fetch-docs: pull and publish docs from CI (replaces buildbot doc rsync) #2
Open
grandixximo wants to merge 2 commits into
Conversation
Cron-friendly, stdlib-only Python that replaces the buildbot doc rsync. Picks the newest non-expired linuxcnc-doc artifact built on the given branch by the trusted repo (head_repository_id, so a fork PR cannot inject docs), verifies its sha256, unpacks it, sanity-checks the tree (index.html present, no PHP tags, no executables, no path traversal), then swaps the served html symlink atomically and prunes to the live release plus one. Skips if the live artifact is already deployed, silent on success. Branch and webroot are arguments, so one cron line serves devel and one serves stable:

fetch-docs master /path/to/docs/devel
fetch-docs 2.9 /path/to/docs/stable
But it seems not verified that the token file actually has permissions 0600 (or 0400).
The header recommended chmod 600 for the token file but nothing enforced it. Verify the mode before reading and abort if any group/other bit is set, like ssh does for private keys.
Author
Good catch. The chmod 600 was only a hint in the comment, never enforced. It now stats the token file and refuses to run if any group/other bit is set, like ssh does for private keys.
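The check agreed on in this thread, together with the post-unpack tree checks and the atomic symlink swap the PR description lists, as an added example written for this page. It is not the project's fetch-docs script; the function names, the DeployError type and the constructed token, tarballs and paths in demo() are assumptions made for illustration.

```python
"""Added example for this thread, not the project's fetch-docs script: the
token-file mode check (any group/other bit aborts, as ssh does for private
keys), the post-unpack tree checks and the atomic symlink swap. Function
names and the error type are assumptions."""
import io
import os
import stat
import tarfile
import tempfile

PHP_TAGS = (b"<?php", b"<?=")


class DeployError(Exception):
    """Anything that must abort the publish step."""


def read_token(path):
    """Read the API token only if path is a regular file with no group/other bits."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise DeployError(f"{path}: not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any rwx bit for group or other, the rule ssh applies to keys
        raise DeployError(f"{path}: mode {mode:04o} too permissive, use chmod 600")
    with open(path, "rb") as fh:
        token = fh.read().strip()
    if not token:
        raise DeployError(f"{path}: empty token")
    return token.decode("ascii")


def safe_members(tar, dest):
    """Reject members that resolve outside dest, members that are not plain
    files or directories (symlinks, devices) and files with an execute bit."""
    dest = os.path.realpath(dest)
    for m in tar.getmembers():
        target = os.path.realpath(os.path.join(dest, m.name))
        if os.path.commonpath([dest, target]) != dest:
            raise DeployError(f"path traversal in archive: {m.name}")
        if not (m.isfile() or m.isdir()):
            raise DeployError(f"unsupported member type: {m.name}")
        if m.isfile() and m.mode & 0o111:
            raise DeployError(f"executable in archive: {m.name}")
        yield m


def unpack(archive, dest):
    with tarfile.open(archive) as tar:
        tar.extractall(dest, members=safe_members(tar, dest))


def check_tree(root):
    """index.html present, no symlinks, no executables, no PHP open tags."""
    if not os.path.isfile(os.path.join(root, "index.html")):
        raise DeployError("index.html missing")
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                raise DeployError(f"symlink in tree: {p}")
            if name in filenames:
                if os.stat(p).st_mode & 0o111:
                    raise DeployError(f"executable in tree: {p}")
                with open(p, "rb") as fh:
                    if any(tag in fh.read() for tag in PHP_TAGS):
                        raise DeployError(f"PHP tag in {p}")
    return True


def swap_symlink(link, target):
    """Repoint link atomically: create a temp symlink, rename it over link."""
    tmp = f"{link}.tmp.{os.getpid()}"
    os.symlink(target, tmp)
    os.replace(tmp, link)
    return os.readlink(link)


def demo():
    """Constructed scenario (not real data): 0644 token rejected, 0600 accepted;
    a '../' member rejected; a clean tree unpacked, checked and published."""
    out = {}
    with tempfile.TemporaryDirectory() as td:
        def tarball(name, members):
            path = os.path.join(td, name)
            with tarfile.open(path, "w") as tar:
                for mname, data in members:
                    ti = tarfile.TarInfo(mname)
                    ti.size = len(data)  # TarInfo default mode is 0o644
                    tar.addfile(ti, io.BytesIO(data))
            return path

        tok = os.path.join(td, "token")
        with open(tok, "w") as fh:
            fh.write("example-token-not-real\n")  # constructed placeholder
        os.chmod(tok, 0o644)
        try:
            out["loose_token"] = read_token(tok)
        except DeployError:
            out["loose_token"] = "rejected"
        os.chmod(tok, 0o600)
        out["strict_token"] = read_token(tok)

        bad = tarball("bad.tar", [("../escape.html", b"<html></html>")])
        try:
            unpack(bad, os.path.join(td, "bad_out"))
            out["traversal"] = "accepted"
        except DeployError:
            out["traversal"] = "rejected"

        good = tarball("good.tar", [("html/index.html", b"<html>docs</html>"),
                                    ("html/page.html", b"<p>ok</p>")])
        rel = os.path.join(td, "releases", "run-1", "html")
        unpack(good, os.path.dirname(rel))
        out["tree_ok"] = check_tree(rel)
        out["link_ok"] = swap_symlink(os.path.join(td, "html"), rel) == rel
    return out
```

The mode check uses os.stat (following symlinks) and also refuses anything that is not a regular file, so a token path pointing at a FIFO or directory aborts as well. The traversal check compares realpath results so that `..` segments and symlinked parents are resolved before the containment test; the symlink swap relies on rename(2) replacing the old link in one step, so a web server reading `html` never sees it missing.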
This is the doc fetch-and-publish step for the webserver, moved here from LinuxCNC/wlo#42 after discussion: it is operational, not website content, so it belongs in infrastructure alongside emc2-doc-buildandrsync-*-wlo.

Background: since the doc build layout changed, linuxcnc.org/docs/devel stopped updating. CI now builds and uploads the docs as an artifact (LinuxCNC/linuxcnc#4150); this pulls and publishes it on the webserver, replacing the buildbot doc rsync.

fetch-docs is a cron-friendly, stdlib-only Python script. It:
- picks the newest non-expired linuxcnc-doc artifact built on the given branch by the trusted repo (head_repository_id, so a fork PR cannot inject docs),
- verifies its sha256 digest,
- swaps the served html symlink atomically and prunes to the live release plus one.

Branch and webroot are arguments, so one cron line serves devel and one serves stable:

fetch-docs master /path/to/docs/devel
fetch-docs 2.9 /path/to/docs/stable

Trust model (per @BsAtHome): meant to run as a separately deployed, vetted local copy, not executed from a checkout. The token is read from a chmod-600 file (… actions:read), branch and webroot are arguments, nothing operational is hardcoded.

Notes for whoever runs the server:
- WEBROOT, token path, and the cron schedule are set locally.
- … docs/ (an rsync --delete would clobber what this publishes).

@andypugh @SebKuzminsky this is a starting point, happy to adjust paths, language, or trim.