drone-fork-approval-extension

command module
v0.2.0
Published: May 24, 2021 License: GPL-3.0 Imports: 7 Imported by: 0

README

Drone Fork Approval Extension

🔌 Fork Approval is a simple Drone Validation Extension that ensures every PR originating from a fork has its Drone CI build approved before it runs.

Perhaps you're worried about OSS contributors running crypto miners? Perhaps you'd like to use privileged containers in your PR pipeline?

Fork Approval can help you do so safely!

Usage

  1. Create a shared secret:

       $ DRONE_SECRET="$(openssl rand -base64 32)"

  2. Run the container:

       $ docker run --detach \
         --restart=always \
         --publish=3888:3888 \
         --env=DRONE_SECRET \
         --name=drone-approval \
         wadells/drone-fork-approval-extension:0.2.0

  3. Update your Drone server configuration to include the plugin address and the shared secret:

       DRONE_VALIDATE_PLUGIN_ENDPOINT=https://<your plugin host>:3888
       DRONE_VALIDATE_PLUGIN_SECRET=<your secret>

Caveats

wadells/drone-fork-approval-extension does not publish a :latest tag. Choose a fixed version or, better yet, build and host your own copy. Relying on a third-party image repository for the security of your CI is not a great idea.

This extension does not support HTTPS in its Go configuration. Put it behind nginx, or host the extension on the same system as your main Drone server.

This extension has only been tested with GitHub.

Development

Run make help for a list of targets.

Design

Drone Fork Approval is intentionally limited in scope to keep its security implications understandable and limited. The entire approval workflow is summarized below:

GitHub          Drone           Fork Approval
 |    webhook    |               |
 | ------------->|  .Validate()  |
 |               | ------------->|
                 |               | (source repo == target repo)? 200 : 499
 (if 499, wait   |<------------- |
  for approval)  |               |
                 |
Drone User       |
 |   approval    |                      Drone Runner
 | ------------->|                       |
 |               | --------------------->|
                 |                       | (execution begins)
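
The decision shown in the diagram, as an added example that is not the extension's own code: a minimal standard-library HTTP handler that answers 200 when the pull request's source repository equals the target repository and 499 (Drone's "block, wait for approval" status) otherwise. The request struct, its JSON field names, and the treatment of a non-PR build (empty fork slug) as "pass" are assumptions made for this example, and the shared-secret request authentication the real extension protocol performs is omitted.

```go
package main

import (
	"encoding/json"
	"log"
	"net/http"
)

// Request mirrors only the parts of a Drone validation payload this check
// needs. Field names are an assumption for this example, not drone-go's types.
type Request struct {
	Repo struct {
		Slug string `json:"slug"` // target repository, e.g. "octocat/hello-world"
	} `json:"repo"`
	Build struct {
		Fork string `json:"fork"` // source repository of a PR; empty for non-PR events
	} `json:"build"`
}

// Decide returns the HTTP status the extension answers with: 200 lets the
// build run, 499 holds it until a Drone user approves it.
func Decide(req Request) int {
	// A PR from a fork carries a source slug that differs from the target slug.
	// A non-PR build (assumed here to have an empty fork slug) is allowed through.
	if req.Build.Fork != "" && req.Build.Fork != req.Repo.Slug {
		return 499
	}
	return 200
}

// Handler decodes the validation request and replies with Decide's status.
// NOTE: the real protocol also verifies an HTTP signature made with
// DRONE_SECRET; that check is deliberately left out of this example.
func Handler(w http.ResponseWriter, r *http.Request) {
	var req Request
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(Decide(req))
}

func main() {
	http.HandleFunc("/", Handler)
	log.Fatal(http.ListenAndServe(":3888", nil)) // same port the README publishes
}
```

Without signature verification anyone who can reach port 3888 could submit a fake validation request, so do not deploy this stripped-down handler as-is.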

For more information on the validation trigger logic, see:

Documentation

Overview

Copyright 2021 walt@javins.net. Use of this code is governed by the GNU GPLv3 found in the LICENSE file.
