A Github Action for verifying changes done to the GoCD config repository.
On every check-in or a pull request, GoCD mergeable action verifies whether modifications done to the GoCD configuration files are valid or not by performing the GoCD preflight check on the specified config repository.
See action.yml For comprehensive list of options.
Checkout GoCD mergeable YAML Example master branch and pull request for live examples.
Note: Do not specify GOCD_ADMIN_ACCESS_TOKEN as a plain text value.
Use Github Secrets for specifying the secret access token.
on: [push]
jobs:
verify_config_repository:
runs-on: ubuntu-latest
name: verify config repository changes
steps:
- name: Git checkout
uses: actions/checkout@v2
- name: Verify Config Merge
uses: GaneshSPatil/gocd-mergeable@v1.1.0
with:
GOCD_SERVER_URL: 'https://gocdserverurl.com/go'
GOCD_ADMIN_ACCESS_TOKEN: ${{ secrets.GOCD_ADMIN_ACCESS_TOKEN }}
GOCD_CONFIG_REPOSITORY_ID: 'config-repo-id'on: [pull_request]
jobs:
verify_config_repository:
runs-on: ubuntu-latest
name: verify config repository changes
steps:
- name: Git checkout
uses: actions/checkout@v2
- name: Verify Config Merge
uses: GaneshSPatil/gocd-mergeable@v1.1.0
with:
GOCD_SERVER_URL: 'https://gocdserverurl.com/go'
GOCD_ADMIN_ACCESS_TOKEN: ${{ secrets.GOCD_ADMIN_ACCESS_TOKEN }}
GOCD_CONFIG_REPOSITORY_ID: 'config-repo-id'GoCD's pipeline as code allows the pipeline configurations to be defined where the source is (same git repository). But we often don't make changes to the pipeline configurations and thus can avoid GoCD mergeable bot check by whitelisting the config files.
on:
push:
paths:
- '.gocd/*.gocd.yml'
- '.gocd/*.gocd.yaml'
jobs:
verify_config_repository:
runs-on: ubuntu-latest
name: verify config repository changes
steps:
- name: Git checkout
uses: actions/checkout@v2
- name: Verify Config Merge
uses: GaneshSPatil/gocd-mergeable@v1.1.0
with:
GOCD_SERVER_URL: 'https://gocdserverurl.com/go'
GOCD_ADMIN_ACCESS_TOKEN: ${{ secrets.GOCD_ADMIN_ACCESS_TOKEN }}
GOCD_CONFIG_REPOSITORY_ID: 'config-repo-id'- Following is an example of successful GoCD mergeable run, when the config repository configurations are valid and can be successfully merged with GoCD.
- Following is an example of failed GoCD mergeable run, when the config repository configurations has some errors (and/or is invalid).
YAML and JSON plugins do not execute user code because they only parse yaml and json files with pipeline definitions. However, GoCD groovy DSL plugin will evaluate untrusted code on the GoCD server, so beware of the risk that involves:
Enabling GoCD mergeable Github Action for pull requests on a groovy config public repository can allow a malicious Github user to do significant damage by running a script as part of the pull request that steal keys and secrets, remove files and directories, install malware, etc on the GoCD Server.
It is recommended to configure GoCD mergeable Github Action to be executed only on trusted check-ins.
Evaluating the groovy code in a sandbox is currently a work in progress for the groovy plugin.
GoCD mergeable is an open source project, under the Apache License, Version 2.0.
Contributions are welcome! See Contributor's Guide