Drone CI 中文文档

GitHub Teams

Drone provides an official extension to limit system access based on GitHub organization and team membership. You can use this extension to configure access policies, such as:

  • If user is organization member, grant access
  • If user is organization admin, grant admin access
  • If user is member of designated team, grant admin access (optional)
  • Else deny access

Configuration

  • DRONE_GITHUB_ENDPOINT
    Github API base URL. This is only required when integrating with GitHub Enterprise. The URL format should be http(s)://[hostname]/api/v3
  • DRONE_GITHUB_TOKEN
    GitHub API personal access token. This token must have adequate permissions to access organization and team endpoints.
  • DRONE_GITHUB_ORG
    Comma-separated lists of organizations. If defined, the user must be a member of at least one organization in the list.
  • DRONE_GITHUB_TEAM
    Comma-separated lists of teams. If defined, users that are members of this team are granted administrative access.

Installation

  1. Create a shared secret.

    $ openssl rand -hex 16
    bea26a2221fd8090ea38720fc445eca6
    
  2. Download and run the extension.

    $ docker run -d \
    --publish=3000:3000 \
    --env=DRONE_DEBUG=true \
    --env=DRONE_SECRET=bea26a2221fd8090ea38720fc445eca6 \
    --env=DRONE_GITHUB_TOKEN=3da541559918a808c2402bba5012f6c6 \
    --env=DRONE_GITHUB_ORG=acme \
    --env=DRONE_GITHUB_TEAM=admins \
    --restart=always \
    --name=admitter drone/drone-admit-members
    
  3. Update your Drone server configuration to include the extension address and the shared secret.

    DRONE_ADMISSION_PLUGIN_ENDPOINT=http://1.2.3.4:3000
    DRONE_ADMISSION_PLUGIN_SECRET=bea26a2221fd8090ea38720fc445eca6
    

验证安装结果

You can verify the extension is configured and is processing requests using the command line utility.

  1. Provide the command line utility with the extension endpoint and secret.

    export DRONE_ADMISSION_ENDPOINT=http://localhost:3000
    export DRONE_ADMISSION_SECRET=bea26a2221fd8090ea38720fc445eca6
    
  2. Use the command line utility to check if a user is admitted:

    drone plugins admit octocat
    

Customization

This extension is considered a reference implementation of an admission controller, and has limited scope. You are encouraged to fork and customize this extension as needed. You can find the source code at drone/drone-admit-members.