_run(undefined, "git", "diff", "--cached", "--quiet");413} catch {414// git diff returns exit-code = 1 when there's at least one staged changes415const commitArgs = ["git", "commit"];416417// Always use --author to set consistent authorship418commitArgs.push("--author", `"${user_name} <${user_email}>"`);419420const [header, description] = (commit_description.length == 1)421? [commit_description[0], ""]422: [composeCommitHeader(items), commit_description.join("\n")];423424commitArgs.push(425"-m",426`"${header == undefined || header == "" ? "no commit msg" : header}"`,427"-m",428`"${description}"`429);430431await sh_run(undefined, ...commitArgs);432try {433await sh_run(undefined, "git", "push", "--porcelain");434} catch (e) {435console.log(`Could not push, trying to rebase first: ${e}`);436await sh_run(undefined, "git", "pull", "--rebase");437await sh_run(undefined, "git", "push", "--porcelain");438}439return;440}441442console.log("No changes detected, nothing to commit. Returning...");443}444async function sh_run(445secret_position: number | undefined,446cmd: string,447...args: string[]448) {449const nargs = secret_position != undefined ? args.slice() : args;450if (secret_position && secret_position < 0) {451secret_position = nargs.length - 1 + secret_position;452}453let secret: string | undefined = undefined;454if (secret_position != undefined) {455nargs[secret_position] = "***";456secret = args[secret_position];457}458459console.log(`Running '${cmd} ${nargs.join(" ")} ...'`);460const command = exec(`${cmd} ${args.join(" ")}`);461// new Deno.Command(cmd, {462// args: args,463// });464try {465const { stdout, stderr } = await command;466if (stdout.length > 0) {467console.log(stdout);468}469if (stderr.length > 0) {470console.log(stderr);471}472console.log("Command successfully executed");473return stdout;474} catch (error) {475let errorString = error.toString();476if (secret) {477errorString = errorString.replace(secret, "***");478}479const err = `SH command '${cmd} ${nargs.join(480" "481)}' returned with error ${errorString}`;482throw Error(err);483}484}485486function regexFromPath(path_type: PathType, path: string) {487if (path_type == "flow") {488return `${path}.flow/*`;489}490if (path_type == "app") {491return `${path}.app/*`;492} else if (path_type == "folder") {493return `${path}/folder.meta.*`;494} else if (path_type == "resourcetype") {495return `${path}.resource-type.*`;496} else if (path_type == "resource") {497return `${path}.resource.*`;498} else if (path_type == "variable") {499return `${path}.variable.*`;500} else if (path_type == "schedule") {501return `${path}.schedule.*`;502} else if (path_type == "user") {503return `${path}.user.*`;504} else if (path_type == "group") {505return `${path}.group.*`;506} else if (path_type == "httptrigger") {507return `${path}.http_trigger.*`;508} else if (path_type == "websockettrigger") {509return `${path}.websocket_trigger.*`;510} else if (path_type == "kafkatrigger") {511return `${path}.kafka_trigger.*`;512} else if (path_type == "natstrigger") {513return `${path}.nats_trigger.*`;514} else if (path_type == "postgrestrigger") {515return `${path}.postgres_trigger.*`;516} else if (path_type == "mqtttrigger") {517return `${path}.mqtt_trigger.*`;518} else if (path_type == "sqstrigger") {519return `${path}.sqs_trigger.*`;520} else if (path_type == "gcptrigger") {521return `${path}.gcp_trigger.*`;522} else if (path_type == "emailtrigger") {523return `${path}.email_trigger.*`;524} else {525return `${path}.*`;526}527}528529async function wmill_sync_pull(530items: SyncObject[],531workspace_id: string,532skip_secret: boolean,533repo_url_resource_path: string,534use_individual_branch: boolean,535original_branch?: string536) {537const includes = [];538for (const item of items) {539const { path_type, path, parent_path } = item;540if (path !