// Main entry for the wireguard-quick-action GitHub Action.
//
// This file is deliberately THIN. All real logic — apt install, config-file
// writing, and `wg-quick up` — lives in ./wg-up.sh. This file only:
//
// 1. Validates the required WG_CONFIG_FILE input is present.
// 2. Ensures ./wg-up.sh is executable (defensive; some checkouts lose the
// exec bit, e.g. when the repo is archived + re-extracted).
// 3. Spawns ./wg-up.sh with the secret passed via env var (NOT argv, so
// the private key never shows up in `ps`).
// 4. Propagates the script's exit code.
//
// Uses only Node.js built-in modules — no npm dependencies, no bundling.
'use strict';
const fs = require('fs');
const os = require('os');
const path = require('path');
const { execFileSync } = require('child_process');
// Location of the bash script that sits next to this file; main() runs it
// through `bash`.
const SCRIPT = path.join(__dirname, 'wg-up.sh');

// Path the bash script writes to. Kept in sync with wg-up.sh/wg-down.sh via
// the WG_CONFIG_PATH env var, and persisted to GITHUB_STATE so the post step
// can locate it even if we ever relocate it off the workspace root.
//
// NOTE(review): the path is relative, so it resolves against the working
// directory of the step (the workspace root, per the comment above). The file
// holds the WireGuard private key, so it sits next to checked-out sources
// where an artifact upload or a commit of the whole workspace would pick it
// up. Confirm that wg-up.sh creates it with owner-only permissions and that
// the post step always removes it; whether it can live in a runner-private
// temp directory instead depends on wg-up.sh/wg-down.sh, which are not
// visible from here.
const CONFIG_PATH = './wg0.conf';
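/**
 * Emit a GitHub Actions error annotation and exit non-zero.
 *
 * The message is percent-encoded the way workflow-command data has to be
 * (`%` -> `%25`, CR -> `%0D`, LF -> `%0A`). Without that, a message that
 * contains a line break is cut off at the break, and whatever follows lands
 * on a line of its own in stdout, where the runner parses it like any other
 * output line, including as a workflow command if it looks like one.
 *
 * @param {unknown} message - Text for the annotation; coerced to a string.
 * @returns {void} Never returns in practice, because process.exit(1) is called.
 */
const failAction = (message) => {
  const escaped = String(message)
    .replace(/%/g, '%25')
    .replace(/\r/g, '%0D')
    .replace(/\n/g, '%0A');
  process.stdout.write(`::error::${escaped}${os.EOL}`);
  process.exit(1);
};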
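/**
 * Validate the WG_CONFIG_FILE input, record the config path for the post
 * step, then run ./wg-up.sh with the config handed over through the
 * environment.
 *
 * @returns {void}
 * @throws {Error} Whatever execFileSync throws when the script exits
 *   non-zero, and any error from appending to the GITHUB_STATE file. The
 *   top-level try/catch turns either into a failed step.
 */
const main = () => {
  const wgConfig = process.env.INPUT_WG_CONFIG_FILE;
  // A whitespace-only value carries no usable config, so reject it here with
  // a clear annotation instead of letting the script fail later.
  if (!wgConfig || wgConfig.trim() === '') {
    failAction('Input WG_CONFIG_FILE is required but was empty.');
    return; // Only reached if failAction ever stops exiting the process.
  }

  // Defensive chmod in case the exec bit didn't survive checkout.
  try {
    fs.chmodSync(SCRIPT, 0o755);
  } catch (err) {
    // Non-fatal: bash will still run the script via `bash <path>`.
    process.stdout.write(
      `[wireguard-quick-action] chmod +x ${SCRIPT} failed (ignored): ${err.message}${os.EOL}`
    );
  }

  // Persist the config path for the post step via GITHUB_STATE. The runner
  // exposes this back as process.env.STATE_wg_config_path in post.js.
  // Key is case-sensitive; must match the STATE_wg_config_path read in post.js.
  //
  // This is written BEFORE the script runs: execFileSync throws on a non-zero
  // exit, so recording the path afterwards would skip it whenever wg-up.sh
  // fails part-way, possibly after the config file (and the private key in
  // it) is already on disk. Presumably post.js uses this value to find and
  // remove that file; confirm it tolerates a tunnel that never came up.
  const stateFile = process.env.GITHUB_STATE;
  if (stateFile) {
    fs.appendFileSync(stateFile, `wg_config_path=${CONFIG_PATH}${os.EOL}`);
  }

  // Spawn the bash script. Secret goes through the environment, never argv.
  // `bash` is looked up through PATH, and spreading process.env hands the
  // script every variable this step has, INPUT_WG_CONFIG_FILE included.
  // stdio 'inherit' sends the script's output straight to the step log, so
  // the script itself must never echo the config.
  execFileSync('bash', [SCRIPT], {
    stdio: 'inherit',
    env: {
      ...process.env,
      WG_CONFIG_FILE: wgConfig,
      WG_CONFIG_PATH: CONFIG_PATH,
    },
  });
};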
// Entry point: run main() and convert anything it throws into a failed step.
try {
  main();
} catch (err) {
  // A non-zero exit from the script surfaces here as an exception thrown by
  // execFileSync, and its .message already names the failing command. Values
  // without a usable message are stringified instead.
  const hasMessage = Boolean(err && err.message);
  const text = hasMessage ? err.message : String(err);
  failAction(text);
}