feat: add Phase 8 — Cutover (HTTPS + Archive GitHub)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
S
87
phase8_post_check.sh
Executable file
87
phase8_post_check.sh
Executable file
@@ -0,0 +1,87 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
# =============================================================================
|
||||
# phase8_post_check.sh — Verify Phase 8 (Cutover) succeeded
|
||||
# Checks:
|
||||
# 1. HTTPS works with valid cert
|
||||
# 2. HTTP redirects to HTTPS
|
||||
# 3. All repos accessible via HTTPS
|
||||
# 4. GitHub repos are archived
|
||||
# Exits 0 only if ALL checks pass.
|
||||
# =============================================================================
|
||||
|
||||
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
||||
source "${SCRIPT_DIR}/lib/common.sh"
|
||||
|
||||
load_env
|
||||
require_vars GITEA_DOMAIN GITEA_ADMIN_TOKEN GITEA_ORG_NAME \
|
||||
GITHUB_USERNAME GITHUB_TOKEN \
|
||||
REPO_1_NAME REPO_2_NAME REPO_3_NAME
|
||||
|
||||
log_info "=== Phase 8 Post-Check ==="
|
||||
|
||||
REPOS=("$REPO_1_NAME" "$REPO_2_NAME" "$REPO_3_NAME")
|
||||
PASS=0
|
||||
FAIL=0
|
||||
|
||||
run_check() {
|
||||
local description="$1"; shift
|
||||
if "$@" 2>/dev/null; then
|
||||
log_success "$description"
|
||||
PASS=$((PASS + 1))
|
||||
else
|
||||
log_error "FAIL: $description"
|
||||
FAIL=$((FAIL + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# Check 1: HTTPS works
|
||||
run_check "HTTPS returns 200 at https://${GITEA_DOMAIN}" \
|
||||
curl -sf -o /dev/null "https://${GITEA_DOMAIN}/api/v1/version"
|
||||
|
||||
# Check 2: HTTP redirects to HTTPS (returns 301)
|
||||
check_redirect() {
|
||||
local http_code
|
||||
http_code=$(curl -sI -o /dev/null -w "%{http_code}" "http://${GITEA_DOMAIN}/")
|
||||
[[ "$http_code" == "301" ]]
|
||||
}
|
||||
run_check "HTTP → HTTPS redirect (301)" check_redirect
|
||||
|
||||
# Check 3: SSL certificate is valid (not self-signed)
|
||||
check_ssl_cert() {
|
||||
# Verify openssl can connect and the cert is issued by a recognized CA
|
||||
local issuer
|
||||
issuer=$(echo | openssl s_client -connect "${GITEA_DOMAIN}:443" -servername "${GITEA_DOMAIN}" 2>/dev/null | openssl x509 -noout -issuer 2>/dev/null || echo "")
|
||||
# Check that the issuer is not empty (meaning cert is valid)
|
||||
[[ -n "$issuer" ]]
|
||||
}
|
||||
run_check "SSL certificate is valid" check_ssl_cert
|
||||
|
||||
# Check 4: All repos accessible via HTTPS
|
||||
for repo in "${REPOS[@]}"; do
|
||||
run_check "Repo ${repo} accessible at https://${GITEA_DOMAIN}/${GITEA_ORG_NAME}/${repo}" \
|
||||
curl -sf -o /dev/null -H "Authorization: token ${GITEA_ADMIN_TOKEN}" "https://${GITEA_DOMAIN}/api/v1/repos/${GITEA_ORG_NAME}/${repo}"
|
||||
done
|
||||
|
||||
# Check 5: GitHub repos are archived
|
||||
for repo in "${REPOS[@]}"; do
|
||||
check_archived() {
|
||||
local is_archived
|
||||
is_archived=$(github_api GET "/repos/${GITHUB_USERNAME}/$1" | jq -r '.archived')
|
||||
[[ "$is_archived" == "true" ]]
|
||||
}
|
||||
run_check "GitHub repo ${repo} is archived" check_archived "$repo"
|
||||
done
|
||||
|
||||
# Summary
|
||||
printf '\n'
|
||||
log_info "Results: ${PASS} passed, ${FAIL} failed"
|
||||
|
||||
if [[ $FAIL -gt 0 ]]; then
|
||||
log_error "Phase 8 post-check FAILED"
|
||||
exit 1
|
||||
else
|
||||
log_success "Phase 8 post-check PASSED — Gitea is live with HTTPS"
|
||||
exit 0
|
||||
fi
|
||||
Reference in New Issue
Block a user