web-deploy-plugin/run

#!/usr/bin/env python3
import os
import tempfile
import shutil
import glob
from subprocess import run

SOURCE = os.environ.get("PLUGIN_SOURCE", ".")
TARGET = os.environ['PLUGIN_TARGET']

def apply_key_permissions(keyfile):
    os.chmod(keyfile, 0o600)
    if not os.name == "nt":
        return

    username = os.environ['USERNAME']
    users_directory = "C:\\Users"
    run(["Icacls", keyfile, "/c", "/t", "/Inheritance:d"])
    run(["TakeOwn", "/F", keyfile])
    run(["Icacls", keyfile, "/c", "/t", "/Grant:r", f"{username}:F"])
    run(["Icacls", keyfile, "/c", "/t", "/Remove:g", "Administrator", "Authenticated Users", "BUILTIN\\Administrators", "BUILTIN", "Everyone", "System", "Users"])
    for other_user in [user for user in os.listdir(users_directory) if not user == username]:
        run(["Icacls", keyfile, "/c", "/t", "/Remove:g", other_user])
    run(["Icacls", keyfile])

def deploy(source, target, keyfile):
    for source_file in glob.glob(source):
        print(f">> {source_file} -> {target}")
        run(["scp", "-i", keyfile, "-o", "StrictHostKeyChecking=no", "-o", "PasswordAuthentication=no", "-r", source_file, target], check=True)

temp_file_name = None
try:
    with tempfile.NamedTemporaryFile(delete=False) as deploy_key:
        temp_file_name = deploy_key.name
        deploy_key.write(os.environ['PLUGIN_KEY'].encode())
        deploy_key.write(b"\n")
        deploy_key.close()

        apply_key_permissions(deploy_key.name)
        deploy(SOURCE, TARGET, deploy_key.name)
finally:
    if temp_file_name is not None:
        os.remove(temp_file_name)