== undefined && path !== null && path !== "") {541includes.push(regexFromPath(path_type, path));542}543if (parent_path !== undefined && parent_path !== null && parent_path !== "") {544includes.push(regexFromPath(path_type, parent_path));545}546}547548console.log("Pulling workspace into git repo");549550const args = [551"sync",552"pull",553"--token",554process.env["WM_TOKEN"] ?? "",555"--workspace",556workspace_id,557"--base-url",558process.env["BASE_URL"] + "/",559"--repository",560repo_url_resource_path,561"--yes",562skip_secret ? "--skip-secrets" : "",563];564565if (items.some(item => item.path_type === "schedule") && !use_individual_branch) {566args.push("--include-schedules");567}568569if (items.some(item => item.path_type === "group") && !use_individual_branch) {570args.push("--include-groups");571}572573if (items.some(item => item.path_type === "user") && !use_individual_branch) {574args.push("--include-users");575}576577if (items.some(item => item.path_type.includes("trigger")) && !use_individual_branch) {578args.push("--include-triggers");579}580// Only include settings when specifically deploying settings581if (items.some(item => item.path_type === "settings") && !use_individual_branch) {582args.push("--include-settings");583}584585// Only include key when specifically deploying keys586if (items.some(item => item.path_type === "key") && !use_individual_branch) {587args.push("--include-key");588}589590args.push("--extra-includes", includes.join(","));591592// If using individual branches, apply promotion settings from original branch593if (use_individual_branch && original_branch) {594console.log(`Individual branch deployment detected - using promotion settings from '${original_branch}'`);595args.push("--promotion", original_branch);596}597598await wmill_run(3, ...args);599}600601async function wmill_run(secret_position: number, ...cmd: string[]) {602cmd = cmd.filter((elt) => elt !== "");603const cmd2 = cmd.slice();604cmd2[secret_position] = "***";605console.log(`Running 'wmill ${cmd2.join(" ")} ...'`);606await wmill.parse(cmd);607console.log("Command successfully executed");608}609610// Function to set up GPG signing611async function set_gpg_signing_secret(gpg_key: GpgKey) {612try {613console.log("Setting GPG private key for git commits");614615const formattedGpgContent = gpg_key.private_key.replace(616/(-----BEGIN PGP PRIVATE KEY BLOCK-----)([\s\S]*?)(-----END PGP PRIVATE KEY BLOCK-----)/,617(_: string, header: string, body: string, footer: string) =>618header +619"\n" +620"\n" +621body.replace(/ ([^\s])/g, "\n$1").trim() +622"\n" +623footer624);625626const gpg_path = `/tmp/gpg`;627await sh_run(undefined, "mkdir", "-p", gpg_path);628await sh_run(undefined, "chmod", "700", gpg_path);629process.env.GNUPGHOME = gpg_path;630// process.env.GIT_TRACE = 1;631632try {633await sh_run(6341,635"bash",636"-c",637`cat <<EOF | gpg --batch --import \n${formattedGpgContent}\nEOF`638);639} catch (e) {640// Original error would contain sensitive data641throw new Error("Failed to import GPG key!");642}643644const listKeysOutput = await sh_run(645undefined,646"gpg",647"--list-secret-keys",648"--with-colons",649"--keyid-format=long"650);651652const keyInfoMatch = listKeysOutput.match(653/sec:[^:]*:[^:]*:[^:]*:([A-F0-9]+):.