shipit-engine 0.35.0 → 0.36.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5cbfd599963d1633705290c92ef5c7171619c1350a3a431546061e3521c78a3a
-  data.tar.gz: a588c0fc5bda460eeb99121aaa06d83f2177eaf208f28253bb672eff9ff0c79c
+  metadata.gz: 17cf66ed4359907e35e37a0ac00bcb05884c24148386bf8712d8b73c3cc33708
+  data.tar.gz: b21d35454c554c7faccad5236333cefc3270434617e4bd192372c0a8baa66ac1
 SHA512:
-  metadata.gz: 0bf7ec4d0a2a7f7e3192bda2e26252677217bf9bbc2f877c27c0b5aa66b9862fbb49fce0737239bb3a537831908deacc7d7e06a35ca7d343d5b9067b5aa98d98
-  data.tar.gz: 8dfd2d78e9ab13f6c04fb95a661979512d0721f983f94aa77b5eba9202609af9ea043e6b382f5cdfc6856928aba755ae91ab0fd79e566e6f224be11b53f2a700
+  metadata.gz: 1f8e6ba6aaaa5eaa4630cfb52a1445e416e4cb6566550c4a5e2ec447065b2d342c52a728b370552a8b7a2a7df8061c30b0d4987d637729d533fd1bfd907a074a
+  data.tar.gz: 94abc1c12513349c85d4d54c4668865f21a42bf055d630fca667fd636dd7119b42f31c11f5c2182f2412ed76601adecce38b096a1add9e978dd83279b600d7fb

data/README.md

@@ -134,6 +134,19 @@ Lastly, if you override the `app_name` configuration in your Shipit deployment,
 
 * * *
 
+<h3 id="respecting-bare-files">Respecting bare <code>shipit.yml</code> files</h3>
+
+Shipit will, by default, respect the "bare" <code>shipit.yml</code> file as a fallback option if no more specifically-named file exists (such as <code>shipit.staging.yml</code>).
+
+You can configure this behavior via the attribute <code>Shipit.respect_bare_shipit_file</code>.
+
+- The value <code>false</code> will disable this behavior and instead cause Shipit to emit an error upon deploy if Shipit cannot find a more specifically-named file.
+- Setting this attribute to any other value (**including <code>nil</code>**), or not setting this attribute, will cause Shipit to use the default behavior of respecting bare <code>shipit.yml</code> files.
+
+You can determine if Shipit is configured to respect bare files using <code>Shipit.respect_bare_shipit_file?</code>.
+
+* * *
+
 <h3 id="installing-dependencies">Installing dependencies</h3>
 
 The **<code>dependencies</code>** step allows you to install all the packages your deploy script needs.
@@ -390,7 +403,7 @@ machine:
 
 <h3 id="ci">CI</h3>
 
-**<code>ci.require</code>** contains an array of the [statuses context](https://developer.github.com/v3/repos/statuses/) you want Shipit to disallow deploys if any of them is missing on the commit being deployed.
+**<code>ci.require</code>** contains an array of the [statuses context](https://docs.github.com/en/rest/reference/commits#commit-statuses) you want Shipit to disallow deploys if any of them is missing on the commit being deployed.
 
 For example:
 ```yml
@@ -399,7 +412,7 @@ ci:
     - ci/circleci
 ```
 
-**<code>ci.hide</code>** contains an array of the [statuses context](https://developer.github.com/v3/repos/statuses/) you want Shipit to ignore.
+**<code>ci.hide</code>** contains an array of the [statuses context](https://docs.github.com/en/rest/reference/commits#commit-statuses) you want Shipit to ignore.
 
 For example:
 ```yml
@@ -408,7 +421,7 @@ ci:
     - ci/circleci
 ```
 
-**<code>ci.allow_failures</code>** contains an array of the [statuses context](https://developer.github.com/v3/repos/statuses/) you want to be visible but not to required for deploy.
+**<code>ci.allow_failures</code>** contains an array of the [statuses context](https://docs.github.com/en/rest/reference/commits#commit-statuses) you want to be visible but not to required for deploy.
 
