After receiving some recommendations on this post, I’ve started building an extension that’ll disable all pull requests on a global level.
I’ve got pretty much everything figured out, except I can’t figure out how to verify the secret shared between Drone and the extension.
The docs mention checking out this page, but I’m not really getting anywhere with it, and I’m still quite clueless on where I should go.
I’ve attempted to look at a few example extensions, including the Jsonnnet and Paths Changed ones, but I’m not seeing anything on where signatures are verified.
Is there any way I could do it with the openssl CLI tool? I’m attempting to follow this post on Stack Overflow, but the results aren’t matching.
From the HTTP request Drone CI sends, would anyone know what values would go where?
POST / HTTP/1.1
Host: example.com
User-Agent: Go-http-client/1.1
Content-Length: 100
Accept: application/vnd.drone.validate.v1+json
Accept-Encoding: identity
Content-Type: application/json
Date: Wed, 09 Jun 2021 01:25:07 GMT
Digest: SHA-256=part1/part2+part3=
Signature: keyId="hmac-key",algorithm="hmac-sha256",signature="part1/part2=",headers="accept accept-encoding content-type date digest"
Update: For reference, this Stack Overflow post got me to a solution.