privacy-in-design/gitea-migration
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
720197bb10b56d74deb28f4c110897054273dc72
gitea-migration/phase9_post_check.sh
S ea5524949a feat: add Phase 9 — Security Scanning 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 15:30:38 -06:00

69 lines
2.2 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
# =============================================================================
# phase9_post_check.sh — Verify Phase 9 (Security Scanning) succeeded
# Checks for each repo:
# 1. security-scan.yml exists in .gitea/workflows/
# 2. If SECURITY_FAIL_ON_ERROR=true, branch protection includes security checks
# Exits 0 only if ALL checks pass.
# =============================================================================
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
source "${SCRIPT_DIR}/lib/common.sh"
load_env
require_vars GITEA_ADMIN_TOKEN GITEA_INTERNAL_URL GITEA_ORG_NAME \
REPO_1_NAME REPO_2_NAME REPO_3_NAME \
SECURITY_FAIL_ON_ERROR PROTECTED_BRANCH
log_info "=== Phase 9 Post-Check ==="
REPOS=("$REPO_1_NAME" "$REPO_2_NAME" "$REPO_3_NAME")
PASS=0
FAIL=0
run_check() {
local description="$1"; shift
if "$@" 2>/dev/null; then
log_success "$description"
PASS=$((PASS + 1))
else
log_error "FAIL: $description"
FAIL=$((FAIL + 1))
fi
}
for repo in "${REPOS[@]}"; do
log_info "--- Checking repo: ${repo} ---"
# Check 1: security-scan.yml exists
run_check "security-scan.yml exists in ${repo}" \
gitea_api GET "/repos/${GITEA_ORG_NAME}/${repo}/contents/.gitea/workflows/security-scan.yml" -o /dev/null
# Check 2: Branch protection includes security checks (if required)
if [[ "$SECURITY_FAIL_ON_ERROR" == "true" ]]; then
check_status_checks() {
local protection
protection=$(gitea_api GET "/repos/${GITEA_ORG_NAME}/$1/branch_protections/${PROTECTED_BRANCH}")
local contexts
contexts=$(printf '%s' "$protection" | jq -r '.status_check_contexts // [] | join(",")')
# Verify all three security checks are present
[[ "$contexts" == *"semgrep"* ]] && [[ "$contexts" == *"trivy"* ]] && [[ "$contexts" == *"gitleaks"* ]]
}
run_check "Branch protection includes security checks for ${repo}" check_status_checks "$repo"
fi
done
# Summary
printf '\n'
log_info "Results: ${PASS} passed, ${FAIL} failed"
if [[ $FAIL -gt 0 ]]; then
log_error "Phase 9 post-check FAILED"
exit 1
else
log_success "Phase 9 post-check PASSED — security scanning active"
exit 0
fi
Reference in New Issue View Git Blame Copy Permalink