Implement Git Hooks on Leb.epa.gov about enviroatlas HOT 5 CLOSED

http://ryanflorence.com/deploying-websites-with-a-tiny-git-hook/
https://developer.github.com/webhooks/configuring/
https://ngrok.com/

from enviroatlas.

Progress report - might be just about there, but need to summarize to make my head less fuzzy.

There's now a GitHubAutoDeploy folder on leb.epa.gov here:
D:\Public\Server\Apps\GitHubAutoDeploy

Inside is an example script from this repository:
https://github.com/logsol/Github-Auto-Deploy
it's a pretty simple python script - basically runs a tiny web service that does nothing more than listen for a GitHub WebHook payload, and if it receives one that matches the configured URL/path combination, it fires a git pull request in that directory, updating the repository with the latest code.

Now obviously the leb server is on the EPA intranet, so how on earth could it be listening for payloads from the outside world? Oddly, this turned out to be the easy part. A little program called ngrok.exe (referenced above), that we should be able to run as a windows service, opens a tiny secure tunnel that we can use to expose the python web service to GitHub - and lock it down to only that channel, so it can't be misused. Configuring our webhook in GitHub is also easy, also documented above.

The remaining challenge that I've yet to work my way through is the security around the git pull request in the script. The script was written to fetch from public repos, and since ours is private, I haven't yet figured out the oauth token integration to allow the pull to proceed without prompting for credentials. Anyway, wanted to share.

from enviroatlas.

So close, just seem to be missing something. I should be able to cache my password in Git:
https://help.github.com/articles/caching-your-github-password-in-git/
but while it works in the Git Bash shell (installed along with GitHub for Windows client) it doesn't seem to be respected by the older git client on the machine (which is called from the command line). And can't see anything stored in the windows credential manager. There's a newer credential.helper from Microsoft:
https://github.com/Microsoft/Git-Credential-Manager-for-Windows
but it doesn't appear to be supported on Server 2008 (anybody else notice that Google is pulling support for Chrome from Server 2008? Wonder when the NCC is going to upgrade?)

Next step is to tweak the environment variables to default to the newer git client.

from enviroatlas.

Ok, so the problem was simply that we had a really old version of Git on the LEB server, from 2010, that didn't have the necessary libraries. Upgrading to the latest version of SCM Git did the trick. Per the doc above, saving your GitHub credentials just requires running this command:
git config --global credential.helper wincred
and then performing a pull.
This will need to be done by the user whose account is used to run the service. Confirmed service is running and receiving requests - something is funky about the specified path - need to debug that piece and configure service to be running full-time. Right now it only runs manually.

from enviroatlas.

Ok, had to use NSSM to run the mini web server as a service:
http://www.nssm.cc/
We use this for the GeoPlatform dashboard, pretty nifty.

So here's the final deal. Two services are running - ngrok, which is polling GitHub for updates, and GitAutoDeploy, which pulls updated code down to the LEB server. The status of ngrok can be viewed from the local dashboard (http://localhost:4040 on the LEB server). If the ngrok service restarts, it will be assigned a new URL, shown on that dashboard. That URL needs to be manually updated in our GitHub Repository WebHook configuration: https://github.com/Innovate-Inc/EnviroAtlas/settings/hooks/7263082 The GitAutoDeploy service must run as a user whose Git credentials are stored using the wincred method described above. It's currently running as me, I'll need to make sure to update my password every 90 days. I think that means we can finally close this issue, but let's let a few pull requests go by first.

from enviroatlas.