Skip to content

Commit 4bafa0f

Browse files
authored
avoid processing deployments from other github apps (#196)
1 parent d0ebd10 commit 4bafa0f

2 files changed

Lines changed: 25 additions & 0 deletions

File tree

cabotage/celery/tasks/github.py

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -117,6 +117,15 @@ def _resolve_app_env_for_hook(installation_id, repository_name, environment):
117117
def process_deployment_hook(hook):
118118
installation_id = hook.payload["installation"]["id"]
119119
deployment = hook.payload["deployment"]
120+
121+
# Only process deployments created by this app's bot
122+
if deployment["creator"]["login"] != github_app.bot_login:
123+
print(
124+
f"ignoring deployment created by {deployment['creator']['login']} "
125+
f"(not {github_app.bot_login})"
126+
)
127+
return False
128+
120129
environment = deployment["environment"]
121130
repository_name = hook.payload["repository"]["full_name"]
122131
commit_sha = hook.payload["deployment"]["sha"]

cabotage/server/ext/github_app.py

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,7 @@ def init_app(self, app):
2121
self.app_private_key_pem = None
2222
self._bearer_token = None
2323
self._bearer_token_exp = -1
24+
self._bot_login = None
2425

2526
if app.config["GITHUB_WEBHOOK_SECRET"]:
2627
self.webhook_secret = app.config["GITHUB_WEBHOOK_SECRET"]
@@ -65,6 +66,21 @@ def bearer_token(self):
6566
self._bearer_token_exp = issued + 599
6667
return self._bearer_token
6768

69+
@property
70+
def bot_login(self):
71+
if self._bot_login is None:
72+
resp = requests.get(
73+
"https://api.github.com/app",
74+
headers={
75+
"Accept": "application/vnd.github+json",
76+
"Authorization": f"Bearer {self.bearer_token}",
77+
},
78+
timeout=10,
79+
)
80+
resp.raise_for_status()
81+
self._bot_login = f"{resp.json()['slug']}[bot]"
82+
return self._bot_login
83+
6884
def fetch_installation_access_token(self, installation_id):
6985
access_token_response = requests.post(
7086
f"https://api.github.com/app/installations/{installation_id}/access_tokens",

0 commit comments

Comments
 (0)