From 4dc9eae9c9f5e938d39977de7efb7e5f5e0ee1fc Mon Sep 17 00:00:00 2001
From: phorcys420 <57866459+phorcys420@users.noreply.github.com>
Date: Fri, 3 Nov 2023 18:42:45 +0100
Subject: [PATCH] feat: add git-commit-signing module (#94)
* feat: add git-commit-signing module
* feat(git-commit-signing): check for git and jq
* fix(git-commit-signing): only use icon once
* fix(git-commit-signing): fix typo in README
Co-authored-by: Muhammad Atif Ali
* bun fmt
* chore: clarify readme SSH key paragraph
* fix: add `curl` as dependency
* feat: download keys to ~/.ssh/git-commit-signing
* feat: add conflict disclaimer
---------
Co-authored-by: Muhammad Atif Ali
Co-authored-by: Atif Ali
---
git-commit-signing/README.md | 24 +++++++++++++++++++++
git-commit-signing/main.tf | 25 ++++++++++++++++++++++
git-commit-signing/run.sh | 41 ++++++++++++++++++++++++++++++++++++
3 files changed, 90 insertions(+)
create mode 100644 git-commit-signing/README.md
create mode 100644 git-commit-signing/main.tf
create mode 100755 git-commit-signing/run.sh
diff --git a/git-commit-signing/README.md b/git-commit-signing/README.md
new file mode 100644
index 0000000..38a02c0
--- /dev/null
+++ b/git-commit-signing/README.md
@@ -0,0 +1,24 @@
+---
+display_name: Git commit signing
+description: Configures Git to sign commits using your Coder SSH key
+icon: ../.icons/git.svg
+maintainer_github: phorcys420
+verified: false
+tags: [helper, git]
+---
+
+# git-commit-signing
+
+This module downloads your SSH key from Coder and uses it to sign commits with Git.
+It requires `curl` and `jq` to be installed inside your workspace.
+
+Please observe that using the SSH key that's part of your Coder account for commit signing, means that in the event of a breach of your Coder account, or a malicious admin, someone could perform commit signing pretending to be you.
+
+This module has a chance of conflicting with the user's dotfiles / the personalize module if one of those has configuration directives that overwrite this module's / each other's git configuration.
+
+```hcl
+module "git-commit-signing" {
+ source = "https://registry.coder.com/modules/git-commit-signing"
+ agent_id = coder_agent.example.id
+}
+```
diff --git a/git-commit-signing/main.tf b/git-commit-signing/main.tf
new file mode 100644
index 0000000..9be7bac
--- /dev/null
+++ b/git-commit-signing/main.tf
@@ -0,0 +1,25 @@
+terraform { + + required_version = ">= 1.0" + + required_providers { + + coder = { + + source = "coder/coder" + + version = ">= 0.12" + + } + + }
+}
+
+variable "agent_id" {
+ type = string
+ description = "The ID of a Coder agent."
+}
+
+resource "coder_script" "git-commit-signing" {
+ display_name = "Git commit signing"
+ icon = "https://raw.githubusercontent.com/coder/modules/main/.icons/git.svg"
+
+ script = file("${path.module}/run.sh")
+ run_on_start = true
+
+ agent_id = var.agent_id
+}
diff --git a/git-commit-signing/run.sh b/git-commit-signing/run.sh
new file mode 100755
index 0000000..57c5139
--- /dev/null
+++ b/git-commit-signing/run.sh
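Review bot: The `coder_script` resource in main.tf carries no explanation of what run.sh does on the agent, and since that script writes the workspace user's Coder SSH private key to disk (the README says so, and run.sh's `mkdir -p ~/.ssh/git-commit-signing` plus the `Coder-Session-Token: ${CODER_AGENT_TOKEN}` fetch of `gitsshkey` confirm it), a consumer reading only main.tf never learns that. I would add a comment above `resource "coder_script" "git-commit-signing"`: `# Runs run.sh on every workspace start (run_on_start): it fetches the user's Coder SSH keypair with the agent token, stores it under ~/.ssh/git-commit-signing and configures git to sign commits with it; see the README for the account-compromise and dotfiles-conflict caveats.` The `agent_id` description would be sharper as `"The ID of the Coder agent whose workspace receives the signing key."`. Separately, `version = ">= 0.12"` has no upper bound, so a breaking provider release would be picked up silently; if the other modules in this registry pin an upper bound, this one should match.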
@@ -0,0 +1,41 @@ +#!/usr/bin/env sh + +if ! command -v git > /dev/null; then + echo "git is not installed" + exit 1 +fi + +if ! command -v curl > /dev/null; then + echo "curl is not installed" + exit 1 +fi + +if ! command -v jq > /dev/null; then + echo "jq is not installed" + exit 1 +fi + +mkdir -p ~/.ssh/git-commit-signing + +echo "Downloading SSH key" + +ssh_key=$(curl --request GET \ + --url "${CODER_AGENT_URL}api/v2/workspaceagents/me/gitsshkey" \ + --header "Coder-Session-Token: ${CODER_AGENT_TOKEN}") + +jq --raw-output ".public_key" > ~/.ssh/git-commit-signing/coder.pub < ~/.ssh/git-commit-signing/coder <