Auto-deployment via GitHub

I’ve set up a barebones auto-deployment using GitHub’s Webhooks. It’s probably not the most secure of systems, and it got increasingly less secure (to my mind) as I had to work around *nix quirks.

For starters, I set up a webhook to point at a deploy.php file on my web server. That script reads the raw payload and checks that it really came from GitHub: GitHub never sends the secret itself, it sends an HMAC-SHA256 of the request body keyed with the secret in the X-Hub-Signature-256 header, so the server recomputes the HMAC over the exact bytes it received and compares it with the header (using a constant-time comparison) before doing anything else.

I then set up a deploy shell script (which should be in the repository) with the setuid bit set (u+s), which means that anyone running that file should be running as the file owner. This would allow PHP to call the script without my having to worry about potential security issues. Sadly, this turned out not to be possible: the kernel ignores the setuid bit on interpreted scripts (anything with a #! line), because it only execs the interpreter, which then reopens the script by path, a race that was historically exploitable, so the bit is honoured only on native binaries. The script simply runs as the user actually calling it (in this case the www-data user).

With that option blocked, I had to do what I consider more insecure, and definitely more annoying: adding a line to sudoers that allows the www-data user to run this one script, by its full path and with no arguments, as the file owner without a password.

Moving back to the PHP script, I added the sudo call, which worked, but I was still having issues actually running the git commands, with no output to explain why. I eventually realised that PHP’s exec() only collects stdout, while stderr goes to the web server’s error log, so I had to redirect stderr into stdout (2>&1). That finally showed me that my git commands were being blocked by a notification, which I had to suppress by setting a config option.
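Putting the steps above together, here is an added example of what such a deploy.php can look like. It is not the original post’s script; the secret, script path, deploy user, branch and log file are assumed names and would be replaced with your own. The sudoers line it relies on is a second assumption, shown after the block.

```php
<?php
// deploy.php: GitHub webhook receiver. Added example, not the post's original script.
// Assumed values: DEPLOY_SECRET, DEPLOY_SCRIPT, DEPLOY_USER, DEPLOY_BRANCH, LOG_FILE.
declare(strict_types=1);

const DEPLOY_SECRET = 'change-me-to-the-webhook-secret'; // assumption: the secret typed into the GitHub webhook form
const DEPLOY_SCRIPT = '/usr/local/bin/deploy.sh';        // assumption: outside the web root and outside the repo
const DEPLOY_USER   = 'deploy';                           // assumption: the user named in the sudoers rule
const DEPLOY_BRANCH = 'refs/heads/main';                  // assumption: only pushes to this ref trigger a deploy
const LOG_FILE      = '/var/log/deploy-webhook.log';      // assumption: writable by the web server user

function respond(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $msg, "\n";
    exit;
}

// 1. Webhooks are POSTs; refuse anything else.
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    respond(405, 'method not allowed');
}

// 2. Read the raw body exactly as sent. The HMAC covers these bytes,
//    not a re-encoded copy of $_POST or a decoded JSON array.
$body = file_get_contents('php://input');
if ($body === false || $body === '') {
    respond(400, 'empty body');
}

// 3. Verify X-Hub-Signature-256, which GitHub sends as "sha256=<hex hmac>".
//    hash_equals() compares in constant time; the known-good value goes first.
$sigHeader = $_SERVER['HTTP_X_HUB_SIGNATURE_256'] ?? '';
$expected  = 'sha256=' . hash_hmac('sha256', $body, DEPLOY_SECRET);
if (!hash_equals($expected, $sigHeader)) {
    respond(403, 'bad signature');
}

// 4. Only act on push events; answer the initial ping so the hook shows as healthy.
$event = $_SERVER['HTTP_X_GITHUB_EVENT'] ?? '';
if ($event === 'ping') {
    respond(200, 'pong');
}
if ($event !== 'push') {
    respond(204, 'ignored');
}

// 5. Only deploy pushes to the configured branch.
$payload = json_decode($body, true);
if (!is_array($payload) || ($payload['ref'] ?? '') !== DEPLOY_BRANCH) {
    respond(204, 'not the deploy branch');
}

// 6. Run the deploy script through sudo with a fixed argv: nothing from the
//    payload reaches the shell. 2>&1 folds stderr into stdout so exec()
//    returns git's and hugo's error text instead of silently dropping it.
$cmd = sprintf('sudo -n -u %s %s 2>&1', escapeshellarg(DEPLOY_USER), escapeshellarg(DEPLOY_SCRIPT));
exec($cmd, $output, $rc);

file_put_contents(
    LOG_FILE,
    date('c') . " rc=$rc\n" . implode("\n", $output) . "\n",
    FILE_APPEND | LOCK_EX
);

if ($rc !== 0) {
    respond(500, 'deploy failed, see log');
}
respond(200, 'deployed');
```

The matching sudoers rule (again an assumption, adjust the user and path) is a single line such as `www-data ALL=(deploy) NOPASSWD: /usr/local/bin/deploy.sh`, which matches only that exact command with no arguments; `sudo -n` makes the call fail immediately rather than hang on a password prompt if the rule is missing. Two things worth checking on the script itself: it should be owned by root and not writable by www-data, and it is safer kept outside the repository it pulls, because a script that lives in the repo and is runnable via sudo can be rewritten by anyone who can push to that branch, and the next webhook will run their version as the deploy user.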

That done, I now have an auto-deployment system based on webhooks. As I submit the final version of this post, it’ll get pushed straight to my server, a git pull will run, hugo will run, and the generated files will be copied over to my web root. Fantastic.