privacy-in-design/gitea-migration
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
316d318b5ebb20f71bd36aea1b703136afcc6734
gitea-migration/phase9_security.sh
S dc08375ad0 fix: address multiple bugs from code review 
- teardown_all.sh: replace `yes |` pipeline with `< <(yes)` process
  substitution to avoid SIGPIPE (exit 141) false failures under pipefail
- phase6_teardown.sh: extract push mirror `.id` instead of `.remote_name`
  to match the DELETE /push_mirrors/{id} API contract
- phase5_migrate_pipelines.sh: expand sed regex from `[a-z_]*` to
  `[a-z_.]*` to handle nested GitHub contexts like
  `github.event.pull_request.number`
- lib/common.sh: render_template now requires explicit variable list to
  prevent envsubst from eating Nginx variables ($host, $proxy_add_...)
- backup scripts: remove MacBook relay, use direct Unraid↔Fedora SCP;
  fix dump path to write to /data/ (mounted volume) instead of /tmp/
  (container-only); add unzip -t integrity verification
- preflight.sh: add --skip-port-checks flag for resuming with
  --start-from (ports already bound by earlier phases)
- run_all.sh: update run_step to pass extra args; use --skip-port-checks
  when --start-from > 1
- post-checks (phase4/7/9): wrap API calls in helper functions with
  >/dev/null redirection instead of passing -o /dev/null as API data
- phase8: replace GitHub archiving with [MIRROR] description marking
  and disable wiki/projects/Pages (archived repos reject push mirrors)
- restore_to_primary.sh: add require_vars for Fedora SSH variables

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-28 20:18:35 -05:00

127 lines
5.0 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
# =============================================================================
# phase9_security.sh — Deploy security scanning workflows to all repos
# Depends on: Phase 5 complete (repos have .gitea/workflows/)
# For each repo:
# 1. Clone from Gitea to temp directory
# 2. Render security-scan.yml.tpl → .gitea/workflows/security-scan.yml
# 3. Commit and push
# 4. If SECURITY_FAIL_ON_ERROR=true, update branch protection to require
# security status checks (semgrep, trivy, gitleaks)
# The security workflow runs Semgrep (SAST), Trivy (container/dependency scan),
# and Gitleaks (secret detection) on every pull request.
# Idempotent: skips repos that already have security-scan.yml.
# =============================================================================
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
source "${SCRIPT_DIR}/lib/common.sh"
load_env
require_vars GITEA_ADMIN_TOKEN GITEA_INTERNAL_URL GITEA_ORG_NAME \
GITEA_ADMIN_USER \
REPO_1_NAME REPO_2_NAME REPO_3_NAME \
SEMGREP_VERSION TRIVY_VERSION GITLEAKS_VERSION \
SECURITY_FAIL_ON_ERROR PROTECTED_BRANCH
phase_header 9 "Security Scanning"
REPOS=("$REPO_1_NAME" "$REPO_2_NAME" "$REPO_3_NAME")
TEMP_BASE="/tmp/gitea-migration-security"
cleanup() {
rm -rf "$TEMP_BASE"
}
trap cleanup EXIT
SUCCESS=0
SKIPPED=0
FAILED=0
for repo in "${REPOS[@]}"; do
log_info "--- Processing repo: ${repo} ---"
# -------------------------------------------------------------------------
# Idempotency: check if security-scan.yml already exists via API
# -------------------------------------------------------------------------
if gitea_api GET "/repos/${GITEA_ORG_NAME}/${repo}/contents/.gitea/workflows/security-scan.yml" >/dev/null 2>&1; then
log_info "security-scan.yml already exists in ${repo} — skipping"
SKIPPED=$((SKIPPED + 1))
continue
fi
# -------------------------------------------------------------------------
# Step 1: Clone the repo
# -------------------------------------------------------------------------
CLONE_DIR="${TEMP_BASE}/${repo}"
rm -rf "$CLONE_DIR"
mkdir -p "$CLONE_DIR"
CLONE_URL=$(echo "${GITEA_INTERNAL_URL}" | sed "s|://|://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@|")
log_info "Cloning ${repo}..."
git clone -q "${CLONE_URL}/${GITEA_ORG_NAME}/${repo}.git" "$CLONE_DIR"
# -------------------------------------------------------------------------
# Step 2: Render security workflow template
# The template references tool versions from .env so they're pinned
# and reproducible across all repos.
# -------------------------------------------------------------------------
log_info "Rendering security-scan.yml..."
mkdir -p "${CLONE_DIR}/.gitea/workflows"
export SEMGREP_VERSION TRIVY_VERSION GITLEAKS_VERSION PROTECTED_BRANCH
render_template "${SCRIPT_DIR}/templates/workflows/security-scan.yml.tpl" \
"${CLONE_DIR}/.gitea/workflows/security-scan.yml" \
'${PROTECTED_BRANCH} ${SEMGREP_VERSION} ${TRIVY_VERSION} ${GITLEAKS_VERSION}'
# -------------------------------------------------------------------------
# Step 3: Commit and push
# -------------------------------------------------------------------------
cd "$CLONE_DIR"
git config user.name "Gitea Migration"
git config user.email "migration@gitea.local"
git add .gitea/workflows/security-scan.yml
git commit -q -m "Add security scanning workflow (Semgrep + Trivy + Gitleaks)"
git push -q origin HEAD
cd "$SCRIPT_DIR"
log_success "Security workflow deployed to ${repo}"
# -------------------------------------------------------------------------
# Step 4: Update branch protection to require security status checks
# Only if SECURITY_FAIL_ON_ERROR=true — this means PRs cannot be merged
# unless all three security scans pass.
# -------------------------------------------------------------------------
if [[ "$SECURITY_FAIL_ON_ERROR" == "true" ]]; then
log_info "Updating branch protection to require security checks..."
# PATCH the existing branch protection to add status check contexts
PATCH_PAYLOAD=$(jq -n '{
enable_status_check: true,
status_check_contexts: ["semgrep", "trivy", "gitleaks"]
}')
if gitea_api PATCH "/repos/${GITEA_ORG_NAME}/${repo}/branch_protections/${PROTECTED_BRANCH}" "$PATCH_PAYLOAD" >/dev/null 2>&1; then
log_success "Branch protection updated with security status checks"
else
log_warn "Could not update branch protection — may need to be set manually"
fi
fi
SUCCESS=$((SUCCESS + 1))
done
# ---------------------------------------------------------------------------
# Summary
# ---------------------------------------------------------------------------
printf '\n'
TOTAL=${#REPOS[@]}
log_info "Results: ${SUCCESS} deployed, ${SKIPPED} skipped, ${FAILED} failed (out of ${TOTAL})"
if [[ $FAILED -gt 0 ]]; then
log_error "Some repos failed — check logs above"
exit 1
fi
log_success "Phase 9 complete — security scanning deployed"
Reference in New Issue View Git Blame Copy Permalink