Support private repos (#13)

* Temporarily print branch

* Attempt to get and print fake secret

* Add rootUrl in attempt to fix secrets fetch error

* Try mimicking taskcluster-gha ts code for getting secrets

* Try another way

* Try gather_secrets from decision task to prevent leaks

* Try even earlier

* Still no

* Ah, probably was missing filtered print

* Experiment

* Test sanity by doing it the wrong way

* Try again

* Revert "Try again"

This reverts commit db5d1c8.

* Revert "Test sanity by doing it the wrong way"

This reverts commit bc904dd.

* Try this way

* Attempt to get commit message with authentication

* Python understandably didn't like that

* Sanity check

* Use API url

* Diff cleanup

* Remove test print

* Attempt to get build config with authentication

* Add comment about necessity for secrets and preventing accidental leaks

* Refactor and test still secure

* Remove test

* Fix config fetch secret

* Attempt refactor and verify security

* Don't repeat getting github token, move to utils

* Don't print full commit message in addition to shortened one

* Revert "Temporarily print branch"

This reverts commit 0183e08.

Author: dylanhand

decisionlib.py

@@ -29,6 +29,13 @@
 import utils
 import yaml
 
+# The decision task needs access to secrets in order to support private repos.
+# Replace standard print with filtered_print and gather_secrets (as in runner.py) 
+# to prevent accidental secrets leaking
+from utils import github_token 
+from runner import filtered_print, gather_secrets
+print = filtered_print
+gather_secrets()
 
 # Public API
 __all__ = [
@@ -107,13 +114,15 @@ def index_path(self):
     def commit_message(self):
         if self._commit_message is None:
             print("Getting commit message")
-            print(
-                f"https://github.com/{os.environ['REPO_FULL_NAME']}/commit/{self.git_sha}.patch"
-            )
-            commit = requests.get(
-                f"https://github.com/{os.environ['REPO_FULL_NAME']}/commit/{self.git_sha}.patch"
-            ).text
-            print(commit)
+            url = f"https://api.github.com/repos/{os.environ['REPO_FULL_NAME']}/commits/{self.git_sha}"
+            print(url)
+
+            headers = {
+                "Authorization": f"token {github_token()}",
+                "Accept": "application/vnd.github.v3.patch",
+            }
+            commit = requests.get(url, headers=headers).text
+            # print(commit)
             self._commit_message = commit.split("diff --git a/")[0]
             print(self._commit_message)
         return self._commit_message
@@ -122,8 +131,12 @@ def commit_message(self):
     def tc_config(self):
         if self._tc_config is None:
             try:
-                config = requests.get(
-                    f"https://raw.githubusercontent.com/{os.environ['REPO_FULL_NAME']}/{self.git_sha}/.build-config.yml").text
+                url = f"https://raw.githubusercontent.com/{os.environ['REPO_FULL_NAME']}/{self.git_sha}/.build-config.yml" 
+                headers = {
+                    "Authorization": f"token {github_token()}",
+                    "Accept": "application/vnd.github.v3.raw",
+                }
+                config = requests.get(url, headers=headers).text
                 self._tc_config = yaml.load(config, Loader=yaml.FullLoader)
             except yaml.YAMLError:
                 raise

utils.py

@@ -69,3 +69,17 @@ def create_extra_artifact(path: str, content: bytes, public=False):
     result = loop.run_until_complete(coro)
     loop.close()
     return result
+
+
+def secrets():
+    client = taskcluster.Secrets({
+        "rootUrl": os.environ["TASKCLUSTER_PROXY_URL"] 
+    })
+    secrets = client.get("divvun")
+    loadedSecrets = secrets["secret"]
+    return loadedSecrets
+
+
+def github_token():
+    sec = secrets()
+    return sec["github"]["token"]