Drone Fork Approval Extension
🔌 Fork Approval is a simple Drone Validation Extension
that ensures every PR originating from a fork must have its Drone CI build
approved before it will run.
Perhaps you're worried about OSS contributors running crypto miners?
Perhaps you'd like to use privileged containers in your PR pipeline?
Fork Approval can help you do so safely!
Usage
- Create a shared secret and export it so the container can read it:

  ```sh
  $ export DRONE_SECRET="$(openssl rand -base64 32)"
  ```

- Run the container:

  ```sh
  $ docker run --detach \
      --restart=always \
      --publish=3888:3888 \
      --env=DRONE_SECRET \
      --name=drone-approval \
      wadells/drone-fork-approval-extension:0.2.0
  ```

- Update your Drone server configuration to include the plugin address and the shared secret:

  ```sh
  DRONE_VALIDATE_PLUGIN_ENDPOINT=https://<your plugin host>:3888
  DRONE_VALIDATE_PLUGIN_SECRET=<your secret>
  ```
Caveats
wadells/drone-fork-approval-extension does not publish a :latest tag.
Choose a fixed version, or better yet, build and host a copy. Relying
on a 3rd-party image repository for the security of your CI is not a great idea.

This extension does not support HTTPS in its Go configuration. Please
put it behind nginx or host the extension on the same system that hosts
your main Drone server.

This extension has only been tested with GitHub.
Development
Run `make help` for a list of targets.
Design
Drone Fork Approval is intentionally limited in scope so that its
security implications stay small and easy to understand. The entire
approval workflow is summarized below:
```
GitHub            Drone                        Fork Approval
  | webhook          |                               |
  | ---------------->| .Validate()                   |
  |                  | ----------------------------->|
  |                  |   (source repo == target repo)? 200 : 499
  | (if 499, wait    |<----------------------------- |
  |  for approval)   |                               |
                     |
Drone User           |
  | approval         |                          Drone Runner
  | ---------------->|                               |
  |                  | ----------------------------->|
  |                  |                       (execution begins)
```
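The decision in the diagram, written out as a standard-library Go handler. This is an added illustration, not the extension's source: it assumes the request body carries `repo.slug`, `build.event` and `build.source_repo` as in drone-go's validator request, and it leaves out the shared-secret signature check that the real extension (via drone-go's `validator.Handler`) performs.

```go
package main

import (
	"encoding/json"
	"io"
	"net/http"
)

// validateRequest holds the fields of Drone's validation request the decision
// needs. Field names are assumed from drone-go's validator.Request
// (repo.slug, build.event, build.source_repo); confirm for your Drone version.
type validateRequest struct {
	Repo struct {
		Slug string `json:"slug"`
	} `json:"repo"`
	Build struct {
		Event      string `json:"event"`
		SourceRepo string `json:"source_repo"`
	} `json:"build"`
}

// 499 is the status the diagram uses to block a build until a user approves it.
const statusBlock = 499

// decide applies the one rule in the design: a pull request whose source
// repo is not the target repo came from a fork and must wait for approval.
// Builds for other events (push, tag, cron, ...) are allowed through.
func decide(req validateRequest) int {
	if req.Build.Event != "pull_request" || req.Build.SourceRepo == req.Repo.Slug {
		return http.StatusOK
	}
	return statusBlock
}

// validateHandler is the endpoint Drone calls (.Validate() in the diagram).
// Verifying the shared-secret HTTP signature is omitted here; the real
// extension relies on drone-go's validator.Handler for that.
func validateHandler(w http.ResponseWriter, r *http.Request) {
	var req validateRequest
	if err := json.NewDecoder(io.LimitReader(r.Body, 1<<20)).Decode(&req); err != nil {
		http.Error(w, "bad request body", http.StatusBadRequest)
		return
	}
	w.WriteHeader(decide(req))
}

func main() {
	http.HandleFunc("/", validateHandler)
	http.ListenAndServe(":3888", nil)
}
```

With a 499 response Drone holds the build in the blocked state until a Drone user approves it, which is the wait shown in the diagram.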
For more information on the validation trigger logic, see: