Inspiration

While working on docker-phasik.tv, I was presented with the problem of how to validate a DigitalOcean App Spec YAML file. I did not want to expose any DigitalOcean API tokens in the GitHub Actions CI/CD environment. However, the doctl validation command only worked when passed a token and after running doctl auth init. This led me down the path of making changes to at least 3 other projects to implement an offline-mode App Spec validation feature.

What it does

pre-commit-digitalocean is a set of pre-commit hooks to validate DigitalOcean App Spec files (e.g. .do/app.yaml).

The project currently provides 2 hooks:

  • doctl-app-spec-validate: This validates the DigitalOcean App Spec file in the usual way (e.g. doctl app spec validate)
    • Note that this requires an API token, plus access to the internet to contact DigitalOcean's API
    • Apparently this runs the equivalent of doctl app spec propose as part of the checks (when --schema-only is not passed)
    • When --schema-only is passed, it still requires an API token, although the YAML is then only checked for conformance to the data structure schema.
  • doctl-app-spec-validate-offline: This uses a brand new command that I submitted to doctl in digitalocean/doctl#1450
    • Does NOT require an API token 🎉
    • Does NOT require internet access to validate an App Schema either! 🎉
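As an added illustration (not the project's own hook script), here is a POSIX shell hook in the shape the two hooks above describe: it defaults to the offline command, only switches to the online --schema-only check when explicitly asked and a token is present, and never handles the token itself (doctl reads DIGITALOCEAN_ACCESS_TOKEN from the environment, so the secret never appears on a command line or in CI output). The `doctl app spec validate-offline` command name is taken from the description above; `APP_SPEC_ONLINE` and `DOCTL` are assumed knobs.

```shell
#!/bin/sh
# Added example hook; not code from pre-commit-digitalocean.
# Assumes: doctl >= the version carrying digitalocean/doctl#1450,
# and that pre-commit passes the staged file paths as arguments.
set -eu

DOCTL="${DOCTL:-doctl}"   # assumed override, handy for testing

# Succeed only for paths that look like a DigitalOcean App Spec.
is_app_spec() {
    case "$1" in
        .do/app.yaml|.do/app.yml|*/.do/app.yaml|*/.do/app.yml) return 0 ;;
        *) return 1 ;;
    esac
}

# Pick the validation mode. Offline is the default because even
# --schema-only needs a token; online is used only when the caller
# opts in AND a token exists. Only presence is checked, never the value.
select_mode() {
    want_online="${1:-no}"
    if [ "$want_online" = yes ] && [ -n "${DIGITALOCEAN_ACCESS_TOKEN:-}" ]; then
        echo online
    else
        echo offline
    fi
}

# Run the chosen doctl command. The token is deliberately not passed
# as an argument; doctl picks it up from the environment.
validate_spec() {
    spec="$1"; mode="$2"
    case "$mode" in
        offline) "$DOCTL" app spec validate-offline "$spec" ;;
        online)  "$DOCTL" app spec validate --schema-only "$spec" ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

main() {
    mode="$(select_mode "${APP_SPEC_ONLINE:-no}")"
    rc=0
    for f in "$@"; do
        is_app_spec "$f" || continue
        echo "[$mode] validating $f"
        validate_spec "$f" "$mode" || rc=1
    done
    return "$rc"
}

main "$@"   # with no matching files this is a no-op and exits 0
```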

The new offline mode requires the following pull-requests to be merged:

How we built it

I first started down the rabbit hole of what it might take to implement simple App Spec validation. This led me to first build a proof-of-concept hook using the usual doctl app spec validate. I then realized that this would require passing API tokens and potentially exposing those secrets in the CI/CD environment. After that realization, I ended up making changes to the action-doctl project in order to make passing the token and running doctl auth optional.

After those parts were implemented, I realized that the underlying doctl command always required an API token to have been set up, even for the presumably offline --schema-only validate command. Once that issue was found, I worked on implementing a secondary validate-offline command inside doctl.

Putting all the pieces together produced a wonderful result: a new CI/CD workflow that can validate the DigitalOcean app.yaml file schema without requiring an internet connection or an API token.

Challenges we ran into

This prototype hook required changes in 3 or 4 different languages (if counting GitHub Actions YAML). doctl is written in Go, action-doctl is written in TypeScript/JavaScript, and the pre-commit-digitalocean hooks are written in POSIX shell.

Accomplishments that we're proud of

Everything works together nicely! This should also close a few issues across these projects once all the pull requests are merged.

What we learned

Underlying the first problem to solve are sometimes 3 or 4 other problems (and projects) that need changes before a fully working solution can be put together. Lots of moving parts means lots of testing of each piece.

What's next for pre-commit-digitalocean

  • Code reviews from DigitalOcean
  • Merging PRs
  • Switching docker-phasik.tv back off of pre-release PoC branches to use those merged PRs once they make it to the main branches
