Replace the single global webhook secret with entity-scoped secrets stored
on each project and static site. Webhook-driven project autocreate is
removed — projects must exist before their URL can trigger deploys.
Also wires static-site webhooks (sync_trigger=push|tag), turning the
previously inert "push" trigger into a functional one: POST the site's
webhook URL from a Git provider and Tinyforge re-syncs on matching refs.
- Adds webhook_secret columns + unique indexes to projects and static_sites
- Per-entity GET/regenerate endpoints under /api/projects/{id}/webhook
and /api/sites/{id}/webhook (admin-only)
- Removes /api/settings/webhook-url and the global webhook panel
- Reusable WebhookPanel Svelte component on both detail pages, i18n in en/ru
- Tests for matcher (siteRefMatches, ParseImageRef) and handler (project
match/mismatch/404 and site push/manual/branch-skip)
This commit is contained in:
+83
-16
@@ -8,16 +8,25 @@ import (
|
||||
"github.com/google/uuid"
|
||||
)
|
||||
|
||||
// CreateProject inserts a new project and returns it.
|
||||
// projectCols is the canonical column list for projects queries.
|
||||
const projectCols = `id, name, registry, image, port, healthcheck, env, volumes,
|
||||
npm_access_list_id, webhook_secret, created_at, updated_at`
|
||||
|
||||
// CreateProject inserts a new project and returns it. A webhook secret is
|
||||
// generated automatically if one is not already set on the input.
|
||||
func (s *Store) CreateProject(p Project) (Project, error) {
|
||||
p.ID = uuid.New().String()
|
||||
p.CreatedAt = Now()
|
||||
p.UpdatedAt = p.CreatedAt
|
||||
if p.WebhookSecret == "" {
|
||||
p.WebhookSecret = uuid.New().String()
|
||||
}
|
||||
|
||||
_, err := s.db.Exec(
|
||||
`INSERT INTO projects (id, name, registry, image, port, healthcheck, env, volumes, npm_access_list_id, created_at, updated_at)
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
|
||||
p.ID, p.Name, p.Registry, p.Image, p.Port, p.Healthcheck, p.Env, p.Volumes, p.NpmAccessListID, p.CreatedAt, p.UpdatedAt,
|
||||
`INSERT INTO projects (`+projectCols+`)
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
|
||||
p.ID, p.Name, p.Registry, p.Image, p.Port, p.Healthcheck, p.Env, p.Volumes,
|
||||
p.NpmAccessListID, p.WebhookSecret, p.CreatedAt, p.UpdatedAt,
|
||||
)
|
||||
if err != nil {
|
||||
return Project{}, fmt.Errorf("insert project: %w", err)
|
||||
@@ -29,9 +38,9 @@ func (s *Store) CreateProject(p Project) (Project, error) {
|
||||
func (s *Store) GetProjectByID(id string) (Project, error) {
|
||||
var p Project
|
||||
err := s.db.QueryRow(
|
||||
`SELECT id, name, registry, image, port, healthcheck, env, volumes, npm_access_list_id, created_at, updated_at
|
||||
FROM projects WHERE id = ?`, id,
|
||||
).Scan(&p.ID, &p.Name, &p.Registry, &p.Image, &p.Port, &p.Healthcheck, &p.Env, &p.Volumes, &p.NpmAccessListID, &p.CreatedAt, &p.UpdatedAt)
|
||||
`SELECT `+projectCols+` FROM projects WHERE id = ?`, id,
|
||||
).Scan(&p.ID, &p.Name, &p.Registry, &p.Image, &p.Port, &p.Healthcheck, &p.Env, &p.Volumes,
|
||||
&p.NpmAccessListID, &p.WebhookSecret, &p.CreatedAt, &p.UpdatedAt)
|
||||
if errors.Is(err, sql.ErrNoRows) {
|
||||
return Project{}, fmt.Errorf("project %s: %w", id, ErrNotFound)
|
||||
}
|
||||
@@ -41,11 +50,30 @@ func (s *Store) GetProjectByID(id string) (Project, error) {
|
||||
return p, nil
|
||||
}
|
||||
|
||||
// GetProjectByWebhookSecret looks up a project by its webhook secret.
|
||||
// Returns ErrNotFound if no project has this secret (including empty).
|
||||
func (s *Store) GetProjectByWebhookSecret(secret string) (Project, error) {
|
||||
if secret == "" {
|
||||
return Project{}, ErrNotFound
|
||||
}
|
||||
var p Project
|
||||
err := s.db.QueryRow(
|
||||
`SELECT `+projectCols+` FROM projects WHERE webhook_secret = ?`, secret,
|
||||
).Scan(&p.ID, &p.Name, &p.Registry, &p.Image, &p.Port, &p.Healthcheck, &p.Env, &p.Volumes,
|
||||
&p.NpmAccessListID, &p.WebhookSecret, &p.CreatedAt, &p.UpdatedAt)
|
||||
if errors.Is(err, sql.ErrNoRows) {
|
||||
return Project{}, ErrNotFound
|
||||
}
|
||||
if err != nil {
|
||||
return Project{}, fmt.Errorf("query project by webhook secret: %w", err)
|
||||
}
|
||||
return p, nil
|
||||
}
|
||||
|
||||
// GetAllProjects returns every project ordered by name.
