fix: address multiple bugs from code review

- teardown_all.sh: replace `yes |` pipeline with `< <(yes)` process
  substitution to avoid SIGPIPE (exit 141) false failures under pipefail
- phase6_teardown.sh: extract push mirror `.id` instead of `.remote_name`
  to match the DELETE /push_mirrors/{id} API contract
- phase5_migrate_pipelines.sh: expand sed regex from `[a-z_]*` to
  `[a-z_.]*` to handle nested GitHub contexts like
  `github.event.pull_request.number`
- lib/common.sh: render_template now requires explicit variable list to
  prevent envsubst from eating Nginx variables ($host, $proxy_add_...)
- backup scripts: remove MacBook relay, use direct Unraid↔Fedora SCP;
  fix dump path to write to /data/ (mounted volume) instead of /tmp/
  (container-only); add unzip -t integrity verification
- preflight.sh: add --skip-port-checks flag for resuming with
  --start-from (ports already bound by earlier phases)
- run_all.sh: update run_step to pass extra args; use --skip-port-checks
  when --start-from > 1
- post-checks (phase4/7/9): wrap API calls in helper functions with
  >/dev/null redirection instead of passing -o /dev/null as API data
- phase8: replace GitHub archiving with [MIRROR] description marking
  and disable wiki/projects/Pages (archived repos reject push mirrors)
- restore_to_primary.sh: add require_vars for Fedora SSH variables

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backup/backup_primary.sh

@@ -12,10 +12,11 @@ set -euo pipefail
 #
 # Steps:
 #   1. Run `gitea dump` inside the container to create a zip archive
-#   2. SCP the dump from Unraid to Fedora (offsite storage)
-#   3. Clean up the dump from Unraid /tmp
-#   4. Prune old backups beyond retention count
-#   5. Print backup summary
+#   2. SCP the dump directly from Unraid to Fedora (no MacBook relay)
+#   3. Verify archive integrity on Fedora
+#   4. Clean up the dump from Unraid /tmp
+#   5. Prune old backups beyond retention count
+#   6. Print backup summary
 # =============================================================================
 
 SCRIPT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
@@ -31,50 +32,56 @@ log_info "=== Gitea Primary Backup ==="
 # ---------------------------------------------------------------------------
 # Step 1: Run gitea dump inside the container
 # The -u git flag is important — gitea dump must run as the git user who
-# owns the repository files. The dump is created in /tmp inside the container
-# which maps to /tmp on the host via the default Docker tmpfs mount.
+# owns the repository files. The dump is written to /data/ inside the
+# container, which is mounted from ${DATA_PATH}/data on the host.
+# Writing to /data/ (mounted volume) instead of /tmp/ (container-only
+# filesystem) ensures the dump is accessible from the host for SCP.
 # ---------------------------------------------------------------------------
+DATA_PATH="$UNRAID_GITEA_DATA_PATH"
 TIMESTAMP=$(date +%Y%m%d-%H%M%S)
 DUMP_FILENAME="gitea-dump-${TIMESTAMP}.zip"
-DUMP_REMOTE_PATH="/tmp/${DUMP_FILENAME}"
+DUMP_CONTAINER_PATH="/data/${DUMP_FILENAME}"
+DUMP_HOST_PATH="${DATA_PATH}/data/${DUMP_FILENAME}"
 
 log_info "Creating Gitea dump on Unraid..."
 ssh_exec UNRAID "docker exec -u git gitea gitea dump \
   -c /data/gitea/conf/app.ini \
-  -f '${DUMP_REMOTE_PATH}'"
+  -f '${DUMP_CONTAINER_PATH}'"
 log_success "Dump created: ${DUMP_FILENAME}"
 
 # ---------------------------------------------------------------------------
-# Step 2: Create backup storage directory on Fedora and transfer dump
-# The dump goes from Unraid → local machine → Fedora because direct
-# Unraid→Fedora SCP may not have SSH keys set up. Using the MacBook as
-# a relay is more reliable with our existing SSH config.
+# Step 2: Transfer dump directly from Unraid to Fedora
+# Uses SSH from Unraid to SCP the file to Fedora. This avoids relaying
+# through the MacBook, which would be slow for large dumps and requires
+# the MacBook to be online.
 # ---------------------------------------------------------------------------
 log_info "Transferring dump to Fedora backup storage..."
 ssh_exec FEDORA "mkdir -p '${BACKUP_STORAGE_PATH}'"
 