 For example:
 ```yml
@@ -417,7 +430,7 @@ ci:
     - ci/circleci
 ```
 
-**<code>ci.blocking</code>** contains an array of the [statuses context](https://developer.github.com/v3/repos/statuses/) you want to disallow deploys if any of them is missing or failing on any of the commits being deployed.
+**<code>ci.blocking</code>** contains an array of the [statuses context](https://docs.github.com/en/rest/reference/commits#commit-statuses) you want to disallow deploys if any of them is missing or failing on any of the commits being deployed.
 
 For example:
 ```yml
@@ -440,7 +453,7 @@ merge:
   revalidate_after: 12m30s
 ```
 
-**<code>merge.require</code>** contains an array of the [statuses context](https://developer.github.com/v3/repos/statuses/) that you want Shipit to consider as failing if they aren't present on the pull request. Defaults to `ci.require` if present, or empty otherwise.
+**<code>merge.require</code>** contains an array of the [statuses context](https://docs.github.com/en/rest/reference/commits#commit-statuses) that you want Shipit to consider as failing if they aren't present on the pull request. Defaults to `ci.require` if present, or empty otherwise.
 
 For example:
 ```yml
@@ -449,7 +462,7 @@ merge:
     - continuous-integration/travis-ci/push
 ```
 
-**<code>merge.ignore</code>** contains an array of the [statuses context](https://developer.github.com/v3/repos/statuses/) that you want Shipit not to consider when merging pull requests. Defaults to the union of `ci.allow_failures` and `ci.hide` if any is present or empty otherwise.
+**<code>merge.ignore</code>** contains an array of the [statuses context](https://docs.github.com/en/rest/reference/commits#commit-statuses) that you want Shipit not to consider when merging pull requests. Defaults to the union of `ci.allow_failures` and `ci.hide` if any is present or empty otherwise.
 
 For example:
 ```yml
@@ -458,7 +471,7 @@ merge:
     - codeclimate
 ```
 
-**<code>merge.method</code>** the [merge method](https://developer.github.com/v3/pulls/#merge-a-pull-request-merge-button) to use for this stack. If it's not set the default merge method will be used. Can be either `merge`, `squash` or `rebase`.
+**<code>merge.method</code>** the [merge method](https://docs.github.com/en/rest/reference/pulls#merge-a-pull-request--parameters) to use for this stack. If it's not set the default merge method will be used. Can be either `merge`, `squash` or `rebase`.
 