*\nfpr:::::::::([A-F0-9]{40}):/654);655656if (!keyInfoMatch) {657throw new Error("Failed to extract GPG Key ID and Fingerprint");658}659660const keyId = keyInfoMatch[1];661gpgFingerprint = keyInfoMatch[2];662663if (gpg_key.passphrase) {664// This is adummy command to unlock the key665// with passphrase to load it into agent666await sh_run(6671,668"bash",669"-c",670`echo "dummy" | gpg --batch --pinentry-mode loopback --passphrase '${gpg_key.passphrase}' --status-fd=2 -bsau ${keyId}`671);672}673674// Configure Git to use the extracted key675await sh_run(undefined, "git", "config", "user.signingkey", keyId);676await sh_run(undefined, "git", "config", "commit.gpgsign", "true");677console.log(`GPG signing configured with key ID: ${keyId} `);678} catch (e) {679console.error(`Failure while setting GPG key: ${e} `);680await delete_pgp_keys();681}682}683684async function delete_pgp_keys() {685console.log("deleting gpg keys");686if (gpgFingerprint) {687await sh_run(688undefined,689"gpg",690"--batch",691"--yes",692"--pinentry-mode",693"loopback",694"--delete-secret-key",695gpgFingerprint696);697await sh_run(698undefined,699"gpg",700"--batch",701"--yes",702"--delete-key",703"--pinentry-mode",704"loopback",705gpgFingerprint706);707}708}709710async function get_gh_app_token() {711const workspace = process.env["WM_WORKSPACE"];712const jobToken = process.env["WM_TOKEN"];713714const baseUrl =715process.env["BASE_INTERNAL_URL"] ??716process.env["BASE_URL"] ??717"http://localhost:8000";718719const url = `${baseUrl}/api/w/${workspace}/github_app/token`;720721const response = await fetch(url, {722method: "POST",723headers: {724"Content-Type": "application/json",725Authorization: `Bearer ${jobToken}`,726},727body: JSON.stringify({728job_token: jobToken,729}),730});731732if (!response.ok) {733throw new Error(`Error: ${response.statusText}`);734}735736const data = await response.json();737738return data.token;739}740741function prependTokenToGitHubUrl(gitHubUrl: string, installationToken: string) {742if (!gitHubUrl || !installationToken) {743throw new Error("Both GitHub URL and Installation Token are required.");744}745746try {747const url = new URL(gitHubUrl);748749// GitHub repository URL should be in the format: https://github.com/owner/repo.git750if (url.hostname !== "github.com") {751throw new Error(752"Invalid GitHub URL. Must be in the format 'https://github.com/owner/repo.git'."753);754}755756// Convert URL to include the installation token757return `https://x-access-token:${installationToken}@github.com${url.pathname}`;758} catch (e) {759const error = e as Error;760throw new Error(`Invalid URL: ${error.message}`);761}762} - Submitted by pyranota275 BunCreated 136 days ago
1import * as wmillclient from "windmill-client";2import wmill from "[email protected]";3import { basename } from "node:path";4const util = require("util");5const exec = util.promisify(require("child_process").exec);6import process from "process";78type GpgKey = {9email: string;10private_key: string;11passphrase: string;12};1314const FORKED_WORKSPACE_PREFIX = "wm-fork-";15const FORKED_BRANCH_PREFIX = "wm-fork";1617type PathType =18| "script"19| "flow"20| "app"21| "folder"22| "resource"23| "variable"24| "resourcetype"25| "schedule"26| "user"27| "group"28| "httptrigger"29| "websockettrigger"30| "kafkatrigger"31| "natstrigger"32| "postgrestrigger"33| "mqtttrigger"34| "sqstrigger"35| "gcptrigger"36| "emailtrigger";3738type SyncObject = {39path_type: PathType;40path: string | undefined;41parent_path: string | undefined;42commit_msg: string;43};4445let gpgFingerprint: string | undefined = undefined;4647export async function main(48items: SyncObject[],49// Compat, do not use in code, rely on `items` instead50path_type: PathType | undefined,51path: string | undefined,52parent_path: string | undefined,53commit_msg: string | undefined,54//55workspace_id: string,56repo_url_resource_path: string,57skip_secret: boolean = true,58use_individual_branch: boolean = false,59group_by_folder: boolean = false,60only_create_branch: boolean = false,61parent_workspace_id?: string,62) {6364if (path_type !== undefined && commit_msg !