|
||||
func (s *Store) GetAllProjects() ([]Project, error) {
|
||||
rows, err := s.db.Query(
|
||||
`SELECT id, name, registry, image, port, healthcheck, env, volumes, npm_access_list_id, created_at, updated_at
|
||||
FROM projects ORDER BY name`,
|
||||
`SELECT ` + projectCols + ` FROM projects ORDER BY name`,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("query projects: %w", err)
|
||||
@@ -55,7 +83,8 @@ func (s *Store) GetAllProjects() ([]Project, error) {
|
||||
projects := []Project{}
|
||||
for rows.Next() {
|
||||
var p Project
|
||||
if err := rows.Scan(&p.ID, &p.Name, &p.Registry, &p.Image, &p.Port, &p.Healthcheck, &p.Env, &p.Volumes, &p.NpmAccessListID, &p.CreatedAt, &p.UpdatedAt); err != nil {
|
||||
if err := rows.Scan(&p.ID, &p.Name, &p.Registry, &p.Image, &p.Port, &p.Healthcheck, &p.Env, &p.Volumes,
|
||||
&p.NpmAccessListID, &p.WebhookSecret, &p.CreatedAt, &p.UpdatedAt); err != nil {
|
||||
return nil, fmt.Errorf("scan project: %w", err)
|
||||
}
|
||||
projects = append(projects, p)
|
||||
@@ -66,8 +95,7 @@ func (s *Store) GetAllProjects() ([]Project, error) {
|
||||
// GetProjectsByImage returns all projects using the given image, newest first.
|
||||
func (s *Store) GetProjectsByImage(image string) ([]Project, error) {
|
||||
rows, err := s.db.Query(
|
||||
`SELECT id, name, registry, image, port, healthcheck, env, volumes, npm_access_list_id, created_at, updated_at
|
||||
FROM projects WHERE image = ? ORDER BY created_at DESC`, image,
|
||||
`SELECT `+projectCols+` FROM projects WHERE image = ? ORDER BY created_at DESC`, image,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("query projects by image: %w", err)
|
||||
@@ -77,7 +105,8 @@ func (s *Store) GetProjectsByImage(image string) ([]Project, error) {
|
||||
projects := []Project{}
|
||||
for rows.Next() {
|
||||
var p Project
|
||||
if err := rows.Scan(&p.ID, &p.Name, &p.Registry, &p.Image, &p.Port, &p.Healthcheck, &p.Env, &p.Volumes, &p.NpmAccessListID, &p.CreatedAt, &p.UpdatedAt); err != nil {
|
||||
if err := rows.Scan(&p.ID, &p.Name, &p.Registry, &p.Image, &p.Port, &p.Healthcheck, &p.Env, &p.Volumes,
|
||||
&p.NpmAccessListID, &p.WebhookSecret, &p.CreatedAt, &p.UpdatedAt); err != nil {
|
||||
return nil, fmt.Errorf("scan project: %w", err)
|
||||
}
|
||||
projects = append(projects, p)
|
||||
@@ -85,13 +114,16 @@ func (s *Store) GetProjectsByImage(image string) ([]Project, error) {
|
||||
return projects, rows.Err()
|
||||
}
|
||||
|
||||
// UpdateProject updates an existing project's mutable fields.
|
||||
// UpdateProject updates an existing project's mutable fields. Webhook secret
|
||||
// is intentionally not updated here — use SetProjectWebhookSecret instead.
|
||||
func (s *Store) UpdateProject(p Project) error {
|
||||
p.UpdatedAt = Now()
|
||||
result, err := s.db.Exec(
|
||||
`UPDATE projects SET name=?, registry=?, image=?, port=?, healthcheck=?, env=?, volumes=?, npm_access_list_id=?, updated_at=?
|
||||
`UPDATE projects SET name=?, registry=?, image=?, port=?, healthcheck=?, env=?, volumes=?,
|
||||
npm_access_list_id=?, updated_at=?
|
||||
WHERE id=?`,
|
||||
p.Name, p.Registry, p.Image, p.Port, p.Healthcheck, p.Env, p.Volumes, p.NpmAccessListID, p.UpdatedAt, p.ID,
|
||||
p.Name, p.Registry, p.Image, p.Port, p.Healthcheck, p.Env, p.Volumes,
|
||||
p.NpmAccessListID, p.UpdatedAt, p.ID,
|
||||
)
|
||||
if err != nil {
|
||||
return fmt.Errorf("update project: %w", err)
|
||||
@@ -103,6 +135,41 @@ func (s *Store) UpdateProject(p Project) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// SetProjectWebhookSecret assigns a webhook secret to a project.
|
||||
// Pass an empty string to disable webhook access for the project.
|
||||
func (s *Store) SetProjectWebhookSecret(id, secret string) error {
|
||||
result, err := s.db.Exec(
|
||||
`UPDATE projects SET webhook_secret=?, updated_at=? WHERE id=?`,
|
||||
secret, Now(), id,
|
||||
)
|
||||
if err != nil {
|
||||
return fmt.Errorf("set project webhook secret: %w", err)
|
||||
}
|
||||
n, _ := result.RowsAffected()
|
||||
if n == 0 {
|
||||
return fmt.Errorf("project %s: %w", id, ErrNotFound)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// EnsureProjectWebhookSecret returns the current webhook secret for a project,
|
||||
// generating one on the fly if the stored value is empty (lazy backfill for
|
||||
// projects created before the per-project webhook migration).
|
||||
func (s *Store) EnsureProjectWebhookSecret(id string) (string, error) {
|
||||
project, err := s.GetProjectByID(id)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
if project.WebhookSecret != "" {
|
||||
return project.WebhookSecret, nil
|
||||
}
|
||||
secret := uuid.New().String()
|
||||
if err := s.SetProjectWebhookSecret(id, secret); err != nil {
|
||||
return "", err
|
||||
}
|
||||
return secret, nil
|
||||
}
|
||||
|
||||
// DeleteProject removes a project by ID. Cascading deletes handle stages, instances, and deploys.
|
||||
func (s *Store) DeleteProject(id string) error {
|
||||
result, err := s.db.Exec(`DELETE FROM projects WHERE id = ?`, id)
|
||||
|
||||
Reference in New Issue
Block a user