dc08375ad0
- teardown_all.sh: replace `yes |` pipeline with `< <(yes)` process
substitution to avoid SIGPIPE (exit 141) false failures under pipefail
- phase6_teardown.sh: extract push mirror `.id` instead of `.remote_name`
to match the DELETE /push_mirrors/{id} API contract
- phase5_migrate_pipelines.sh: expand sed regex from `[a-z_]*` to
`[a-z_.]*` to handle nested GitHub contexts like
`github.event.pull_request.number`
- lib/common.sh: render_template now requires explicit variable list to
prevent envsubst from eating Nginx variables ($host, $proxy_add_...)
- backup scripts: remove MacBook relay, use direct Unraid↔Fedora SCP;
fix dump path to write to /data/ (mounted volume) instead of /tmp/
(container-only); add unzip -t integrity verification
- preflight.sh: add --skip-port-checks flag for resuming with
--start-from (ports already bound by earlier phases)
- run_all.sh: update run_step to pass extra args; use --skip-port-checks
when --start-from > 1
- post-checks (phase4/7/9): wrap API calls in helper functions with
>/dev/null redirection instead of passing -o /dev/null as API data
- phase8: replace GitHub archiving with [MIRROR] description marking
and disable wiki/projects/Pages (archived repos reject push mirrors)
- restore_to_primary.sh: add require_vars for Fedora SSH variables
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
71 lines
2.2 KiB
Bash
Executable File
71 lines
2.2 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
# =============================================================================
|
|
# phase9_post_check.sh — Verify Phase 9 (Security Scanning) succeeded
|
|
# Checks for each repo:
|
|
# 1. security-scan.yml exists in .gitea/workflows/
|
|
# 2. If SECURITY_FAIL_ON_ERROR=true, branch protection includes security checks
|
|
# Exits 0 only if ALL checks pass.
|
|
# =============================================================================
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
|
source "${SCRIPT_DIR}/lib/common.sh"
|
|
|
|
load_env
|
|
require_vars GITEA_ADMIN_TOKEN GITEA_INTERNAL_URL GITEA_ORG_NAME \
|
|
REPO_1_NAME REPO_2_NAME REPO_3_NAME \
|
|
SECURITY_FAIL_ON_ERROR PROTECTED_BRANCH
|
|
|
|
log_info "=== Phase 9 Post-Check ==="
|
|
|
|
REPOS=("$REPO_1_NAME" "$REPO_2_NAME" "$REPO_3_NAME")
|
|
PASS=0
|
|
FAIL=0
|
|
|
|
run_check() {
|
|
local description="$1"; shift
|
|
if "$@" 2>/dev/null; then
|
|
log_success "$description"
|
|
PASS=$((PASS + 1))
|
|
else
|
|
log_error "FAIL: $description"
|
|
FAIL=$((FAIL + 1))
|
|
fi
|
|
}
|
|
|
|
for repo in "${REPOS[@]}"; do
|
|
log_info "--- Checking repo: ${repo} ---"
|
|
|
|
# Check 1: security-scan.yml exists
|
|
check_workflow_exists() {
|
|
gitea_api GET "/repos/${GITEA_ORG_NAME}/$1/contents/.gitea/workflows/security-scan.yml" >/dev/null
|
|
}
|
|
run_check "security-scan.yml exists in ${repo}" check_workflow_exists "$repo"
|
|
|
|
# Check 2: Branch protection includes security checks (if required)
|
|
if [[ "$SECURITY_FAIL_ON_ERROR" == "true" ]]; then
|
|
check_status_checks() {
|
|
local protection
|
|
protection=$(gitea_api GET "/repos/${GITEA_ORG_NAME}/$1/branch_protections/${PROTECTED_BRANCH}")
|
|
local contexts
|
|
contexts=$(printf '%s' "$protection" | jq -r '.status_check_contexts // [] | join(",")')
|
|
# Verify all three security checks are present
|
|
[[ "$contexts" == *"semgrep"* ]] && [[ "$contexts" == *"trivy"* ]] && [[ "$contexts" == *"gitleaks"* ]]
|
|
}
|
|
run_check "Branch protection includes security checks for ${repo}" check_status_checks "$repo"
|
|
fi
|
|
done
|
|
|
|
# Summary
|
|
printf '\n'
|
|
log_info "Results: ${PASS} passed, ${FAIL} failed"
|
|
|
|
if [[ $FAIL -gt 0 ]]; then
|
|
log_error "Phase 9 post-check FAILED"
|
|
exit 1
|
|
else
|
|
log_success "Phase 9 post-check PASSED — security scanning active"
|
|
exit 0
|
|
fi
|