== undefined) {65items = [{66path_type,67path,68parent_path,69commit_msg,70}];71}72await inner(items, workspace_id, repo_url_resource_path, skip_secret, use_individual_branch, group_by_folder, only_create_branch, parent_workspace_id);73}7475async function inner(76items: SyncObject[],77workspace_id: string,78repo_url_resource_path: string,79skip_secret: boolean = true,80use_individual_branch: boolean = false,81group_by_folder: boolean = false,82only_create_branch: boolean = false,83parent_workspace_id?: string,84) {8586let safeDirectoryPath: string | undefined;87const repo_resource = await wmillclient.getResource(repo_url_resource_path);88const cwd = process.cwd();89process.env["HOME"] = ".";90if (!only_create_branch) {91for (const item of items) {92console.log(93`Syncing ${item.path_type} ${item.path ?? ""} with parent ${item.parent_path ?? ""}`94);95}96}9798if (repo_resource.is_github_app) {99const token = await get_gh_app_token();100const authRepoUrl = prependTokenToGitHubUrl(repo_resource.url, token);101repo_resource.url = authRepoUrl;102}103104const { repo_name, safeDirectoryPath: cloneSafeDirectoryPath, clonedBranchName } = await git_clone(cwd, repo_resource, use_individual_branch || workspace_id.startsWith(FORKED_WORKSPACE_PREFIX));105safeDirectoryPath = cloneSafeDirectoryPath;106107108// Since we don't modify the resource on the forked workspaces, we have to cosnider the case of109// a fork of a fork workspace. In that case, the original branch is not stored in the resource110// settings, but we need to infer it from the workspace id111112if (workspace_id.startsWith(FORKED_WORKSPACE_PREFIX)) {113if (use_individual_branch) {114console.log("Cannot have `use_individual_branch` in a forked workspace, disabling option`");115use_individual_branch = false;116}117if (group_by_folder) {118console.log("Cannot have `group_by_folder` in a forked workspace, disabling option`");119group_by_folder = false;120}121}122123if (parent_workspace_id && parent_workspace_id.startsWith(FORKED_WORKSPACE_PREFIX)) {124const parentBranch = get_fork_branch_name(parent_workspace_id, clonedBranchName);125console.log(`This workspace's parent is also a fork, moving to branch ${parentBranch} in case a new branch needs to be created with the appropriate root`);126await git_checkout_branch(127items,128parent_workspace_id,129use_individual_branch,130group_by_folder,131clonedBranchName132);133}134135await git_checkout_branch(136items,137workspace_id,138use_individual_branch,139group_by_folder,140clonedBranchName141);142143144const subfolder = repo_resource.folder ?? "";145const branch_or_default = repo_resource.branch ?? "<DEFAULT>";146console.log(147`Pushing to repository ${repo_name} in subfolder ${subfolder} on branch ${branch_or_default}`148);149150// If we want to just create the branch, we can skip pulling the changes.151if (!only_create_branch) {152await wmill_sync_pull(153items,154workspace_id,155skip_secret,156repo_url_resource_path,157use_individual_branch,158repo_resource.branch159);160}161try {162await git_push(items, repo_resource, only_create_branch);163} catch (e) {164throw e;165} finally {166await delete_pgp_keys();167// Cleanup: remove safe.directory config168if (safeDirectoryPath) {169try {170await sh_run(undefined, "git", "config", "--global", "--unset", "safe.directory", safeDirectoryPath);171} catch (e) {172console.log(`Warning: Could not unset safe.directory config: ${e}`);173}174}175}176console.log("Finished syncing");177process.chdir(`${cwd}`);178}179180181function get_fork_branch_name(w_id: string, originalBranch: string): string {182if (w_id.startsWith(FORKED_WORKSPACE_PREFIX)) {183return w_id.replace(FORKED_WORKSPACE_PREFIX, `${FORKED_BRANCH_PREFIX}/${originalBranch}/`);184}185return w_id;186}187188async function git_clone(189cwd: string,190repo_resource: any,191no_single_branch: boolean,192): Promise<{ repo_name: string; safeDirectoryPath: string; clonedBranchName: string }> {193// TODO: handle private SSH keys as well194let repo_url = repo_resource.url;195const subfolder = repo_resource.folder ?? "";196const branch = repo_resource.branch ?? "";197const repo_name = basename(repo_url, ".git");198const azureMatch = repo_url.match(/AZURE_DEVOPS_TOKEN\((?