
How to securely trigger a git pull using a webhook?

I have set up a github webhook to talk to my webserver api (server is apache2). I securely check for the github secret using the encryption of the payload, as specified on their help page.

When a push to master is done on the repo of the web application, a script (deploy.sh) is triggered via PHP's exec(). If I trigger this script manually, as root, everything is perfect. But of course, the user that triggers the script under normal circumstances is www-data.

My question is what is the best practice for www-data to do a git pull of the new repo? I have mostly discarded doing exec sudo, but maybe that is the way. One problem of the many that I'm facing with making www-data trigger a git pull is that the ~/.ssh/id_rsa file is only set up for root (when building the server image on docker). It's a read-only ssh-key.

This is a legacy application so what really worries me is that through some php exploit someone could do the exec without being github. And from there escalate to get read access to the repo or something worse.

The question is really, what is the best practice to update a web application using a webhook?

Solution was allowing www-data to sudo only the deploy command:

echo 'www-data ALL=(ALL) NOPASSWD: /var/my-cool-scripts/deploy.sh' | sudo EDITOR='tee -a' visudo

on php:

exec('sudo -n /var/my-cool-scripts/deploy.sh')

PS: actually used this neat trick to know the execution was okay

// exec() returns the last line of output; the trailing "|| false" in the original was a no-op and is dropped
$did_the_script_run_okay = exec('sudo -n /var/my-cool-scripts/deploy.sh') == "okay";

last line of deploy.sh:

echo "okay"

the exec command returns the last line echoed by the command, so I check that to ensure complete execution
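Putting the two halves of the answer together, here is an added example (not code from the original post) of a webhook endpoint that verifies GitHub's HMAC signature before calling the sudo-restricted deploy script and then checks both the exit status and the trailing "okay" line. The script path and sudoers rule are the ones from the answer; the GITHUB_WEBHOOK_SECRET environment variable, the X-Hub-Signature-256 header handling and the function names are assumptions for this example.

```php
<?php
// Added example, not from the original post: a GitHub webhook receiver that
// only runs the deploy script after the payload signature has been verified.
declare(strict_types=1);

const DEPLOY_SCRIPT = '/var/my-cool-scripts/deploy.sh'; // path from the post

// GitHub sends "sha256=<hex HMAC of the raw body>" in X-Hub-Signature-256.
function verifySignature(string $payload, ?string $header, string $secret): bool
{
    if ($header === null || strncmp($header, 'sha256=', 7) !== 0) {
        return false;
    }
    $expected = 'sha256=' . hash_hmac('sha256', $payload, $secret);
    // hash_equals() is a constant-time comparison, so the check does not leak timing.
    return hash_equals($expected, $header);
}

// Only deploy on pushes to master, as the question describes.
function isMasterPush(array $event): bool
{
    return ($event['ref'] ?? '') === 'refs/heads/master';
}

// Run the deploy script through the restricted sudo rule and require both a
// zero exit status and the "okay" sentinel printed as the script's last line.
function runDeploy(): bool
{
    $output = [];
    $status = 1;
    // -n: never prompt for a password; the sudoers rule limits www-data to exactly this script.
    // No request-derived data is passed to the command, so there is nothing to inject.
    exec('sudo -n ' . escapeshellarg(DEPLOY_SCRIPT) . ' 2>&1', $output, $status);
    $last = end($output); // false when there was no output at all
    return $status === 0 && $last === 'okay';
}

// --- request handling (assumes the secret is exported into the Apache environment) ---
$secret = getenv('GITHUB_WEBHOOK_SECRET');
if ($secret === false || $secret === '') {
    http_response_code(500);
    exit('webhook secret not configured');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}
$payload = file_get_contents('php://input');
$signature = $_SERVER['HTTP_X_HUB_SIGNATURE_256'] ?? null;
if (!verifySignature($payload, $signature, $secret)) {
    http_response_code(403); // reject before touching exec() at all
    exit('bad signature');
}
$event = json_decode($payload, true);
if (!is_array($event)
    || ($_SERVER['HTTP_X_GITHUB_EVENT'] ?? '') !== 'push'
    || !isMasterPush($event)) {
    http_response_code(204); // authenticated, but nothing to deploy
    exit;
}
http_response_code(runDeploy() ? 200 : 500);
```

Two details worth keeping in mind with the sudoers line from the answer: as written, `NOPASSWD: /var/my-cool-scripts/deploy.sh` permits www-data to pass arbitrary arguments to the script, so appending an empty argument list (`/var/my-cool-scripts/deploy.sh ""`) pins the rule to a bare invocation, and the script itself must be owned by root and not writable by www-data, otherwise the PHP exploit the question worries about could simply edit what runs as root.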
