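#!/usr/bin/env bash
set -euo pipefail
# =============================================================================
# phase9_teardown.sh — Remove security scanning workflows from all repos
# Also removes security status checks from branch protection if they were added.
# Clones each repo, removes security-scan.yml, commits + pushes.
#
# Required env (loaded via lib/common.sh `load_env`):
#   GITEA_ADMIN_TOKEN, GITEA_INTERNAL_URL, GITEA_ORG_NAME, GITEA_ADMIN_USER,
#   REPO_NAMES (space-separated repo names), PROTECTED_BRANCH
# Helpers from lib/common.sh: load_env, require_vars, gitea_api,
#   log_info, log_warn, log_success
# =============================================================================
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
# shellcheck source=lib/common.sh
source "${SCRIPT_DIR}/lib/common.sh"

load_env
require_vars GITEA_ADMIN_TOKEN GITEA_INTERNAL_URL GITEA_ORG_NAME \
  GITEA_ADMIN_USER \
  REPO_NAMES \
  PROTECTED_BRANCH

log_warn "=== Phase 9 Teardown: Security Scanning ==="

read -ra REPOS <<< "$REPO_NAMES"
# Unpredictable, mode-0700 work dir. The previous fixed /tmp path could be
# pre-created or symlinked by another local user before this script ran and
# would then receive cloned repo contents (and be rm -rf'd at exit).
TEMP_BASE="$(mktemp -d)"
readonly TEMP_BASE
GITEA_BASE_URL="${GITEA_INTERNAL_URL%/}"
readonly GITEA_BASE_URL
readonly WORKFLOW_PATH=".gitea/workflows/security-scan.yml"
ASKPASS_SCRIPT=""

#######################################
# Remove the work dir and the askpass helper. Runs on every exit path.
# Globals:   TEMP_BASE (read), ASKPASS_SCRIPT (read)
#######################################
cleanup() {
  # ${TEMP_BASE:?} aborts rather than running "rm -rf" on an empty path.
  rm -rf -- "${TEMP_BASE:?}"
  if [[ -n "$ASKPASS_SCRIPT" ]]; then
    rm -f -- "$ASKPASS_SCRIPT"
  fi
}
trap cleanup EXIT

#######################################
# Write a GIT_ASKPASS helper that answers git's username/password prompts
# from GITEA_GIT_USERNAME / GITEA_GIT_TOKEN. Credentials are passed through
# the environment, so they never appear on a command line.
# Globals:   ASKPASS_SCRIPT (written)
#######################################
setup_git_auth() {
  ASKPASS_SCRIPT=$(mktemp)
  cat > "$ASKPASS_SCRIPT" <<'EOF'
#!/usr/bin/env sh
case "$1" in
  *sername*) printf '%s\n' "$GITEA_GIT_USERNAME" ;;
  *assword*) printf '%s\n' "$GITEA_GIT_TOKEN" ;;
  *) printf '\n' ;;
esac
EOF
  chmod 700 "$ASKPASS_SCRIPT"
}

#######################################
# Run a command with non-interactive git auth wired to the askpass helper.
# Globals:   ASKPASS_SCRIPT, GITEA_ADMIN_USER, GITEA_ADMIN_TOKEN (read)
# Arguments: the command and its arguments
# Returns:   the command's exit status
#######################################
git_with_auth() {
  GIT_TERMINAL_PROMPT=0 \
  GIT_ASKPASS="$ASKPASS_SCRIPT" \
  GITEA_GIT_USERNAME="$GITEA_ADMIN_USER" \
  GITEA_GIT_TOKEN="$GITEA_ADMIN_TOKEN" \
  "$@"
}

#######################################
# Clone a repo into the work dir, delete the security workflow file if it is
# present, commit and push. A failing clone/commit/push aborts the script
# (set -e), matching the previous behaviour.
# Globals:   TEMP_BASE, GITEA_BASE_URL, GITEA_ORG_NAME, WORKFLOW_PATH (read)
# Arguments: $1 - repository name
# Returns:   0 on success; non-zero (and script exit) on git failure
#######################################
remove_workflow_file() {
  local repo=$1
  local clone_dir="${TEMP_BASE}/${repo}"
  local repo_url="${GITEA_BASE_URL}/${GITEA_ORG_NAME}/${repo}.git"

  rm -rf -- "$clone_dir"
  git_with_auth git clone -q "$repo_url" "$clone_dir"

  if [[ -f "${clone_dir}/${WORKFLOW_PATH}" ]]; then
    rm -f -- "${clone_dir}/${WORKFLOW_PATH}"
    (
      cd "$clone_dir"
      git config user.name "Gitea Migration"
      git config user.email "migration@gitea.local"
      git add -A
      git commit -q -m "Remove security scanning workflow (teardown)"
      git_with_auth git push -q origin HEAD
    )
    log_success "Removed security-scan.yml from ${repo}"
  fi
}

#######################################
# Reset required status checks on the protected branch of a repo.
# NOTE(review): the payload clears *all* status_check_contexts, not only
# those the security workflow registered — any other required checks on
# PROTECTED_BRANCH are dropped as well. Narrowing this needs the context
# names that the phase 9 setup added, which this script does not record.
# Globals:   GITEA_ORG_NAME, PROTECTED_BRANCH (read)
# Arguments: $1 - repository name
# Returns:   0 always; an API failure is logged, not fatal
#######################################
clear_status_checks() {
  local repo=$1
  local patch_payload
  patch_payload=$(jq -n '{status_check_contexts: []}')

  # Previously the failure was swallowed (|| true) and success was logged
  # regardless; now a failed PATCH is reported so it can be fixed by hand.
  if gitea_api PATCH "/repos/${GITEA_ORG_NAME}/${repo}/branch_protections/${PROTECTED_BRANCH}" "$patch_payload" >/dev/null 2>&1; then
    log_info "Cleared security status checks from branch protection for ${repo}"
  else
    log_warn "Could not update branch protection for ${repo}/${PROTECTED_BRANCH} — check it manually"
  fi
}

printf 'This will remove security-scan.yml from all repos. Continue? [y/N] '
read -r confirm
if [[ ! "$confirm" =~ ^[Yy]$ ]]; then
  log_info "Teardown cancelled"
  exit 0
fi

setup_git_auth

for repo in "${REPOS[@]}"; do
  log_info "--- Processing: ${repo} ---"

  # Skip the clone when the workflow file is not in the repo.
  # NOTE(review): any gitea_api failure (not just "not found") lands here and
  # is reported as "already clean"; an API outage silently skips the repo.
  if ! gitea_api GET "/repos/${GITEA_ORG_NAME}/${repo}/contents/${WORKFLOW_PATH}" >/dev/null 2>&1; then
    log_info "No security-scan.yml in ${repo} — already clean"
    continue
  fi

  remove_workflow_file "$repo"
  clear_status_checks "$repo"
done

log_success "Phase 9 teardown complete"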