web-deploy-plugin/run

#!/usr/bin/env python3
import os
import tempfile
import shutil
import glob
from subprocess import run

SOURCE = os.environ.get("PLUGIN_SOURCE", ".")
TARGET = os.environ['PLUGIN_TARGET']

def apply_key_permissions(keyfile):
    os.chmod(keyfile, 0o600)
    if not os.name == "nt":
        return

    username = os.environ['USERNAME']
    users_directory = "C:\\Users"
    run(["Icacls", keyfile, "/c", "/t", "/Inheritance:d"])
    run(["TakeOwn", "/F", keyfile])
    run(["Icacls", keyfile, "/c", "/t", "/Grant:r", f"{username}:F"])
    run(["Icacls", keyfile, "/c", "/t", "/Remove:g", "Administrator", "Authenticated Users", "BUILTIN\\Administrators", "BUILTIN", "Everyone", "System", "Users"])
    for other_user in [user for user in os.listdir(users_directory) if not user == username]:
        run(["Icacls", keyfile, "/c", "/t", "/Remove:g", other_user])
    run(["Icacls", keyfile])

def deploy(source, target, auth):
    for source_file in glob.glob(source):
        deploy_file(source_file, target, auth)

def deploy_file(source_file, target, auth):
    print(f">> {source_file} -> {target}")
    if target.startswith("http://") or target.startswith("https://"):
        run(["curl", "--user", auth, target, "--upload-file", source_file], check=True)
    else:
        run(["scp", "-i", auth, "-o", "StrictHostKeyChecking=no", "-o", "PasswordAuthentication=no", "-r", source_file, target], check=True)

temp_file_name = None
auth = None
try:
    if 'PLUGIN_KEY' in os.environ:
        with tempfile.NamedTemporaryFile(delete=False) as deploy_key:
            temp_file_name = deploy_key.name
            deploy_key.write(os.environ['PLUGIN_KEY'].encode())
            deploy_key.write(b"\n")
            deploy_key.close()

            apply_key_permissions(deploy_key.name)
            auth = deploy_key.name
    else:
        auth = os.environ['PLUGIN_AUTHENTICATION']

    deploy(SOURCE, TARGET, auth)
finally:
    if temp_file_name is not None:
        os.remove(temp_file_name)