fix: harden phase auth and failure handling

This commit is contained in:
S
2026-02-28 22:09:21 -05:00
parent 0e0aeda658
commit 5ce3a234f3
6 changed files with 132 additions and 15 deletions


@@ -26,17 +26,46 @@ phase_header 5 "Migrate Pipelines (GitHub → Gitea Actions)"
REPOS=("$REPO_1_NAME" "$REPO_2_NAME" "$REPO_3_NAME") REPOS=("$REPO_1_NAME" "$REPO_2_NAME" "$REPO_3_NAME")
TEMP_BASE="/tmp/gitea-migration" TEMP_BASE="/tmp/gitea-migration"
MIGRATION_HEADER="# Migrated from GitHub Actions — review for Gitea compatibility" MIGRATION_HEADER="# Migrated from GitHub Actions — review for Gitea compatibility"
GITEA_BASE_URL="${GITEA_INTERNAL_URL%/}"
ASKPASS_SCRIPT=""
# Clean up temp directory on exit (even on failure) # Clean up temp directory on exit (even on failure)
cleanup() { cleanup() {
rm -rf "$TEMP_BASE" rm -rf "$TEMP_BASE"
if [[ -n "$ASKPASS_SCRIPT" ]]; then
rm -f "$ASKPASS_SCRIPT"
fi
} }
trap cleanup EXIT trap cleanup EXIT
# Use ephemeral askpass auth so tokens are never embedded in git remote URLs.
setup_git_auth() {
ASKPASS_SCRIPT=$(mktemp)
cat > "$ASKPASS_SCRIPT" <<'EOF'
#!/usr/bin/env sh
case "$1" in
*sername*) printf '%s\n' "$GITEA_GIT_USERNAME" ;;
*assword*) printf '%s\n' "$GITEA_GIT_TOKEN" ;;
*) printf '\n' ;;
esac
EOF
chmod 700 "$ASKPASS_SCRIPT"
}
git_with_auth() {
GIT_TERMINAL_PROMPT=0 \
GIT_ASKPASS="$ASKPASS_SCRIPT" \
GITEA_GIT_USERNAME="$GITEA_ADMIN_USER" \
GITEA_GIT_TOKEN="$GITEA_ADMIN_TOKEN" \
"$@"
}
SUCCESS=0 SUCCESS=0
SKIPPED=0 SKIPPED=0
FAILED=0 FAILED=0
setup_git_auth
for repo in "${REPOS[@]}"; do for repo in "${REPOS[@]}"; do
log_info "--- Processing repo: ${repo} ---" log_info "--- Processing repo: ${repo} ---"
@@ -58,11 +87,9 @@ for repo in "${REPOS[@]}"; do
rm -rf "$CLONE_DIR" rm -rf "$CLONE_DIR"
mkdir -p "$CLONE_DIR" mkdir -p "$CLONE_DIR"
# Construct clone URL with embedded token for auth REPO_URL="${GITEA_BASE_URL}/${GITEA_ORG_NAME}/${repo}.git"
# Format: http://token:TOKEN@host:port/org/repo.git
CLONE_URL="${GITEA_INTERNAL_URL%%://*}://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@${GITEA_INTERNAL_URL#*://}"
log_info "Cloning ${repo}..." log_info "Cloning ${repo}..."
git clone -q "${CLONE_URL}/${GITEA_ORG_NAME}/${repo}.git" "$CLONE_DIR" git_with_auth git clone -q "$REPO_URL" "$CLONE_DIR"
# ------------------------------------------------------------------------- # -------------------------------------------------------------------------
# Step 2: Check for GitHub workflows # Step 2: Check for GitHub workflows
@@ -137,7 +164,7 @@ for repo in "${REPOS[@]}"; do
git config user.email "migration@gitea.local" git config user.email "migration@gitea.local"
git add .gitea/ git add .gitea/
git commit -q -m "Migrate workflows to Gitea Actions" git commit -q -m "Migrate workflows to Gitea Actions"
git push -q origin HEAD git_with_auth git push -q origin HEAD
cd "$SCRIPT_DIR" cd "$SCRIPT_DIR"
log_success "Workflows migrated for ${repo}" log_success "Workflows migrated for ${repo}"
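Review bot: git_with_auth leaves git's credential-helper chain active, so if the invoking user has `credential.helper = store` (or `cache`) in their global config, the admin token that git obtains from the askpass helper is passed to `credential approve` and can be persisted in plaintext in `~/.git-credentials` — undoing the point of keeping it out of the remote URL. Add `GIT_CONFIG_COUNT=1 GIT_CONFIG_KEY_0=credential.helper GIT_CONFIG_VALUE_0=` to the env prefix in git_with_auth (git 2.31+), or pass `-c credential.helper=` right after `git` in each call, so no helper is consulted or written for these operations. Passing the token in the environment is still a clear improvement over argv and `.git/config`, but it is visible to any process of the same user that can read `/proc/<pid>/environ`, which is worth a one-line comment. The `for repo` loop that begins at the end of the first hunk continues outside the hunk, so I could not see whether the clone's exit status is checked.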


@@ -19,12 +19,38 @@ log_warn "=== Phase 5 Teardown: Remove Gitea Workflows ==="
REPOS=("$REPO_1_NAME" "$REPO_2_NAME" "$REPO_3_NAME") REPOS=("$REPO_1_NAME" "$REPO_2_NAME" "$REPO_3_NAME")
TEMP_BASE="/tmp/gitea-migration-teardown" TEMP_BASE="/tmp/gitea-migration-teardown"
GITEA_BASE_URL="${GITEA_INTERNAL_URL%/}"
ASKPASS_SCRIPT=""
cleanup() { cleanup() {
rm -rf "$TEMP_BASE" rm -rf "$TEMP_BASE"
if [[ -n "$ASKPASS_SCRIPT" ]]; then
rm -f "$ASKPASS_SCRIPT"
fi
} }
trap cleanup EXIT trap cleanup EXIT
setup_git_auth() {
ASKPASS_SCRIPT=$(mktemp)
cat > "$ASKPASS_SCRIPT" <<'EOF'
#!/usr/bin/env sh
case "$1" in
*sername*) printf '%s\n' "$GITEA_GIT_USERNAME" ;;
*assword*) printf '%s\n' "$GITEA_GIT_TOKEN" ;;
*) printf '\n' ;;
esac
EOF
chmod 700 "$ASKPASS_SCRIPT"
}
git_with_auth() {
GIT_TERMINAL_PROMPT=0 \
GIT_ASKPASS="$ASKPASS_SCRIPT" \
GITEA_GIT_USERNAME="$GITEA_ADMIN_USER" \
GITEA_GIT_TOKEN="$GITEA_ADMIN_TOKEN" \
"$@"
}
printf 'This will remove .gitea/workflows/ from all repos. Continue? [y/N] ' printf 'This will remove .gitea/workflows/ from all repos. Continue? [y/N] '
read -r confirm read -r confirm
if [[ ! "$confirm" =~ ^[Yy]$ ]]; then if [[ ! "$confirm" =~ ^[Yy]$ ]]; then
@@ -32,6 +58,8 @@ if [[ ! "$confirm" =~ ^[Yy]$ ]]; then
exit 0 exit 0
fi fi
setup_git_auth
for repo in "${REPOS[@]}"; do for repo in "${REPOS[@]}"; do
log_info "--- Processing: ${repo} ---" log_info "--- Processing: ${repo} ---"
@@ -45,8 +73,8 @@ for repo in "${REPOS[@]}"; do
CLONE_DIR="${TEMP_BASE}/${repo}" CLONE_DIR="${TEMP_BASE}/${repo}"
rm -rf "$CLONE_DIR" rm -rf "$CLONE_DIR"
CLONE_URL="${GITEA_INTERNAL_URL%%://*}://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@${GITEA_INTERNAL_URL#*://}" REPO_URL="${GITEA_BASE_URL}/${GITEA_ORG_NAME}/${repo}.git"
git clone -q "${CLONE_URL}/${GITEA_ORG_NAME}/${repo}.git" "$CLONE_DIR" git_with_auth git clone -q "$REPO_URL" "$CLONE_DIR"
if [[ -d "${CLONE_DIR}/.gitea/workflows" ]]; then if [[ -d "${CLONE_DIR}/.gitea/workflows" ]]; then
rm -rf "${CLONE_DIR}/.gitea/workflows" rm -rf "${CLONE_DIR}/.gitea/workflows"
@@ -55,7 +83,7 @@ for repo in "${REPOS[@]}"; do
git config user.email "migration@gitea.local" git config user.email "migration@gitea.local"
git add -A git add -A
git commit -q -m "Remove Gitea Actions workflows (teardown)" git commit -q -m "Remove Gitea Actions workflows (teardown)"
git push -q origin HEAD git_with_auth git push -q origin HEAD
cd "$SCRIPT_DIR" cd "$SCRIPT_DIR"
log_success "Removed .gitea/workflows/ from ${repo}" log_success "Removed .gitea/workflows/ from ${repo}"
else else
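Review bot: setup_git_auth, git_with_auth and the ASKPASS_SCRIPT cleanup are pasted verbatim into this script and three sibling scripts in the same commit; the phase 6 script sources `lib/common.sh` and this one presumably does too, so the credential-handling helpers belong there (with a `cleanup_git_auth` the trap can call), because four copies of a routine that handles an admin token will drift. While moving it, make setup_git_auth fail loudly rather than leaving GIT_ASKPASS pointing at an empty path when mktemp fails, unless a `set -e` in the header outside this hunk already covers it: `ASKPASS_SCRIPT=$(mktemp) || { log_error "mktemp failed"; exit 1; }`. The repo loop that starts after `setup_git_auth` continues outside the hunk, so I could not see how a failed `git_with_auth git clone` is handled before the `-d` test.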


@@ -18,7 +18,7 @@ source "${SCRIPT_DIR}/lib/common.sh"
load_env load_env
require_vars GITEA_ADMIN_TOKEN GITEA_INTERNAL_URL GITEA_ORG_NAME \ require_vars GITEA_ADMIN_TOKEN GITEA_INTERNAL_URL GITEA_ORG_NAME \
GITHUB_USERNAME GITHUB_MIRROR_TOKEN GITHUB_MIRROR_INTERVAL \ GITHUB_USERNAME GITHUB_TOKEN GITHUB_MIRROR_TOKEN GITHUB_MIRROR_INTERVAL \
REPO_1_NAME REPO_2_NAME REPO_3_NAME REPO_1_NAME REPO_2_NAME REPO_3_NAME
phase_header 6 "GitHub Push Mirrors" phase_header 6 "GitHub Push Mirrors"
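Review bot: The hunk makes GITHUB_TOKEN required next to GITHUB_MIRROR_TOKEN but nothing visible says why two GitHub credentials are needed or where GITHUB_TOKEN is consumed (presumably the github_api helper, which is outside this hunk). A one-line comment above require_vars documenting what each token is used for and the minimum scope it needs would stop operators from reusing one broad token for both, e.g. `# GITHUB_TOKEN: API calls made from this host; GITHUB_MIRROR_TOKEN: stored in Gitea's push-mirror config — keep them separate so each can be scoped narrowly`. Confirm the split against the code that actually uses them before wording the comment.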


@@ -369,6 +369,7 @@ fi
log_step 11 "Marking GitHub repos as offsite backup..." log_step 11 "Marking GitHub repos as offsite backup..."
init_phase8_state_store init_phase8_state_store
GITHUB_REPO_UPDATE_FAILURES=0
for repo in "${REPOS[@]}"; do for repo in "${REPOS[@]}"; do
# Fetch repo metadata (single API call) # Fetch repo metadata (single API call)
REPO_DATA=$(github_api GET "/repos/${GITHUB_USERNAME}/${repo}" 2>/dev/null || echo "{}") REPO_DATA=$(github_api GET "/repos/${GITHUB_USERNAME}/${repo}" 2>/dev/null || echo "{}")
@@ -403,6 +404,7 @@ for repo in "${REPOS[@]}"; do
log_success "Marked GitHub repo as mirror: ${repo}" log_success "Marked GitHub repo as mirror: ${repo}"
else else
log_error "Failed to update GitHub repo: ${repo}" log_error "Failed to update GitHub repo: ${repo}"
GITHUB_REPO_UPDATE_FAILURES=$((GITHUB_REPO_UPDATE_FAILURES + 1))
fi fi
# Disable GitHub Pages if enabled (Pages can incur bandwidth costs) # Disable GitHub Pages if enabled (Pages can incur bandwidth costs)
@@ -413,5 +415,9 @@ done
# Summary # Summary
# --------------------------------------------------------------------------- # ---------------------------------------------------------------------------
printf '\n' printf '\n'
if [[ "$GITHUB_REPO_UPDATE_FAILURES" -gt 0 ]]; then
log_error "Phase 8 failed: ${GITHUB_REPO_UPDATE_FAILURES} GitHub repo update(s) failed"
exit 1
fi
log_success "Phase 8 complete — Gitea is live at https://${GITEA_DOMAIN}" log_success "Phase 8 complete — Gitea is live at https://${GITEA_DOMAIN}"
log_info "GitHub repos marked as offsite backup. Push mirrors remain active." log_info "GitHub repos marked as offsite backup. Push mirrors remain active."
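Review bot: The new failure counter only fires in the else branch of the update, while the metadata fetch a few lines earlier still turns any github_api error into `{}` via `2>/dev/null || echo "{}"`, so an auth failure or rate limit there is swallowed and — depending on the code between the hunks — the repo is likely skipped without incrementing GITHUB_REPO_UPDATE_FAILURES, and the phase still exits 0 and prints "complete". Count that case too: `if [[ -z "$REPO_DATA" || "$REPO_DATA" == "{}" ]]; then log_error "Failed to fetch GitHub repo metadata: ${repo}"; GITHUB_REPO_UPDATE_FAILURES=$((GITHUB_REPO_UPDATE_FAILURES + 1)); continue; fi` right after the fetch. The "Disable GitHub Pages" step that follows the update is in the same position and the hunk does not show whether its failure is reported. The loop body spans three hunks and the update call itself is outside view.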


@@ -29,16 +29,44 @@ phase_header 9 "Security Scanning"
REPOS=("$REPO_1_NAME" "$REPO_2_NAME" "$REPO_3_NAME") REPOS=("$REPO_1_NAME" "$REPO_2_NAME" "$REPO_3_NAME")
TEMP_BASE="/tmp/gitea-migration-security" TEMP_BASE="/tmp/gitea-migration-security"
GITEA_BASE_URL="${GITEA_INTERNAL_URL%/}"
ASKPASS_SCRIPT=""
cleanup() { cleanup() {
rm -rf "$TEMP_BASE" rm -rf "$TEMP_BASE"
if [[ -n "$ASKPASS_SCRIPT" ]]; then
rm -f "$ASKPASS_SCRIPT"
fi
} }
trap cleanup EXIT trap cleanup EXIT
setup_git_auth() {
ASKPASS_SCRIPT=$(mktemp)
cat > "$ASKPASS_SCRIPT" <<'EOF'
#!/usr/bin/env sh
case "$1" in
*sername*) printf '%s\n' "$GITEA_GIT_USERNAME" ;;
*assword*) printf '%s\n' "$GITEA_GIT_TOKEN" ;;
*) printf '\n' ;;
esac
EOF
chmod 700 "$ASKPASS_SCRIPT"
}
git_with_auth() {
GIT_TERMINAL_PROMPT=0 \
GIT_ASKPASS="$ASKPASS_SCRIPT" \
GITEA_GIT_USERNAME="$GITEA_ADMIN_USER" \
GITEA_GIT_TOKEN="$GITEA_ADMIN_TOKEN" \
"$@"
}
SUCCESS=0 SUCCESS=0
SKIPPED=0 SKIPPED=0
FAILED=0 FAILED=0
setup_git_auth
for repo in "${REPOS[@]}"; do for repo in "${REPOS[@]}"; do
log_info "--- Processing repo: ${repo} ---" log_info "--- Processing repo: ${repo} ---"
@@ -58,9 +86,9 @@ for repo in "${REPOS[@]}"; do
rm -rf "$CLONE_DIR" rm -rf "$CLONE_DIR"
mkdir -p "$CLONE_DIR" mkdir -p "$CLONE_DIR"
CLONE_URL="${GITEA_INTERNAL_URL%%://*}://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@${GITEA_INTERNAL_URL#*://}" REPO_URL="${GITEA_BASE_URL}/${GITEA_ORG_NAME}/${repo}.git"
log_info "Cloning ${repo}..." log_info "Cloning ${repo}..."
git clone -q "${CLONE_URL}/${GITEA_ORG_NAME}/${repo}.git" "$CLONE_DIR" git_with_auth git clone -q "$REPO_URL" "$CLONE_DIR"
# ------------------------------------------------------------------------- # -------------------------------------------------------------------------
# Step 2: Render security workflow template # Step 2: Render security workflow template
@@ -82,7 +110,7 @@ for repo in "${REPOS[@]}"; do
git config user.email "migration@gitea.local" git config user.email "migration@gitea.local"
git add .gitea/workflows/security-scan.yml git add .gitea/workflows/security-scan.yml
git commit -q -m "Add security scanning workflow (Semgrep + Trivy + Gitleaks)" git commit -q -m "Add security scanning workflow (Semgrep + Trivy + Gitleaks)"
git push -q origin HEAD git_with_auth git push -q origin HEAD
cd "$SCRIPT_DIR" cd "$SCRIPT_DIR"
log_success "Security workflow deployed to ${repo}" log_success "Security workflow deployed to ${repo}"
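Review bot: The askpass helper is a script created by `mktemp` under TMPDIR (by default /tmp) that git must exec; on hosts where /tmp is mounted noexec, as hardened servers often are, every `git_with_auth` call will fail with an opaque "could not read Username" error while GIT_TERMINAL_PROMPT=0 suppresses the fallback prompt. Add a pre-flight to setup_git_auth after the chmod so this is diagnosed once at setup rather than once per repo: `"$ASKPASS_SCRIPT" Username: >/dev/null || { log_error "askpass helper is not executable (noexec TMPDIR?)"; exit 1; }` — with GITEA_GIT_USERNAME unset in that invocation the helper just prints an empty line, so the check is harmless. The repo loop that starts after `setup_git_auth` continues outside the hunk.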


@@ -20,12 +20,38 @@ log_warn "=== Phase 9 Teardown: Security Scanning ==="
REPOS=("$REPO_1_NAME" "$REPO_2_NAME" "$REPO_3_NAME") REPOS=("$REPO_1_NAME" "$REPO_2_NAME" "$REPO_3_NAME")
TEMP_BASE="/tmp/gitea-migration-security-teardown" TEMP_BASE="/tmp/gitea-migration-security-teardown"
GITEA_BASE_URL="${GITEA_INTERNAL_URL%/}"
ASKPASS_SCRIPT=""
cleanup() { cleanup() {
rm -rf "$TEMP_BASE" rm -rf "$TEMP_BASE"
if [[ -n "$ASKPASS_SCRIPT" ]]; then
rm -f "$ASKPASS_SCRIPT"
fi
} }
trap cleanup EXIT trap cleanup EXIT
setup_git_auth() {
ASKPASS_SCRIPT=$(mktemp)
cat > "$ASKPASS_SCRIPT" <<'EOF'
#!/usr/bin/env sh
case "$1" in
*sername*) printf '%s\n' "$GITEA_GIT_USERNAME" ;;
*assword*) printf '%s\n' "$GITEA_GIT_TOKEN" ;;
*) printf '\n' ;;
esac
EOF
chmod 700 "$ASKPASS_SCRIPT"
}
git_with_auth() {
GIT_TERMINAL_PROMPT=0 \
GIT_ASKPASS="$ASKPASS_SCRIPT" \
GITEA_GIT_USERNAME="$GITEA_ADMIN_USER" \
GITEA_GIT_TOKEN="$GITEA_ADMIN_TOKEN" \
"$@"
}
printf 'This will remove security-scan.yml from all repos. Continue? [y/N] ' printf 'This will remove security-scan.yml from all repos. Continue? [y/N] '
read -r confirm read -r confirm
if [[ ! "$confirm" =~ ^[Yy]$ ]]; then if [[ ! "$confirm" =~ ^[Yy]$ ]]; then
@@ -33,6 +59,8 @@ if [[ ! "$confirm" =~ ^[Yy]$ ]]; then
exit 0 exit 0
fi fi
setup_git_auth
for repo in "${REPOS[@]}"; do for repo in "${REPOS[@]}"; do
log_info "--- Processing: ${repo} ---" log_info "--- Processing: ${repo} ---"
@@ -46,8 +74,8 @@ for repo in "${REPOS[@]}"; do
CLONE_DIR="${TEMP_BASE}/${repo}" CLONE_DIR="${TEMP_BASE}/${repo}"
rm -rf "$CLONE_DIR" rm -rf "$CLONE_DIR"
CLONE_URL="${GITEA_INTERNAL_URL%%://*}://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@${GITEA_INTERNAL_URL#*://}" REPO_URL="${GITEA_BASE_URL}/${GITEA_ORG_NAME}/${repo}.git"
git clone -q "${CLONE_URL}/${GITEA_ORG_NAME}/${repo}.git" "$CLONE_DIR" git_with_auth git clone -q "$REPO_URL" "$CLONE_DIR"
if [[ -f "${CLONE_DIR}/.gitea/workflows/security-scan.yml" ]]; then if [[ -f "${CLONE_DIR}/.gitea/workflows/security-scan.yml" ]]; then
rm -f "${CLONE_DIR}/.gitea/workflows/security-scan.yml" rm -f "${CLONE_DIR}/.gitea/workflows/security-scan.yml"
@@ -56,7 +84,7 @@ for repo in "${REPOS[@]}"; do
git config user.email "migration@gitea.local" git config user.email "migration@gitea.local"
git add -A git add -A
git commit -q -m "Remove security scanning workflow (teardown)" git commit -q -m "Remove security scanning workflow (teardown)"
git push -q origin HEAD git_with_auth git push -q origin HEAD
cd "$SCRIPT_DIR" cd "$SCRIPT_DIR"
log_success "Removed security-scan.yml from ${repo}" log_success "Removed security-scan.yml from ${repo}"
fi fi
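Review bot: The default arm of the askpass helper (`*) printf '\n' ;;`) answers any prompt that is not a username or password request with an empty line, so an unexpected prompt — a proxy credential or a client-certificate passphrase, for instance — silently gets an empty answer and the operation fails later with an unrelated error. Make the helper fail closed and say why: `*) printf 'askpass: unexpected prompt: %s\n' "$1" >&2; exit 1 ;;` — git treats a non-zero askpass exit as a fatal "could not read" error, which is the diagnosable outcome. The same helper text is duplicated in the phase 5 and phase 9 scripts, so the fix should land in all copies or in a shared helper. The repo loop that starts after `setup_git_auth` continues outside the hunk.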