<url>.+)\)/);199if (azureMatch) {200console.log(201"Requires Azure DevOps service account access token, requesting..."202);203const azureResource = await wmillclient.getResource(azureMatch.groups.url);204const response = await fetch(205`https://login.microsoftonline.com/${azureResource.azureTenantId}/oauth2/token`,206{207method: "POST",208body: new URLSearchParams({209client_id: azureResource.azureClientId,210client_secret: azureResource.azureClientSecret,211grant_type: "client_credentials",212resource: "499b84ac-1321-427f-aa17-267ca6975798/.default",213}),214}215);216const { access_token } = await response.json();217repo_url = repo_url.replace(azureMatch[0], access_token);218}219const args = ["clone", "--quiet", "--depth", "1"];220if (no_single_branch) {221args.push("--no-single-branch"); // needed in case the asset branch already exists in the repo222}223if (subfolder !== "") {224args.push("--sparse");225}226if (branch !== "") {227args.push("--branch");228args.push(branch);229}230args.push(repo_url);231args.push(repo_name);232await sh_run(-1, "git", ...args);233try {234process.chdir(`${cwd}/${repo_name}`);235const safeDirectoryPath = process.cwd();236// Add safe.directory to handle dubious ownership in cloned repo237try {238await sh_run(undefined, "git", "config", "--global", "--add", "safe.directory", process.cwd());239} catch (e) {240console.log(`Warning: Could not add safe.directory config: ${e}`);241}242243if (subfolder !== "") {244await sh_run(undefined, "git", "sparse-checkout", "add", subfolder);245try {246process.chdir(`${cwd}/${repo_name}/${subfolder}`);247} catch (err) {248console.log(249`Error changing directory to '${cwd}/${repo_name}/${subfolder}'. Error was:\n${err}`250);251throw err;252}253}254const clonedBranchName = (await sh_run(undefined, "git", "rev-parse", "--abbrev-ref", "HEAD")).trim();255return { repo_name, safeDirectoryPath, clonedBranchName };256257} catch (err) {258console.log(259`Error changing directory to '${cwd}/${repo_name}'. Error was:\n${err}`260);261throw err;262}263}264async function git_checkout_branch(265items: SyncObject[],266workspace_id: string,267use_individual_branch: boolean,268group_by_folder: boolean,269originalBranchName: string270) {271let branchName;272if (workspace_id.startsWith(FORKED_WORKSPACE_PREFIX)) {273branchName = get_fork_branch_name(workspace_id, originalBranchName);274} else {275276if (!use_individual_branch277// If individual branch is true, we can assume items is of length 1, as debouncing is disabled for jobs with this flag278|| items[0].path_type === "user" || items[0].path_type === "group") {279return;280}281282// as mentioned above, it is safe to assume that items.len is 1283const [path, parent_path] = [items[0].path, items[0].parent_path];284branchName = group_by_folder285? `wm_deploy/${workspace_id}/${(path ?? parent_path)286?.split("/")287.slice(0, 2)288.join("__")}`289: `wm_deploy/${workspace_id}/${items[0].path_type}/${(290path ?? parent_path291)?.replaceAll("/", "__")}`;292}293294try {295await sh_run(undefined, "git", "checkout", branchName);296} catch (err) {297console.log(298`Error checking out branch ${branchName}. It is possible it doesn't exist yet, tentatively creating it... Error was:\n${err}`299);300try {301await sh_run(undefined, "git", "checkout", "-b", branchName);302await sh_run(303undefined,304"git",305"config",306"--add",307"--bool",308"push.autoSetupRemote",309"true"310);311} catch (err) {312console.log(313`Error checking out