Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: support signed commits for resource 'github_repository_file' #2102

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

feat: support signed commits for resource 'github_repository_file' #2102

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
94ce4b0
feat: support signed commits for resource 'github_repository_file'
wparr-circle Jan 15, 2024
266af93
Merge branch 'main' into gpg-sign
kfcampbell Jan 22, 2024
86e55f3
Merge branch 'main' into gpg-sign
kfcampbell Feb 5, 2024
6569501
Merge remote-tracking branch 'origin/main' into gpg-sign
wparr-circle Aug 12, 2024
fd5431f
Merge branch 'main' into gpg-sign
wparr-circle Jan 22, 2025
67a53d5
style: apply gofmt -s to resource_github_repository_file.go
wparr-circle Jan 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
278 changes: 262 additions & 16 deletions github/resource_github_repository_file.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,13 +3,15 @@ package github
import (
"context"
"errors"
"io"
"log"
"net/http"
"net/url"
"strings"

"fmt"

"github.com/ProtonMail/gopenpgp/v2/crypto"
"github.com/google/go-github/v66/github"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
)
Expand Down Expand Up @@ -121,6 +123,24 @@ func resourceGithubRepositoryFile() *schema.Resource {
Description: "Enable overwriting existing files, defaults to \"false\"",
Default: false,
},
"use_contents_api": {
Type: schema.TypeBool,
Optional: true,
Description: "Enable to modify github files with the github contents API, rather than git.",
Default: true,
},
"pgp_signing_key": {
Type: schema.TypeString,
Optional: true,
Description: "PGP signing key used to sign commits.",
Sensitive: true,
},
"pgp_signing_key_passphrase": {
Type: schema.TypeString,
Optional: true,
Description: "Passphrase to unlock PGP signing key used to sign commits.",
Sensitive: true,
},
"autocreate_branch": {
Type: schema.TypeBool,
Optional: true,
Expand Down Expand Up @@ -148,6 +168,56 @@ func resourceGithubRepositoryFile() *schema.Resource {
}
}

func resourceGithubRepositoryFileCreateCommitOptions(d *schema.ResourceData) (*github.CreateCommitOptions, error) {
opts := &github.CreateCommitOptions{}

pgpSigningKey, hasPgpSigningKey := d.GetOk("pgp_signing_key")

if hasPgpSigningKey {
privateKeyObj, err := crypto.NewKeyFromArmored(pgpSigningKey.(string))
if err != nil {
return nil, err
}

isLocked, err := privateKeyObj.IsLocked()
if err != nil {
return nil, err
}
if isLocked {
pgpSigningKeyPassphrase, hasPgpSigningKeyPassphrase := d.GetOk("pgp_signing_key_passphrase")
if hasPgpSigningKeyPassphrase {
privateKeyObj, err = privateKeyObj.Unlock([]byte(pgpSigningKeyPassphrase.(string)))
if err != nil {
return nil, err
}
} else {
return nil, fmt.Errorf("cannot unlock pgp_signing_key, configure pgp_signing_key_passphrase")
}
}

signingKeyRing, err := crypto.NewKeyRing(privateKeyObj)
if err != nil {
return nil, err
}

opts.Signer = github.MessageSignerFunc(func(w io.Writer, r io.Reader) error {
signature, err := signingKeyRing.SignDetachedStream(r)
if err != nil {
return err
}
armoredSignature, err := signature.GetArmored()
if err != nil {
return err
}

_, err = w.Write([]byte(armoredSignature))
return err
})
}

return opts, nil
}

func resourceGithubRepositoryFileOptions(d *schema.ResourceData) (*github.RepositoryContentFileOptions, error) {
opts := &github.RepositoryContentFileOptions{
Content: []byte(*github.String(d.Get("content").(string))),
Expand Down Expand Up @@ -265,14 +335,65 @@ func resourceGithubRepositoryFileCreate(d *schema.ResourceData, meta interface{}
}

// Create a new or overwritten file
create, _, err := client.Repositories.CreateFile(ctx, owner, repo, file, opts)
if err != nil {
return err
}
modifyWithApi := d.Get("use_contents_api")
if modifyWithApi.(bool) {
create, _, err := client.Repositories.CreateFile(ctx, owner, repo, file, opts)
if err != nil {
return err
}
d.Set("commit_sha", create.Commit.GetSHA())
} else {
commitOpts, err := resourceGithubRepositoryFileCreateCommitOptions(d)
if err != nil {
return err
}

d.SetId(fmt.Sprintf("%s/%s", repo, file))
if err = d.Set("commit_sha", create.Commit.GetSHA()); err != nil {
return err
ref, _, err := client.Git.GetRef(ctx, owner, repo, "refs/heads/"+*opts.Branch)
if err != nil {
return err
}

tree, _, err := client.Git.CreateTree(
ctx, owner, repo, *ref.Object.SHA, []*github.TreeEntry{
{
Path: github.String(d.Get("file").(string)),
Type: github.String("blob"),
Content: github.String(d.Get("content").(string)),
Mode: github.String("100644"),
},
},
)
if err != nil {
return err
}

parent, _, err := client.Repositories.GetCommit(ctx, owner, repo, *ref.Object.SHA, nil)
if err != nil {
return err
}
// This is not always populated, but is needed.
parent.Commit.SHA = parent.SHA