 For example:
 ```yml

data/app/controllers/concerns/shipit/authentication.rb

@@ -17,7 +17,11 @@ module Shipit
     private
 
     def force_github_authentication
-      if Shipit.authentication_disabled? || current_user.logged_in?
+      if current_user.logged_in? && current_user.requires_fresh_login?
+        Rails.logger.warn("User #{current_user.id} requires a fresh login, logging out...")
+        reset_session
+        redirect_to(Shipit::Engine.routes.url_helpers.github_authentication_path(origin: request.original_url))
+      elsif Shipit.authentication_disabled? || current_user.logged_in?
         unless current_user.authorized?
           team_handles = Shipit.github_teams.map(&:handle)
           team_list = team_handles.to_sentence(two_words_connector: ' or ', last_word_connector: ', or ')

data/app/controllers/shipit/api/base_controller.rb

@@ -28,6 +28,18 @@ module Shipit
 
       private
 
+      module BasicAuth
+        # Workaround for https://github.com/rails/rails/pull/44610
+        extend ActionController::HttpAuthentication::Basic
+        extend self
+
+        private
+
+        def has_basic_credentials?(request)
+          request.authorization.present? && (auth_scheme(request).downcase == "basic")
+        end
+      end
+
       def namespace_for_serializer
         nil
       end
@@ -36,7 +48,7 @@ module Shipit
         @current_api_client = if Shipit.disable_api_authentication
           UnlimitedApiClient.new
         else
-          authenticate_with_http_basic do |*parts|
+          BasicAuth.authenticate(request) do |*parts|
             token = parts.select(&:present?).join('--')
             ApiClient.authenticate(token)
           end

data/app/controllers/shipit/api/rollbacks_controller.rb

@@ -21,7 +21,7 @@ module Shipit
           param_error!(:force, "Can't rollback, deploy in progress")
         elsif stack.active_task?
           active_task = stack.active_task
-          active_task.abort!(aborted_by: current_user, rollback_once_aborted_to: deploy)
+          active_task.abort!(aborted_by: current_user, rollback_once_aborted_to: deploy, rollback_once_aborted: true)
           response = active_task
         else
           response = deploy.trigger_rollback(current_user, env: deploy_env, force: params.force, lock: params.lock)

data/app/controllers/shipit/api/stacks_controller.rb

@@ -27,7 +27,7 @@ module Shipit
         requires :repo_name, String
         accepts :environment, String
         accepts :branch, String
-        accepts :deploy_url, String
+        accepts :deploy_url, String, allow_nil: true
         accepts :ignore_ci, Boolean
         accepts :merge_queue_enabled, Boolean
         accepts :continuous_deployment, Boolean
@@ -40,8 +40,9 @@ module Shipit
       end
 
       params do
+        accepts :environment, String
         accepts :branch, String
-        accepts :deploy_url, String
+        accepts :deploy_url, String, allow_nil: true
         accepts :ignore_ci, Boolean
         accepts :merge_queue_enabled, Boolean
         accepts :continuous_deployment, Boolean
@@ -60,6 +61,11 @@ module Shipit
         head(:accepted)
       end
 
+      def refresh
+        GithubSyncJob.perform_later(stack_id: stack.id)
+        render_resource(stack, status: :accepted)
+      end
+
       private
 
       def create_params

data/app/controllers/shipit/api/tasks_controller.rb

@@ -3,14 +3,14 @@ module Shipit
   module Api
     class TasksController < BaseController
       require_permission :read, :stack
-      require_permission :deploy, :stack, only: :trigger
+      require_permission :deploy, :stack, only: %i(trigger abort)
 
       def index
         render_resources(stack.tasks)
       end
 
       def show
-        render_resource(stack.tasks.find(params[:id]))
+        render_resource(task)
       end
 
       params do
@@ -23,6 +23,23 @@ module Shipit
           message: 'A task is already running.',
         })
       end
+
+      def abort
+        if task.active?
+          task.abort!(aborted_by: current_user)
+          head(:accepted)
+        else
+          render(status: :method_not_allowed, json: {
+            message: "This task is not currently running.",
+          })
+        end
+      end
+
+      private
+
+      def task
+        stack.tasks.find(params[:id])
+      end
     end
   end
 end

data/app/controllers/shipit/rollbacks_controller.rb

@@ -5,7 +5,11 @@ module Shipit