branch '${branchName}'. Error was:\n${err}`314);315throw err;316}317}318console.log(`Successfully switched to branch ${branchName}`);319}320321async function git_push(322items: SyncObject[],323repo_resource: any,324only_create_branch: boolean,325) {326let user_email = process.env["WM_EMAIL"] ?? "";327let user_name = process.env["WM_USERNAME"] ?? "";328329if (repo_resource.gpg_key) {330await set_gpg_signing_secret(repo_resource.gpg_key);331// Configure git with GPG key email for signing332await sh_run(333undefined,334"git",335"config",336"user.email",337repo_resource.gpg_key.email338);339await sh_run(undefined, "git", "config", "user.name", user_name);340} else {341await sh_run(undefined, "git", "config", "user.email", user_email);342await sh_run(undefined, "git", "config", "user.name", user_name);343}344if (only_create_branch) {345await sh_run(undefined, "git", "push", "--porcelain");346}347348let commit_description: string[] = [];349for (const { path, parent_path, commit_msg } of items) {350if (path !== undefined && path !== null && path !== "") {351try {352await sh_run(undefined, "git", "add", "wmill-lock.yaml", `${path}**`);353} catch (e) {354console.log(`Unable to stage files matching ${path}**, ${e}`);355}356}357if (parent_path !== undefined && parent_path !== null && parent_path !== "") {358try {359await sh_run(360undefined,361"git",362"add",363"wmill-lock.yaml",364`${parent_path}**`365);366} catch (e) {367console.log(`Unable to stage files matching ${parent_path}, ${e}`);368}369}370371commit_description.push(commit_msg);372}373374try {375await sh_run(undefined, "git", "diff", "--cached", "--quiet");376} catch {377// git diff returns exit-code = 1 when there's at least one staged changes378const commitArgs = ["git", "commit"];379380// Always use --author to set consistent authorship381commitArgs.push("--author", `"${user_name} <${user_email}>"`);382383const [header, description] = (commit_description.length == 1) ? [commit_description[0], ""] : [`[WM]: Deployed ${commit_description.length} objects`, commit_description.join("\n")];384385commitArgs.push(386"-m",387`"${header == undefined || header == "" ? "no commit msg" : header}"`,388"-m",389`"${description}"`390);391392await sh_run(undefined, ...commitArgs);393try {394await sh_run(undefined, "git", "push", "--porcelain");395} catch (e) {396console.log(`Could not push, trying to rebase first: ${e}`);397await sh_run(undefined, "git", "pull", "--rebase");398await sh_run(undefined, "git", "push", "--porcelain");399}400return;401}402403console.log("No changes detected, nothing to commit. Returning...");404}405async function sh_run(406secret_position: number | undefined,407cmd: string,408...args: string[]409) {410const nargs = secret_position != undefined ? args.slice() : args;411if (secret_position && secret_position < 0) {412secret_position = nargs.length - 1 + secret_position;413}414let secret: string | undefined = undefined;415if (secret_position != undefined) {416nargs[secret_position] = "***";417secret = args[secret_position];418}419420console.log(`Running '${cmd} ${nargs.join(" ")} ...'`);421const command = exec(`${cmd} ${args.join(" ")}`);422// new Deno.Command(cmd, {423// args: args,424// });425try {426const { stdout, stderr } = await command;427if (stdout.length > 0) {428console.log(stdout);429}430if (stderr.length > 0) {431console.log(stderr);432}433console.log("Command successfully executed");434return stdout;435} catch (error) {436let errorString = error.toString();437if (secret) {438errorString = errorString.replace(secret, "***");439}440const err = `SH command '${cmd} ${nargs.join(441" "442)}' returned with error ${errorString}`;443throw Error(err);444}445}446447function regexFromPath(path_type: PathType, path: string) {448if (path_type == "flow") {449return `${path}.flow/*`;450}451if (path_type == "app") {452return `${path}.app/*`;453} else if (path_type == "folder") {454return `${path}/folder.meta.