100 lines
3.0 KiB
Bash
Executable File
100 lines
3.0 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
# =============================================================================
|
|
# phase9_teardown.sh — Remove security scanning workflows from all repos
|
|
# Also removes security status checks from branch protection if they were added.
|
|
# Clones each repo, removes security-scan.yml, commits + pushes.
|
|
# =============================================================================
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
|
source "${SCRIPT_DIR}/lib/common.sh"
|
|
|
|
load_env
|
|
require_vars GITEA_ADMIN_TOKEN GITEA_INTERNAL_URL GITEA_ORG_NAME \
|
|
GITEA_ADMIN_USER \
|
|
REPO_1_NAME REPO_2_NAME REPO_3_NAME \
|
|
PROTECTED_BRANCH
|
|
|
|
log_warn "=== Phase 9 Teardown: Security Scanning ==="
|
|
|
|
REPOS=("$REPO_1_NAME" "$REPO_2_NAME" "$REPO_3_NAME")
|
|
TEMP_BASE="/tmp/gitea-migration-security-teardown"
|
|
GITEA_BASE_URL="${GITEA_INTERNAL_URL%/}"
|
|
ASKPASS_SCRIPT=""
|
|
|
|
cleanup() {
|
|
rm -rf "$TEMP_BASE"
|
|
if [[ -n "$ASKPASS_SCRIPT" ]]; then
|
|
rm -f "$ASKPASS_SCRIPT"
|
|
fi
|
|
}
|
|
trap cleanup EXIT
|
|
|
|
setup_git_auth() {
|
|
ASKPASS_SCRIPT=$(mktemp)
|
|
cat > "$ASKPASS_SCRIPT" <<'EOF'
|
|
#!/usr/bin/env sh
|
|
case "$1" in
|
|
*sername*) printf '%s\n' "$GITEA_GIT_USERNAME" ;;
|
|
*assword*) printf '%s\n' "$GITEA_GIT_TOKEN" ;;
|
|
*) printf '\n' ;;
|
|
esac
|
|
EOF
|
|
chmod 700 "$ASKPASS_SCRIPT"
|
|
}
|
|
|
|
git_with_auth() {
|
|
GIT_TERMINAL_PROMPT=0 \
|
|
GIT_ASKPASS="$ASKPASS_SCRIPT" \
|
|
GITEA_GIT_USERNAME="$GITEA_ADMIN_USER" \
|
|
GITEA_GIT_TOKEN="$GITEA_ADMIN_TOKEN" \
|
|
"$@"
|
|
}
|
|
|
|
printf 'This will remove security-scan.yml from all repos. Continue? [y/N] '
|
|
read -r confirm
|
|
if [[ ! "$confirm" =~ ^[Yy]$ ]]; then
|
|
log_info "Teardown cancelled"
|
|
exit 0
|
|
fi
|
|
|
|
setup_git_auth
|
|
|
|
for repo in "${REPOS[@]}"; do
|
|
log_info "--- Processing: ${repo} ---"
|
|
|
|
# Check if security-scan.yml exists before cloning
|
|
if ! gitea_api GET "/repos/${GITEA_ORG_NAME}/${repo}/contents/.gitea/workflows/security-scan.yml" >/dev/null 2>&1; then
|
|
log_info "No security-scan.yml in ${repo} — already clean"
|
|
continue
|
|
fi
|
|
|
|
# Clone, remove, commit, push
|
|
CLONE_DIR="${TEMP_BASE}/${repo}"
|
|
rm -rf "$CLONE_DIR"
|
|
|
|
REPO_URL="${GITEA_BASE_URL}/${GITEA_ORG_NAME}/${repo}.git"
|
|
git_with_auth git clone -q "$REPO_URL" "$CLONE_DIR"
|
|
|
|
if [[ -f "${CLONE_DIR}/.gitea/workflows/security-scan.yml" ]]; then
|
|
rm -f "${CLONE_DIR}/.gitea/workflows/security-scan.yml"
|
|
cd "$CLONE_DIR"
|
|
git config user.name "Gitea Migration"
|
|
git config user.email "migration@gitea.local"
|
|
git add -A
|
|
git commit -q -m "Remove security scanning workflow (teardown)"
|
|
git_with_auth git push -q origin HEAD
|
|
cd "$SCRIPT_DIR"
|
|
log_success "Removed security-scan.yml from ${repo}"
|
|
fi
|
|
|
|
# Remove security status checks from branch protection
|
|
# Reset to empty status check contexts
|
|
PATCH_PAYLOAD=$(jq -n '{status_check_contexts: []}')
|
|
gitea_api PATCH "/repos/${GITEA_ORG_NAME}/${repo}/branch_protections/${PROTECTED_BRANCH}" "$PATCH_PAYLOAD" >/dev/null 2>&1 || true
|
|
log_info "Cleared security status checks from branch protection for ${repo}"
|
|
done
|
|
|
|
log_success "Phase 9 teardown complete"
|