     before_action :load_deploy
 
     def create
-      @rollback = @deploy.trigger_rollback(current_user, env: rollback_params[:env], force: params[:force].present?)
+      @rollback = @deploy.trigger_rollback(
+        current_user,
+        env: rollback_params[:env]&.to_unsafe_hash,
+        force: params[:force].present?,
+      )
       redirect_to(stack_deploy_path(@stack, @rollback))
     rescue Task::ConcurrentTaskRunning
       redirect_to(rollback_stack_deploy_path(@stack, @deploy))

data/app/helpers/shipit/stacks_helper.rb

@@ -36,6 +36,17 @@ module Shipit
       link_to(t("deploy_button.caption.#{deploy_state}"), url, class: classes, data: data)
     end
 
+    def rollback_button(deploy)
+      if deploy.stack.active_task?
+        link_to('Deploy in progress...', '#', class: 'btn disabled deploy-action')
+      else
+        url = rollback_stack_deploy_path(deploy.stack, deploy)
+        classes = %w(btn btn--delete deploy-action rollback-action)
+
+        link_to('Rollback to this deploy...', url, class: classes)
+      end
+    end
+
     def github_change_url(commit)
       if commit.pull_request?
         github_pull_request_url(commit)

data/app/models/concerns/shipit/deferred_touch.rb

@@ -49,9 +49,9 @@ module Shipit
       end
 
       def fetch_members
-        Shipit.redis.multi do
-          Shipit.redis.sunionstore(TMP_KEY, SET_KEY)
-          Shipit.redis.del(SET_KEY)
+        Shipit.redis.multi do |transaction|
+          transaction.sunionstore(TMP_KEY, SET_KEY)
+          transaction.del(SET_KEY)
         end
 
         yield Shipit.redis.smembers(TMP_KEY).map { |r| r.split('|') }

data/app/models/shipit/anonymous_user.rb

@@ -31,6 +31,10 @@ module Shipit
       false
     end
 
+    def requires_fresh_login?
+      false
+    end
+
     def authorized?
       Shipit.authentication_disabled?
     end

data/app/models/shipit/api_client.rb

@@ -8,7 +8,7 @@ module Shipit
 
     validates :creator, :name, presence: true
 
-    serialize :permissions, Array
+    serialize :permissions, Shipit.serialized_column(:permissions, type: Array)
     PERMISSIONS = %w(
       read:stack
       write:stack

data/app/models/shipit/commit_checks.rb

@@ -44,9 +44,9 @@ module Shipit
     end
 
     def write(output)
-      Shipit.redis.pipelined do
-        Shipit.redis.append(key('output'), output)
-        Shipit.redis.expire(key('output'), OUTPUT_TTL)
+      Shipit.redis.pipelined do |pipeline|
+        pipeline.append(key('output'), output)
+        pipeline.expire(key('output'), OUTPUT_TTL)
       end
     end
 

data/app/models/shipit/delivery.rb

@@ -9,7 +9,7 @@ module Shipit
     validates :url, presence: true, url: { no_local: true, allow_blank: true }
     validates :content_type, presence: true
 
-    serialize :response_headers, JSON
+    serialize :response_headers, SafeJSON
 
     after_commit :purge_old_deliveries, on: :create
 

data/app/models/shipit/deploy.rb

@@ -128,6 +128,7 @@ module Shipit
       lock_reason = "A rollback for #{until_commit.sha} has been triggered. " \
         "Please make sure the reason for the rollback has been addressed before deploying again."
       stack.update!(lock_reason: lock_reason, lock_author_id: user_id)
+      stack.emit_lock_hooks
       rollback
     end
 

data/app/models/shipit/deploy_spec/file_system.rb

@@ -91,10 +91,30 @@ module Shipit
       end
 
       def load_config
-        read_config(file("#{app_name}.#{@env}.yml", root: true)) ||
-          read_config(file("#{app_name}.yml", root: true)) ||
-          read_config(file("shipit.#{@env}.yml", root: true)) ||
-          read_config(file('shipit.yml', root: true))
+        return if config_file_path.nil?
+
+        if !Shipit.respect_bare_shipit_file? && config_file_path.to_s.end_with?(*bare_shipit_filenames)
+          return { 'deploy' => { 'pre' => [shipit_not_obeying_bare_file_echo_command, 'exit 1'] } }
+        end
+
+        read_config(config_file_path)
+      end
+
+      def shipit_file_names_in_priority_order
+        ["#{app_name}.#{@env}.yml", "#{app_name}.yml", "shipit.#{@env}.yml", "shipit.yml"].uniq
+      end
+
+      def bare_shipit_filenames
+        ["#{app_name}.yml", "shipit.yml"].uniq
+      end
+
+      def config_file_path
+        shipit_file_names_in_priority_order.each do |filename|
+          path = file(filename, root: true)
+          return path if path.exist?
+        end
+