*`;455} else if (path_type == "resourcetype") {456return `${path}.resource-type.*`;457} else if (path_type == "resource") {458return `${path}.resource.*`;459} else if (path_type == "variable") {460return `${path}.variable.*`;461} else if (path_type == "schedule") {462return `${path}.schedule.*`;463} else if (path_type == "user") {464return `${path}.user.*`;465} else if (path_type == "group") {466return `${path}.group.*`;467} else if (path_type == "httptrigger") {468return `${path}.http_trigger.*`;469} else if (path_type == "websockettrigger") {470return `${path}.websocket_trigger.*`;471} else if (path_type == "kafkatrigger") {472return `${path}.kafka_trigger.*`;473} else if (path_type == "natstrigger") {474return `${path}.nats_trigger.*`;475} else if (path_type == "postgrestrigger") {476return `${path}.postgres_trigger.*`;477} else if (path_type == "mqtttrigger") {478return `${path}.mqtt_trigger.*`;479} else if (path_type == "sqstrigger") {480return `${path}.sqs_trigger.*`;481} else if (path_type == "gcptrigger") {482return `${path}.gcp_trigger.*`;483} else if (path_type == "emailtrigger") {484return `${path}.email_trigger.*`;485} else {486return `${path}.*`;487}488}489490async function wmill_sync_pull(491items: SyncObject[],492workspace_id: string,493skip_secret: boolean,494repo_url_resource_path: string,495use_individual_branch: boolean,496original_branch?: string497) {498const includes = [];499for (const item of items) {500const { path_type, path, parent_path } = item;501if (path !== undefined && path !== null && path !== "") {502includes.push(regexFromPath(path_type, path));503}504if (parent_path !== undefined && parent_path !== null && parent_path !== "") {505includes.push(regexFromPath(path_type, parent_path));506}507}508509console.log("Pulling workspace into git repo");510511const args = [512"sync",513"pull",514"--token",515process.env["WM_TOKEN"] ?? "",516"--workspace",517workspace_id,518"--base-url",519process.env["BASE_URL"] + "/",520"--repository",521repo_url_resource_path,522"--yes",523skip_secret ? "--skip-secrets" : "",524];525526if (items.some(item => item.path_type === "schedule") && !use_individual_branch) {527args.push("--include-schedules");528}529530if (items.some(item => item.path_type === "group") && !use_individual_branch) {531args.push("--include-groups");532}533534if (items.some(item => item.path_type === "user") && !use_individual_branch) {535args.push("--include-users");536}537538if (items.some(item => item.path_type.includes("trigger")) && !use_individual_branch) {539args.push("--include-triggers");540}541// Only include settings when specifically deploying settings542if (items.some(item => item.path_type === "settings") && !use_individual_branch) {543args.push("--include-settings");544}545546// Only include key when specifically deploying keys547if (items.some(item => item.path_type === "key") && !use_individual_branch) {548args.push("--include-key");549}550551args.push("--extra-includes", includes.join(","));552553// If using individual branches, apply promotion settings from original branch554if (use_individual_branch && original_branch) {555console.log(`Individual branch deployment detected - using promotion settings from '${original_branch}'`);556args.push("--promotion", original_branch);557}558559await wmill_run(3, ...args);560}561562async function wmill_run(secret_position: number, ...cmd: string[]) {563cmd = cmd.filter((elt) => elt !== "");564const cmd2 = cmd.slice();565cmd2[secret_position] = "***";566console.log(`Running 'wmill ${cmd2.join(" ")} ...'