commit := github.Commit{
Author: opts.Author,
Committer: opts.Committer,
Message: opts.Message,
Tree: tree,
Parents: []*github.Commit{
parent.Commit,
},
}
newCommit, _, err := client.Git.CreateCommit(ctx, owner, repo, &commit, commitOpts)
if err != nil {
return err
}

ref.Object.SHA = newCommit.SHA
_, _, err = client.Git.UpdateRef(ctx, owner, repo, ref, false)
if err != nil {
return err
}
d.Set("commit_sha", newCommit.SHA)
}

return resourceGithubRepositoryFileRead(d, meta)
Expand Down Expand Up @@ -437,13 +558,65 @@ func resourceGithubRepositoryFileUpdate(d *schema.ResourceData, meta interface{}
opts.Message = &m
}

create, _, err := client.Repositories.CreateFile(ctx, owner, repo, file, opts)
if err != nil {
return err
}
modifyWithApi := d.Get("use_contents_api")
if modifyWithApi.(bool) {
create, _, err := client.Repositories.CreateFile(ctx, owner, repo, file, opts)
if err != nil {
return err
}
d.Set("commit_sha", create.GetSHA())
} else {
commitOpts, err := resourceGithubRepositoryFileCreateCommitOptions(d)
if err != nil {
return err
}

if err = d.Set("commit_sha", create.GetSHA()); err != nil {
return err
ref, _, err := client.Git.GetRef(ctx, owner, repo, "refs/heads/"+*opts.Branch)
if err != nil {
return err
}

tree, _, err := client.Git.CreateTree(
ctx, owner, repo, *ref.Object.SHA, []*github.TreeEntry{
{
Path: github.String(d.Get("file").(string)),
Type: github.String("blob"),
Content: github.String(d.Get("content").(string)),
Mode: github.String("100644"),
},
},
)
if err != nil {
return err
}

parent, _, err := client.Repositories.GetCommit(ctx, owner, repo, *ref.Object.SHA, nil)
if err != nil {
return err
}
// This is not always populated, but is needed.
parent.Commit.SHA = parent.SHA

commit := github.Commit{
Author: opts.Author,
Committer: opts.Committer,
Message: opts.Message,
Tree: tree,
Parents: []*github.Commit{
parent.Commit,
},
}
newCommit, _, err := client.Git.CreateCommit(ctx, owner, repo, &commit, commitOpts)
if err != nil {
return err
}

ref.Object.SHA = newCommit.SHA
_, _, err = client.Git.UpdateRef(ctx, owner, repo, ref, false)
if err != nil {
return err
}
d.Set("commit_sha", newCommit.SHA)
}

return resourceGithubRepositoryFileRead(d, meta)
Expand Down Expand Up @@ -503,9 +676,82 @@ func resourceGithubRepositoryFileDelete(d *schema.ResourceData, meta interface{}
opts.Branch = &branch
}

_, _, err := client.Repositories.DeleteFile(ctx, owner, repo, file, opts)
if err != nil {
return nil
modifyWithApi := d.Get("use_contents_api")
if modifyWithApi.(bool) {
_, _, err := client.Repositories.DeleteFile(ctx, owner, repo, file, opts)
if err != nil {
return nil
}
} else {
commitOpts, err := resourceGithubRepositoryFileCreateCommitOptions(d)
if err != nil {
return err
}

ref, _, err := client.Git.GetRef(ctx, owner, repo, "refs/heads/"+*opts.Branch)
if err != nil {
return err
}

tree, _, err := client.Git.CreateTree(
ctx, owner, repo, *ref.Object.SHA, []*github.TreeEntry{
{
Path: github.String(d.Get("file").(string)),
Type: github.String("blob"),
Mode: github.String("100644"),
SHA: nil,
},
},
)
if err != nil {
return err
}

parent, _, err := client.Repositories.GetCommit(ctx, owner, repo, *ref.Object.SHA, nil)
if err != nil {
return err
}
// This is not always populated, but is needed.
parent.Commit.SHA = parent.SHA

commitAuthor, hasCommitAuthor := d.GetOk("commit_author")
commitEmail, hasCommitEmail := d.GetOk("commit_email")

if hasCommitAuthor && !hasCommitEmail {
return fmt.Errorf("cannot set commit_author without setting commit_email")
}

if hasCommitEmail && !hasCommitAuthor {
return fmt.Errorf("cannot set commit_email without setting commit_author")
}

if hasCommitAuthor && hasCommitEmail {
name := commitAuthor.(string)
mail := commitEmail.(string)
opts.Author = &github.CommitAuthor{Name: &name, Email: &mail}
opts.Committer = &github.CommitAuthor{Name: &name, Email: &mail}
}

commit := github.Commit{
Author: opts.Author,
Committer: opts.Committer,
Message: opts.Message,
Tree: tree,
Parents: []*github.Commit{
parent.Commit,
},
}
newCommit, _, err := client.Git.CreateCommit(ctx, owner, repo, &commit, commitOpts)
if err != nil {
return err
}

ref.Object.SHA = newCommit.SHA
_, _, err = client.Git.UpdateRef(ctx, owner, repo, ref, false)
if err != nil {
return err
}
d.Set("commit_sha", newCommit.SHA)
}

return nil
Expand Down
Loading
Loading