+        nil
       end
 
       def app_name
@@ -104,6 +124,14 @@ module Shipit
       def read_config(path)
         SafeYAML.load(path.read) if path.exist?
       end
+
+      def shipit_not_obeying_bare_file_echo_command
+        <<~EOM
+          echo \"\e[1;31mShipit is configured to ignore the bare '#{app_name}.yml' file.
+          Please rename this file to more specifically include the environment name.
+          Deployments will fail until a valid '#{app_name}.#{@env}.yml' file is found.\e[0m\"
+        EOM
+      end
     end
   end
 end

data/app/models/shipit/pull_request.rb

@@ -11,7 +11,7 @@ module Shipit
     has_many :pull_request_assignments
     has_many :assignees, class_name: :User, through: :pull_request_assignments, source: :user
 
-    serialize :labels, Array
+    serialize :labels, Shipit.serialized_column(:labels, type: Array)
 
     after_create_commit :emit_create_hooks
     after_update_commit :emit_update_hooks

data/app/models/shipit/stack.rb

@@ -608,6 +608,16 @@ module Shipit
       Shipit.deployment_checks.call(self)
     end
 
+    def emit_lock_hooks
+      return unless previous_changes.include?('lock_reason')
+
+      lock_details = if previous_changes['lock_reason'].last.blank?
+        { from: previous_changes['locked_since'].first, until: Time.zone.now }
+      end
+
+      Hook.emit(:lock, self, locked: locked?, lock_details: lock_details, stack: self)
+    end
+
     private
 
     def clear_cache
@@ -641,16 +651,6 @@ module Shipit
       end
     end
 
-    def emit_lock_hooks
-      return unless previous_changes.include?('lock_reason')
-
-      lock_details = if previous_changes['lock_reason'].last.blank?
-        { from: previous_changes['locked_since'].first, until: Time.zone.now }
-      end
-
-      Hook.emit(:lock, self, locked: locked?, lock_details: lock_details, stack: self)
-    end
-
     def emit_added_hooks
       Hook.emit(:stack, self, action: :added, stack: self)
     end

data/app/models/shipit/task.rb

@@ -27,8 +27,35 @@ module Shipit
 
     deferred_touch stack: :updated_at
 
+    module EnvHash
+      class << self
+        def dump(hash)
+          raise TypeError, "Task#env should be a Hash[String => String]" unless hash.is_a?(Hash)
+          hash = hash.to_h.stringify_keys
+          hash.transform_values! do |value|
+            case value
+            when String, Symbol, Numeric
+              value.to_s
+            else
+              raise TypeError, "Task#env should be a Hash[String => String]" unless hash.is_a?(Hash)
+            end
+          end
+
+          hash unless hash.empty?
+        end
+
+        def load(hash)
+          hash&.to_h || {} # cast back to a real hash
+        end
+
+        def new
+          nil
+        end
+      end
+    end
+
     serialize :definition, TaskDefinition
-    serialize :env, Hash
+    serialize :env, Shipit.serialized_column(:env, coder: EnvHash)
 
     scope :success, -> { where(status: 'success') }
     scope :completed, -> { where(status: COMPLETED_STATUSES) }
@@ -313,9 +340,9 @@ module Shipit
     end
 
     def request_abort
-      Shipit.redis.pipelined do
-        Shipit.redis.incr(abort_key)
-        Shipit.redis.expire(abort_key, 1.month.to_i)
+      Shipit.redis.pipelined do |pipeline|
+        pipeline.incr(abort_key)
+        pipeline.expire(abort_key, 1.month.to_i)
       end
     end
 

data/app/models/shipit/user.rb

@@ -3,6 +3,8 @@ module Shipit
   class User < Record
     DEFAULT_AVATAR = URI.parse('https://avatars.githubusercontent.com/u/583231?')
 
+    self.ignored_columns = %w(encrypted_github_access_token_iv)
+
     has_many :memberships
     has_many :teams, through: :memberships
     has_many :authored_commits, class_name: :Commit, foreign_key: :author_id, inverse_of: :author
@@ -11,7 +13,10 @@ module Shipit
 
     validates :name, presence: true
 
-    attr_encrypted :github_access_token, key: Shipit.user_access_tokens_key
+    encrypts :encrypted_github_access_token
+    alias_attribute :github_access_token, :encrypted_github_access_token
+
+    after_find :discard_outdated_credentials!
 
     def self.find_or_create_by_login!(login)
       find_or_create_by!(login: login) do |user|
@@ -56,14 +61,6 @@ module Shipit
       end
     end
 
-    alias_method :original_github_access_token, :github_access_token
-    def github_access_token
-      original_github_access_token
-    rescue OpenSSL::Cipher::CipherError
