fix: harden phase auth and failure handling

phase9_security.sh

@@ -29,16 +29,44 @@ phase_header 9 "Security Scanning"
 
 REPOS=("$REPO_1_NAME" "$REPO_2_NAME" "$REPO_3_NAME")
 TEMP_BASE="/tmp/gitea-migration-security"
+GITEA_BASE_URL="${GITEA_INTERNAL_URL%/}"
+ASKPASS_SCRIPT=""
 
 cleanup() {
   rm -rf "$TEMP_BASE"
+  if [[ -n "$ASKPASS_SCRIPT" ]]; then
+    rm -f "$ASKPASS_SCRIPT"
+  fi
 }
 trap cleanup EXIT
 
+setup_git_auth() {
+  ASKPASS_SCRIPT=$(mktemp)
+  cat > "$ASKPASS_SCRIPT" <<'EOF'
+#!/usr/bin/env sh
+case "$1" in
+  *sername*) printf '%s\n' "$GITEA_GIT_USERNAME" ;;
+  *assword*) printf '%s\n' "$GITEA_GIT_TOKEN" ;;
+  *) printf '\n' ;;
+esac
+EOF
+  chmod 700 "$ASKPASS_SCRIPT"
+}
+
+git_with_auth() {
+  GIT_TERMINAL_PROMPT=0 \
+  GIT_ASKPASS="$ASKPASS_SCRIPT" \
+  GITEA_GIT_USERNAME="$GITEA_ADMIN_USER" \
+  GITEA_GIT_TOKEN="$GITEA_ADMIN_TOKEN" \
+  "$@"
+}
+
 SUCCESS=0
 SKIPPED=0
 FAILED=0
 
+setup_git_auth
+
 for repo in "${REPOS[@]}"; do
   log_info "--- Processing repo: ${repo} ---"
 
@@ -58,9 +86,9 @@ for repo in "${REPOS[@]}"; do
   rm -rf "$CLONE_DIR"
   mkdir -p "$CLONE_DIR"
 
-  CLONE_URL="${GITEA_INTERNAL_URL%%://*}://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@${GITEA_INTERNAL_URL#*://}"
+  REPO_URL="${GITEA_BASE_URL}/${GITEA_ORG_NAME}/${repo}.git"
   log_info "Cloning ${repo}..."
-  git clone -q "${CLONE_URL}/${GITEA_ORG_NAME}/${repo}.git" "$CLONE_DIR"
+  git_with_auth git clone -q "$REPO_URL" "$CLONE_DIR"
 
   # -------------------------------------------------------------------------
   # Step 2: Render security workflow template
@@ -82,7 +110,7 @@ for repo in "${REPOS[@]}"; do
   git config user.email "migration@gitea.local"
   git add .gitea/workflows/security-scan.yml
   git commit -q -m "Add security scanning workflow (Semgrep + Trivy + Gitleaks)"
-  git push -q origin HEAD
+  git_with_auth git push -q origin HEAD
   cd "$SCRIPT_DIR"
 
   log_success "Security workflow deployed to ${repo}"