1

This is my first time exploring webhooks and auto-deploy from GitLab to a production server (DigitalOcean).

I'll trigger a URL ( http://example.com/git/hook/pull-master.php ) via webhook whenever I push files from my local machine.

Below is the code of pull-master.php:

```php
$cmd = "git pull https://usr:pwd@gitlab.com/johndoe/project.git master";
echo shell_exec($cmd);
```

May I know

  1. Is the above auto-deploy method secure?
  2. Can a production server have .git folders? Assuming the project's .git directory is approx. 100MB ~ 500MB

Is the above auto-deploy method safe? Is this the usual way developers auto-deploy code to their staging/production servers?

Mavichow
  • It's really really bad to have `.git` folders in production: https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/ – Brennen Smith Jan 17 '17 at 20:20

1 Answer

0

I think this should be fine as long as you prevent your .git directory from being accessed publicly.

Check out https://gist.github.com/nichtich/5290675#file-deploy-php for a more in-depth version of what you're doing.

Tyler
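For comparison with the `pull-master.php` in the question, here is a hardened handler as an added example (not code from the original post or from the linked gist). It checks the secret token GitLab sends in the `X-Gitlab-Token` header, acts only on pushes to `master`, and keeps credentials out of the command. Assumptions: the `DEPLOY_HOOK_TOKEN` variable name, the `/srv/project` path, a document root that is a subdirectory of the work tree, and an `origin` remote that authenticates with a read-only deploy key.

```php
<?php
// Added example: hardened pull-master.php. Names and paths below are assumptions.
declare(strict_types=1);

// Assumption: the same value is set as the webhook's "Secret token" in GitLab
// and exported to PHP as DEPLOY_HOOK_TOKEN (hypothetical variable name).
$expected = getenv('DEPLOY_HOOK_TOKEN') ?: '';
// Assumption: the work tree sits above the document root (e.g. /srv/project/public
// is served), so the .git directory is never reachable over HTTP.
$repoDir = '/srv/project';
$branch  = 'master';

function deny(int $code, string $msg): void
{
    http_response_code($code);
    exit($msg . "\n");
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    deny(405, 'POST only');
}

// Constant-time comparison; an unset secret rejects every request.
$given = $_SERVER['HTTP_X_GITLAB_TOKEN'] ?? '';
if ($expected === '' || !hash_equals($expected, $given)) {
    deny(403, 'bad token');
}

// Deploy only when the push event targets the deployed branch.
$payload = json_decode(file_get_contents('php://input') ?: '', true);
if (!is_array($payload) || ($payload['ref'] ?? '') !== "refs/heads/$branch") {
    deny(202, "ignored: not a push to $branch");
}

// No usr:pwd in the URL; --ff-only refuses to merge if the server copy diverged.
$cmd = sprintf(
    'git -C %s pull --ff-only origin %s 2>&1',
    escapeshellarg($repoDir),
    escapeshellarg($branch)
);
exec($cmd, $out, $status);

// Git output goes to the server log, not to the HTTP response.
error_log("deploy hook: git exited $status: " . implode(' | ', $out));
http_response_code($status === 0 ? 200 : 500);
echo $status === 0 ? "deployed\n" : "deploy failed\n";
```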