-      update_columns(encrypted_github_access_token: nil, encrypted_github_access_token_iv: nil)
-      nil
-    end
-
     def github_api
       return Shipit.github.api unless github_access_token
 
@@ -123,8 +120,25 @@ module Shipit
       DEFAULT_AVATAR.dup
     end
 
+    # https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats
+    GITHUB_TOKEN_FORMAT = /^gh[a-z]_/
+
+    def requires_fresh_login?
+      github_access_token.present? && !github_access_token.match(GITHUB_TOKEN_FORMAT)
+    end
+
     private
 
+    def discard_outdated_credentials!
+      if encrypted_github_access_token_before_type_cast.present?
+        begin
+          encrypted_github_access_token
+        rescue ActiveRecord::Encryption::Errors::Decryption
+          update_column(:encrypted_github_access_token, nil)
+        end
+      end
+    end
+
     def identify_renamed_user!
       last_commit = commits.last
       return unless last_commit

data/app/serializers/shipit/stack_serializer.rb

@@ -8,7 +8,7 @@ module Shipit
     attributes :id, :repo_owner, :repo_name, :environment, :html_url, :url, :tasks_url, :deploy_url,
       :merge_requests_url, :deploy_spec, :undeployed_commits_count, :is_locked, :lock_reason, :continuous_deployment,
       :created_at, :updated_at, :locked_since, :last_deployed_at, :branch, :merge_queue_enabled, :is_archived,
-      :archived_since
+      :archived_since, :ignore_ci
 
     def url
       api_stack_url(object)

data/app/views/shipit/deploys/_deploy.html.erb

@@ -55,11 +55,7 @@
   <% unless read_only %>
     <div class="deploy-actions">
       <% if deploy.rollbackable? %>
-        <% if deploy.stack.active_task? %>
-          <%= link_to 'Deploy in progress...', '#', class: 'btn disabled deploy-action' %>
-        <% else %>
-          <%= link_to 'Rollback to this deploy...', rollback_stack_deploy_path(@stack, deploy), class: 'btn btn--delete deploy-action rollback-action' %>
-        <% end %>
+        <%= rollback_button(deploy) %>
       <% elsif deploy.currently_deployed? && !deploy.stack.active_task? %>
         <%= redeploy_button(deploy.until_commit) %>
       <% end %>

data/app/views/shipit/stacks/_banners.html.erb

@@ -23,7 +23,7 @@
           <%= link_to stack.github_repo_name, github_repo_url(stack.repo_owner, stack.repo_name) %>
           has been inaccessible for <%= time_ago_in_words(stack.inaccessible_since) %>.
 
-          This could be a permission issue, or the repository have been deleted on GitHub.
+          This could be a permission issue, or the repo could have changed on GitHub.
         </p>
       </div>
     </div>

data/app/views/shipit/stacks/_settings_form.erb

@@ -0,0 +1,55 @@
+<div class="setting-section">
+	<%= form_with scope: :stack, url: stack_path(stack), method: :patch do |f| %>
+		<div class="field-wrapper">
+			<%= f.label :environment %>
+			<%= f.text_field :environment, placeholder: 'production' %>
+		</div>
+
+		<div class="field-wrapper">
+			<span>Branch: <%= stack.branch %></span>
+		</div>
+
+		<div class="field-wrapper">
+			<%= f.label :deploy_url, 'Deploy URL (Where is this stack deployed to?)' %>
+			<%= f.text_field :deploy_url, placeholder: 'https://' %>
+		</div>
+
+		<div class="field-wrapper">
+			<%= f.check_box :continuous_deployment %>
+			<%= f.label :continuous_deployment, 'Enable continuous deployment' %>
+		</div>
+
+		<div class="field-wrapper">
+			<%= f.check_box :merge_queue_enabled %>
+			<%= f.label :merge_queue_enabled, 'Enable merge queue' %>
+		</div>
+
+		<div class="field-wrapper">
+			<%= f.check_box :ignore_ci %>
+			<%= f.label :ignore_ci, "Don't require CI to deploy" %>
+		</div>
+
+		<%= f.submit class: "btn", value: "Save" %>
+	<% end %>
+</div>
+
+<div class="setting-section">
+	<h5>Lock deploys</h5>
+	<%= form_with scope: :stack, url: stack_path(@stack), method: :patch do |f| %>
+		<div class="field-wrapper">
+			<%= f.label :lock_reason, 'Reason for lock' %>
+			<%= f.text_area :lock_reason %>
+		</div>
+		<% if @stack.locked? %>
+			<%= f.submit class: "btn", value: "Update Reason" %>
+		<% else %>
+				<%= f.submit class: "btn", value: "Lock" %>
+		<% end %>
+	<% end %>
+	<% if @stack.locked? %>
+		<%= form_with scope: :stack, url: stack_path(@stack), method: :patch do |f| %>
+			<%= f.hidden_field :lock_reason, value: nil %>
+			<%= f.submit class: "btn btn--primary", value: "Unlock" %>
+		<%- end -%>
+	<% end %>
+</div>