slaesvuo/hledger
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tools: move site.sh into shake; stop running just-pushed shakefile

Browse Source 
Running the just pushed Shake.hs was too insecure.

[ci skip]
This commit is contained in:
Simon Michael 2019-03-06 07:59:51 -08:00
parent 61e053bd8e
commit 7af5ee4863
3 changed files with 42 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Makefile
View File

@ -705,10 +705,14 @@ site-livereload: \
# /etc/github-post-receive.conf
# 2. cron, nightly. Config: /etc/crontab
# 3. manually (make site).
# This must use the existing Shake executable without rebuilding it,
# as we don't want to immediately execute new code from any collaborator.
.PHONY: site
site: \
$(call def-help,site, update the hledger.org website (run on prod) )
@tools/site.sh
@[[ ! -x Shake ]] \
&& echo 'Please run "make Shake" first (manual compilation of Shake.hs is required)' \
|| ./Shake hledgerorg
###############################################################################
$(call def-help-subheading,RELEASING:)

37
Shake.hs
View File

@ -24,6 +24,7 @@ tools, including:
- makeinfo
- pandoc
- sed
- GNU date (on mac: brew install coreutils)
Compiling this script is recommended, to ensure required packages are
installed, minimise startup delay, and reduce sensitivity to the
@ -77,6 +78,7 @@ usage = unlines
,"./Shake website build the website and web manuals"
,"./Shake website-all build the website and all web manual versions"
,"./Shake all build all the above"
,"./Shake hledgerorg update the hledger.org website (when run on prod)"
,""
,"./Shake mainpages build the web pages from the main repo"
,"./Shake wikipages build the web pages from the wiki repo"
@ -437,6 +439,41 @@ main = do
"--lua-filter=tools/pandoc-toc.lua"
"-o" out )
-- This rule, for updating the live hledger.org site, gets called by:
-- 1. github-post-receive (github webhook handler), when something is pushed
-- to the main or wiki repos on Github. Config:
-- /etc/supervisord.conf -> [program:github-post-receive]
-- /etc/github-post-receive.conf
-- 2. cron, nightly. Config: /etc/crontab
-- 3. manually (make site).
phony "hledgerorg" $ do
-- out1 <- fromStdout <$>
cmd_ Shell
-- XXX ideally we would ensure here that output is logged,
-- but I don't know how to do that for the Shake rules.
-- Instead we'll do the logging in "make site".
-- -- run this sequence of commands, stopping if one fails:
-- "("
-- -- and log all output as well as echoing it
-- ") 2>&1 | tee -a site.log"
-- print timestamp. On mac, use brew-installed GNU date.
"echo"
"&& PATH=\"/usr/local/opt/coreutils/libexec/gnubin:$PATH\" date --rfc-3339=seconds"
-- pull latest wiki repo
"&& printf 'wiki repo: ' && git -C wiki pull"
-- pull latest main repo - sometimes already done by webhook, not always
"&& printf 'main repo: ' && git pull"
-- Shake.hs might have been updated, but we won't execute the
-- new one, too insecure. Continue with this one.
-- update wiki links on website front page
need [ "site/index.md" ]
-- update the live site based on all latest content
need [ "website-all" ]
-- HLEDGER PACKAGES/EXECUTABLES
phony "build" $ need packages

36
tools/site.sh
View File

@ -1,36 +0,0 @@
#!/bin/sh
# Update website(s): hledger.org
#
# Called via github webhook (on push to main repo or wiki)
# /etc/supervisord.conf -> [program:github-post-receive]
# /etc/github-post-receive.conf
# and via cron (nightly)
# /etc/crontab
# or manually (make site)
(\
echo && \
# print timestamp. On mac, use brew-installed GNU date.
PATH="/usr/local/opt/coreutils/libexec/gnubin:$PATH" date --rfc-3339=seconds && \
# fetch latest code & website - sometimes already done by webhook, not always
git pull && \
# fetch latest wiki content
printf "wiki: " && git -C wiki pull && \
# ensure GHC can handle non-ascii
export LANG=en_US.UTF-8 && \
# ensure latest Shake is built
./Shake.hs && \
# update website
./Shake site/index.md && \
./Shake website \
# print and log to:
) 2>&1 | tee -a site.log