Project author: GaneshSPatil

Project description:
A Github Action to verify changes done to the GoCD config repository
Language: JavaScript
Repository: git://github.com/GaneshSPatil/gocd-mergeable.git
Created: 2020-01-25T06:30:46Z
Project page: https://github.com/GaneshSPatil/gocd-mergeable

License: Apache License 2.0



🚀 GoCD mergeable - Github Action


A Github Action for verifying changes done to the GoCD config repository.

On every check-in or pull request, the GoCD mergeable action verifies whether the modifications made to the GoCD configuration files are valid by running the GoCD preflight check against the specified config repository.

Usage

See action.yml for the comprehensive list of options.

Example

Check out the GoCD mergeable YAML Example master branch and pull request for live examples.

Basic

Note: Do not specify GOCD_ADMIN_ACCESS_TOKEN as a plain-text value.
Use GitHub Secrets to supply the access token; it is a GoCD admin credential, and anyone who can read the workflow file would otherwise be able to read it.

```yaml
on: [push]
jobs:
  verify_config_repository:
    runs-on: ubuntu-latest
    name: verify config repository changes
    steps:
      - name: Git checkout
        uses: actions/checkout@v2
      - name: Verify Config Merge
        uses: GaneshSPatil/gocd-mergeable@v1.1.0
        with:
          GOCD_SERVER_URL: 'https://gocdserverurl.com/go'
          GOCD_ADMIN_ACCESS_TOKEN: ${{ secrets.GOCD_ADMIN_ACCESS_TOKEN }}
          GOCD_CONFIG_REPOSITORY_ID: 'config-repo-id'
```

Validate on pull requests

```yaml
on: [pull_request]
jobs:
  verify_config_repository:
    runs-on: ubuntu-latest
    name: verify config repository changes
    steps:
      - name: Git checkout
        uses: actions/checkout@v2
      - name: Verify Config Merge
        uses: GaneshSPatil/gocd-mergeable@v1.1.0
        with:
          GOCD_SERVER_URL: 'https://gocdserverurl.com/go'
          GOCD_ADMIN_ACCESS_TOKEN: ${{ secrets.GOCD_ADMIN_ACCESS_TOKEN }}
          GOCD_CONFIG_REPOSITORY_ID: 'config-repo-id'
```

Trigger validation only when the configuration changes

GoCD's pipeline-as-code lets the pipeline configuration live next to the source it builds (in the same git repository).
Most check-ins do not touch the pipeline configuration, so the GoCD mergeable check can be skipped for them by whitelisting the config file paths in the trigger; the workflow then runs only when one of those files changes.

```yaml
on:
  push:
    paths:
      - '.gocd/*.gocd.yml'
      - '.gocd/*.gocd.yaml'
jobs:
  verify_config_repository:
    runs-on: ubuntu-latest
    name: verify config repository changes
    steps:
      - name: Git checkout
        uses: actions/checkout@v2
      - name: Verify Config Merge
        uses: GaneshSPatil/gocd-mergeable@v1.1.0
        with:
          GOCD_SERVER_URL: 'https://gocdserverurl.com/go'
          GOCD_ADMIN_ACCESS_TOKEN: ${{ secrets.GOCD_ADMIN_ACCESS_TOKEN }}
          GOCD_CONFIG_REPOSITORY_ID: 'config-repo-id'
```

Output

Following is an example of a successful GoCD mergeable run, when the config repository configuration is valid and can be merged into GoCD:

[screenshot: GoCD mergeable success output]

Following is an example of a failed GoCD mergeable run, when the config repository configuration has errors (or is otherwise invalid):

[screenshot: GoCD mergeable failed output]

A note about security

The YAML and JSON config repo plugins do not execute user code: they only parse the YAML and JSON files that hold the pipeline definitions. The GoCD Groovy DSL plugin, however, evaluates the submitted Groovy script on the GoCD server, so be aware of the risk this involves:

Enabling the GoCD mergeable GitHub Action for pull requests on a public repository that uses the Groovy config plugin allows a malicious GitHub user to do significant damage by submitting, as part of the pull request, a script that steals keys and secrets, removes files and directories, installs malware, etc. on the GoCD server. The preflight check sends the pull request's config files to the server, so the untrusted script is evaluated before anyone has reviewed it.

It is recommended to configure the GoCD mergeable GitHub Action to run only on trusted check-ins.

Evaluating the Groovy code in a sandbox is currently a work in progress for the Groovy plugin.
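The following workflow is an added example of the "trusted check-ins only" recommendation above; it is not part of the gocd-mergeable project. It assumes the default branch is called `master` and that the repository uses the Groovy config plugin (the case where the restriction matters). The job-level `if` lets pushes to `master` through and accepts a pull request only when its head branch lives in this repository, so a pull request opened from a fork never reaches the GoCD server.

```yaml
# Added example, not the project's own workflow. Assumed names: branch
# `master`, config repo id `config-repo-id`, server URL as in the README.
on:
  push:
    branches: [master]
  pull_request:

jobs:
  verify_config_repository:
    runs-on: ubuntu-latest
    name: verify config repository changes
    # Pushes are trusted (they came from someone with write access).
    # For pull requests, require the head branch to be in this repository:
    # a fork's head repo has a different full_name and is skipped, so its
    # Groovy files are never sent to the GoCD server for evaluation.
    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - name: Git checkout
        uses: actions/checkout@v2
      - name: Verify Config Merge
        uses: GaneshSPatil/gocd-mergeable@v1.1.0
        with:
          GOCD_SERVER_URL: 'https://gocdserverurl.com/go'
          GOCD_ADMIN_ACCESS_TOKEN: ${{ secrets.GOCD_ADMIN_ACCESS_TOKEN }}
          GOCD_CONFIG_REPOSITORY_ID: 'config-repo-id'
```

Two caveats worth checking in your own setup. First, GitHub does not pass repository secrets to `pull_request` runs triggered from a fork, so even without the `if` guard a fork PR would fail at authentication rather than reach the server; the guard makes that intent explicit and keeps the job from failing noisily. Second, do not switch the trigger to `pull_request_target` to "fix" fork PRs getting no secrets: that trigger does expose the admin token, and combined with checking out the PR head it is exactly the path that hands an untrusted Groovy script to the GoCD server.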

License

GoCD mergeable is an open source project, under the Apache License, Version 2.0.


Contributions

Contributions are welcome! See Contributor’s Guide