git-webhooks/webhooks.js

99 lines
3.1 KiB
JavaScript
Raw Normal View History

2024-08-01 18:19:05 +10:00
/* jshint esversion: 8 */
import { promisify } from 'util'
import child_process from 'child_process'
const exec = promisify(child_process.exec) // run child_process.exec as a Promise/async
import { createHmac } from 'crypto'
import express from 'express'
const port = process.env.PORT
import { SMTPClient } from 'emailjs';
// express
const app = express()
app.use(express.json())
function sendEmail(msg, trigger) {
const client = new SMTPClient({
user: process.env.EMAIL_USER,
password: process.env.EMAIL_PASSWORD,
host: process.env.SMTP_DOMAIN,
ssl: true,
});
// send the message and get a callback with an error or details of the message that was sent
client.send(
{
text: `Git webhook for ${trigger} has triggered a "git pull" event with the following result:\n\n${msg}`,
from: `Webhook Alerts<${process.env.EMAIL_SEND_ADDRESS}>`,
to: process.env.EMAIL_RECEIVE_ADDRESS,
subject: `Git service triggered a pull for ${trigger}`,
},
(err, message) => {
console.log(err || message);
}
);
}
// function to run git pull
async function gitPull(local_repo, res) {
try {
const { stdout, stderr } = await exec(`cd ${local_repo} && git pull`);
let msg = stderr ? stderr : stdout // message is the error message if there is one, else the stdout
sendEmail(msg, process.env.APP_PATH)
res.status(200).send('Ok')
} catch (err) {
console.error(err)
res.status(500).send('server error - sorry about that')
}
}
// we are *recieving* POST requests here
app.post(`/${process.env.APP_PATH}`, (req, res) => {
const hmac = createHmac('sha256', process.env.SECRET)
const local_repo = process.env.LOCAL_REPO
hmac.update(JSON.stringify(req.body))
// check has signature header and the decrypted signature matches
if (req.get('X-Hub-Signature-256')) {
if ( `sha256=${hmac.digest('hex').toString()}` === req.get('X-Hub-Signature-256') ){
if (req.body.ref === 'refs/heads/main') {
gitPull(local_repo, res)
} else {
console.log('Ignoring push to non-default branch')
res.status(200).send('Ignoring push to non-default branch')
}
} else {
console.error('signature header received but hash did not match')
res.status(403).send('Signature is missing or does not match')
}
} else {
console.error('Signature missing')
res.status(403).send('Signature is missing or does not match')
}
})
// everything else should 404
app.use(function (req, res) {
res.status(404).send('Nothing here')
})
app.listen(port, () => {
const secrets = {
"PORT": process.env.PORT,
"SECRET": process.env.SECRET,
"EMAIL_USER": process.env.EMAIL_USER,
"EMAIL_PASSWORD": process.env.EMAIL_PASSWORD,
"SMTP_DOMAIN": process.env.SMTP_DOMAIN,
"EMAIL_SEND_ADDRESS": process.env.EMAIL_SEND_ADDRESS,
"EMAIL_RECEIVE_ADDRESS": process.env.EMAIL_RECEIVE_ADDRESS,
"APP_PATH": process.env.APP_PATH,
"LOCAL_REPO": process.env.LOCAL_REPO
}
for (let key in secrets) {
if (secrets[key] === undefined || null) {
throw Error(`Missing ${key} from environment values`)
}
}
console.log(`Webhooks app listening on port ${port}`)
})