`);567await wmill.parse(cmd);568console.log("Command successfully executed");569}570571// Function to set up GPG signing572async function set_gpg_signing_secret(gpg_key: GpgKey) {573try {574console.log("Setting GPG private key for git commits");575576const formattedGpgContent = gpg_key.private_key.replace(577/(-----BEGIN PGP PRIVATE KEY BLOCK-----)([\s\S]*?)(-----END PGP PRIVATE KEY BLOCK-----)/,578(_: string, header: string, body: string, footer: string) =>579header +580"\n" +581"\n" +582body.replace(/ ([^\s])/g, "\n$1").trim() +583"\n" +584footer585);586587const gpg_path = `/tmp/gpg`;588await sh_run(undefined, "mkdir", "-p", gpg_path);589await sh_run(undefined, "chmod", "700", gpg_path);590process.env.GNUPGHOME = gpg_path;591// process.env.GIT_TRACE = 1;592593try {594await sh_run(5951,596"bash",597"-c",598`cat <<EOF | gpg --batch --import \n${formattedGpgContent}\nEOF`599);600} catch (e) {601// Original error would contain sensitive data602throw new Error("Failed to import GPG key!");603}604605const listKeysOutput = await sh_run(606undefined,607"gpg",608"--list-secret-keys",609"--with-colons",610"--keyid-format=long"611);612613const keyInfoMatch = listKeysOutput.match(614/sec:[^:]*:[^:]*:[^:]*:([A-F0-9]+):.*\nfpr:::::::::([A-F0-9]{40}):/615);616617if (!keyInfoMatch) {618throw new Error("Failed to extract GPG Key ID and Fingerprint");619}620621const keyId = keyInfoMatch[1];622gpgFingerprint = keyInfoMatch[2];623624if (gpg_key.passphrase) {625// This is adummy command to unlock the key626// with passphrase to load it into agent627await sh_run(6281,629"bash",630"-c",631`echo "dummy" | gpg --batch --pinentry-mode loopback --passphrase '${gpg_key.passphrase}' --status-fd=2 -bsau ${keyId}`632);633}634635// Configure Git to use the extracted key636await sh_run(undefined, "git", "config", "user.signingkey", keyId);637await sh_run(undefined, "git", "config", "commit.gpgsign", "true");638console.log(`GPG signing configured with key ID: ${keyId} `);639} catch (e) {640console.error(`Failure while setting GPG key: ${e} `);641await delete_pgp_keys();642}643}644645async function delete_pgp_keys() {646console.log("deleting gpg keys");647if (gpgFingerprint) {648await sh_run(649undefined,650"gpg",651"--batch",652"--yes",653"--pinentry-mode",654"loopback",655"--delete-secret-key",656gpgFingerprint657);658await sh_run(659undefined,660"gpg",661"--batch",662"--yes",663"--delete-key",664"--pinentry-mode",665"loopback",666gpgFingerprint667);668}669}670671async function get_gh_app_token() {672const workspace = process.env["WM_WORKSPACE"];673const jobToken = process.env["WM_TOKEN"];674675const baseUrl =676process.env["BASE_INTERNAL_URL"] ??677process.env["BASE_URL"] ??678"http://localhost:8000";679680const url = `${baseUrl}/api/w/${workspace}/github_app/token`;681682const response = await fetch(url, {683method: "POST",684headers: {685"Content-Type": "application/json",686Authorization: `Bearer ${jobToken}`,687},688body: JSON.stringify({689job_token: jobToken,690}),691});692693if (!response.ok) {694throw new Error(`Error: ${response.statusText}`);695}696697const data = await response.json();698699return data.token;700}701702function prependTokenToGitHubUrl(gitHubUrl: string, installationToken: string) {703if (!gitHubUrl || !installationToken) {704throw new Error("Both GitHub URL and Installation Token are required.");705}706707try {708const url = new URL(gitHubUrl);709710// GitHub repository URL should be in the format: https://github.com/owner/repo.git711if (url.hostname !== "github.com") {712throw new Error(713"Invalid GitHub URL. Must be in the format 'https://github.com/owner/repo.git'."714);715}716717// Convert URL to include the installation token718return `https://x-access-token:${installationToken}@github.com${url.pathname}`;719} catch (e) {720const error = e as Error;721throw new Error(`Invalid URL: ${error.message}`);722}723}724