Auto-deployment via GitHub

I’ve set up a barebones auto-deployment using GitHub’s webhooks. It’s probably not the most secure of systems, and it got increasingly insecure (to my mind) as I had to work around *nix quirks.

For starters, I set up a webhook pointing at a deploy.php file on my web server, which parses the payload and checks that the secret key matches and that the request is in fact coming from GitHub.

I then set up a deploy shell script (which should be in the repository) with the setuid bit set (u+s), which means that anyone running that file should be running as the file owner. This would allow PHP to call this script and not have to worry about potential security issues. Sadly, this turned out not to be possible because *nix in its infinite wisdom has decided to not allow shell scripts to run using setuid bits. It’ll automatically revert to the user actually calling it (in this case the www-user).

With that option blocked, I had to do what I consider more insecure, and definitely more annoying, which is adding a line to sudoers which allows the www-user to call this script with no password with a sudo line, running as the file owner.

Moving back to the PHP script, I added this sudo call, which worked; however, I was still having issues actually running the git commands, with no output. I eventually realised that PHP’s execute doesn’t display stderr at all, and thus had to pipe it to stdout, which told me that my git commands were being blocked due to a notification I had to suppress by setting a config option.
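The three pieces described above (the secret check in deploy.php, the passwordless sudo call, and the stderr redirect) can be put together as follows. This is an added example, not the deploy.php from this site; the environment variable name, the deploy user and the script path are assumptions, and the check relies on GitHub's X-Hub-Signature-256 header, which carries an HMAC-SHA256 of the raw request body.

```php
<?php
// Added example, not the author's deploy.php. The env var name, deploy user
// and script path are assumptions. Matching sudoers entry (one fixed command):
//   www-user ALL=(deploy) NOPASSWD: /home/deploy/site/deploy.sh
declare(strict_types=1);

const DEPLOY_USER   = 'deploy';                       // assumed file owner
const DEPLOY_SCRIPT = '/home/deploy/site/deploy.sh';  // assumed path

/** Constant-time check of GitHub's "sha256=<hex>" HMAC over the raw body. */
function signature_is_valid(string $rawBody, string $header, string $secret): bool
{
    if ($secret === '' || strncmp($header, 'sha256=', 7) !== 0) {
        return false; // a missing secret or header fails closed
    }
    $expected = 'sha256=' . hash_hmac('sha256', $rawBody, $secret);
    return hash_equals($expected, $header);
}

/** Run the fixed deploy command; no request data ever reaches the shell. */
function run_deploy(): array
{
    $cmd = sprintf('sudo -n -u %s %s 2>&1',
        escapeshellarg(DEPLOY_USER), escapeshellarg(DEPLOY_SCRIPT));
    exec($cmd, $output, $status); // 2>&1 so git's stderr is captured too
    return [$status, $output];
}

if (PHP_SAPI !== 'cli') {
    $secret = (string) getenv('GITHUB_WEBHOOK_SECRET');   // assumed variable name
    $body   = (string) file_get_contents('php://input');  // raw bytes, before json_decode
    $header = $_SERVER['HTTP_X_HUB_SIGNATURE_256'] ?? '';

    if (!signature_is_valid($body, $header, $secret)) {
        http_response_code(403);
        exit;
    }
    [$status, $output] = run_deploy();
    error_log('deploy exit=' . $status . ' ' . implode(' | ', $output)); // log, not echo
    http_response_code($status === 0 ? 204 : 500);
} else {
    // Constructed sample payload: a valid signature passes, a tampered body fails.
    $sig = 'sha256=' . hash_hmac('sha256', '{"ref":"refs/heads/main"}', 'test-secret');
    var_dump(signature_is_valid('{"ref":"refs/heads/main"}', $sig, 'test-secret'));
    var_dump(signature_is_valid('{"ref":"refs/heads/other"}', $sig, 'test-secret'));
}
```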

That done, I now have an auto-deployment system based on webhooks. As I submit the final version of this, it’ll get immediately pushed up to my server, a git pull will be run, hugo will be run, then the files will get copied over to my web root. Fantastic.

Site Explanation

I have modified the website slightly to customise the menu and post display. It was actually surprisingly easy.

Initially, I wanted to add two post types (blog post and project), and have the sidebar menu display both as separate categories, with a sublist showing the actual items (to limit the number when (if) I write enough of them to merit it).

This was very simple, literally a matter of adding another iteration over the menu types themselves after the initial iteration over the menu entries of the “main” menu.

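{{/* Every menu except "main" becomes a heading with its own sublist. */}}
{{ range $index, $element := .Site.Menus }}
    {{ if not ( eq $index "main" )}}
        {{ $index }}
      <ul class="submenu-nav">
        {{ range $entry := $element }}
          <li><a href="{{.URL}}"> {{ .Name }} </a></li>
        {{ end }}
      </ul>
    {{ end }}
{{ end }}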

Easily done. Next was a simple modification of the main page to only display posts on the index page that are in the “Blog” category (not menu). This’ll allow me to have blog posts that double as projects, even temporarily.

{{ range .Data.Pages }}
    {{ if in .Params.categories "Blog" }}
    <div class="post">
      <h1 class="post-title">
        <a href="{{ .Permalink }}">
          {{ .Title }}
        </a>
      </h1>

      <span class="post-date">{{ .Date.Format "Mon, Jan 2, 2006" }}</span>

      {{ .Content }}
    </div>
    {{ end }}
{{ end }}

Hello, world!

Hello world! This is my first attempt at a Hugo-backed site.