-# SCP from Unraid to local temp, then to Fedora
-LOCAL_TMP=$(mktemp -d)
-scp_to_local() {
-  local ip_var="UNRAID_IP" user_var="UNRAID_SSH_USER" port_var="UNRAID_SSH_PORT"
-  local ip="${!ip_var:-}" user="${!user_var:-}" port="${!port_var:-22}"
-  scp -o ConnectTimeout=10 -o BatchMode=yes -P "$port" \
-    "${user}@${ip}:${DUMP_REMOTE_PATH}" "${LOCAL_TMP}/${DUMP_FILENAME}"
-}
-scp_to_local
-scp_to FEDORA "${LOCAL_TMP}/${DUMP_FILENAME}" "${BACKUP_STORAGE_PATH}/${DUMP_FILENAME}"
-rm -rf "$LOCAL_TMP"
+FEDORA_PORT="${FEDORA_SSH_PORT:-22}"
+ssh_exec UNRAID "scp -o ConnectTimeout=10 -o StrictHostKeyChecking=accept-new \
+  -o BatchMode=yes -P '${FEDORA_PORT}' \
+  '${DUMP_HOST_PATH}' '${FEDORA_SSH_USER}@${FEDORA_IP}:${BACKUP_STORAGE_PATH}/${DUMP_FILENAME}'"
 log_success "Dump transferred to Fedora: ${BACKUP_STORAGE_PATH}/${DUMP_FILENAME}"
 
 # ---------------------------------------------------------------------------
-# Step 3: Clean up dump from Unraid /tmp
+# Step 3: Verify archive integrity on Fedora
+# CRC-checks every file in the zip. If corrupt, set -e aborts before
+# pruning old (known-good) backups.
+# ---------------------------------------------------------------------------
+log_info "Verifying archive integrity..."
+ssh_exec FEDORA "unzip -t '${BACKUP_STORAGE_PATH}/${DUMP_FILENAME}'" >/dev/null
+log_success "Archive integrity verified"
+
+# ---------------------------------------------------------------------------
+# Step 4: Clean up dump from Unraid /tmp
 # No reason to keep the dump on Unraid — it's on Fedora now.
 # ---------------------------------------------------------------------------
-ssh_exec UNRAID "rm -f '${DUMP_REMOTE_PATH}'"
+ssh_exec UNRAID "rm -f '${DUMP_HOST_PATH}'"
 log_info "Cleaned up dump from Unraid"
 
 # ---------------------------------------------------------------------------
-# Step 4: Prune old backups beyond retention count
+# Step 5: Prune old backups beyond retention count
 # Lists all gitea-dump-*.zip files sorted by time (newest first), then
 # removes everything beyond BACKUP_RETENTION_COUNT.
 # ---------------------------------------------------------------------------
@@ -85,7 +92,7 @@ REMAINING=$(ssh_exec FEDORA "ls -1 '${BACKUP_STORAGE_PATH}'/gitea-dump-*.zip 2>/
 log_info "Backups remaining: ${REMAINING}"
 
 # ---------------------------------------------------------------------------
-# Step 5: Summary
+# Step 6: Summary
 # ---------------------------------------------------------------------------
 DUMP_SIZE=$(ssh_exec FEDORA "du -h '${BACKUP_STORAGE_PATH}/${DUMP_FILENAME}'" | awk '{print $1}')
 

backup/restore_to_primary.sh

@@ -65,7 +65,7 @@ fi
 # ---------------------------------------------------------------------------
 # Step 1: Transfer archive to Unraid /tmp if needed
 # If the archive is a local file, SCP it directly. If it's on Fedora,
-# we relay through the local machine.
+# SCP directly from Fedora to Unraid (no MacBook relay).
 # ---------------------------------------------------------------------------
 log_step 1 "Preparing archive..."
 ARCHIVE_NAME=$(basename "$ARCHIVE_PATH")
@@ -76,16 +76,13 @@ if [[ -f "$ARCHIVE_PATH" ]]; then
   log_info "Uploading local archive to Unraid..."
   scp_to UNRAID "$ARCHIVE_PATH" "$UNRAID_ARCHIVE"
 else
-  # Assume path is on Fedora — relay through local machine
+  # Assume path is on Fedora — SCP directly from Fedora to Unraid
+  require_vars FEDORA_IP FEDORA_SSH_USER UNRAID_IP UNRAID_SSH_USER
   log_info "Transferring archive from Fedora to Unraid..."
-  LOCAL_TMP=$(mktemp -d)
-  # SCP from Fedora to local
-  ip="${FEDORA_IP:-}" user="${FEDORA_SSH_USER:-}" port="${FEDORA_SSH_PORT:-22}"
-  scp -o ConnectTimeout=10 -o BatchMode=yes -P "$port" \
-    "${user}@${ip}:${ARCHIVE_PATH}" "${LOCAL_TMP}/${ARCHIVE_NAME}"
-  # SCP from local to Unraid
-  scp_to UNRAID "${LOCAL_TMP}/${ARCHIVE_NAME}" "$UNRAID_ARCHIVE"
-  rm -rf "$LOCAL_TMP"
+  UNRAID_PORT="${UNRAID_SSH_PORT:-22}"
+  ssh_exec FEDORA "scp -o ConnectTimeout=10 -o StrictHostKeyChecking=accept-new \
+    -o BatchMode=yes -P '${UNRAID_PORT}' \
+    '${ARCHIVE_PATH}' '${UNRAID_SSH_USER}@${UNRAID_IP}:${UNRAID_ARCHIVE}'"
 fi
 log_success "Archive ready on Unraid: ${UNRAID_ARCHIVE}"