forked from moztw/www.moztw.org
-
Notifications
You must be signed in to change notification settings - Fork 0
/
git-received.php
66 lines (56 loc) · 2.12 KB
/
git-received.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
<?php
// Github will hit this URL with POST requests when you push, passing along information about the push.
// More information can be found at: https://help.github.com/en/articles/about-githubs-ip-addresses
//
// TODO: Add code to verify request using X-GitHub-Delivery header
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://api.github.com/meta");
curl_setopt($ch, CURLOPT_USERAGENT, "PHP"); // GitHub requires User Agent to be sent
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
$gh_data = json_decode(curl_exec($ch), true);
curl_close($ch);
$gh_whitelist = $gh_data["hooks"];
$clientip_DEC = $_SERVER["REMOTE_ADDR"];
$payload = json_decode($_POST["payload"]);
$checkPayload = $payload && (strpos($_SERVER["HTTP_USER_AGENT"], "GitHub-Hookshot") !== FALSE);
function checkIPAddr( $ipaddr, $validrange ) {
if ( !strpos( $validrange, "/" ) ) {
$validrange .= "/32";
}
list( $validrange, $netmask ) = explode( "/", $validrange, 2 );
$validrange_DEC = ip2long( $validrange );
$ipaddr_DEC = ip2long( $ipaddr );
$wildcard_DEC = 2 ** ( 32 - $netmask ) - 1;
return ( $ipaddr_DEC >= $validrange_DEC ) && ( $ipaddr_DEC < $validrange_DEC + $wildcard_DEC );
}
foreach ($gh_whitelist as $validip) {
// 檢查來源 IP 是否在白名單中
$output = checkIPAddr($clientip_DEC, $validip);
if ($output && $checkPayload) {
$cmd = "/home/moztw/repo/base/autoupdate/update.sh";
$opt = "";
$branch = "";
if ($payload->ref === "refs/heads/production") {
//production
$branch = " www";
echo("is production\n");
} elseif ($payload->ref === "refs/heads/master") {
//stage
$branch = " stage";
echo("is stage\n");
} else {
http_response_code(400);
die("!!!Wrong payload.");
}
// $opt = " md5 cache"; // TODO: updating MD5 and SHTML cache will cause timeout for GitHub, comment out for now
$cmd = $cmd . $branch . $opt . " 2>&1";
echo($cmd . "\n");
system($cmd);
http_response_code(200);
die("Updated Successfully.");
}
}
http_response_code(400);
die("!!!Invalid arguments given or not from Github.");
?>