fix(mirror-sync): push over SSH, not oauth2:token HTTP (B-redfix-9 root cause)
Some checks failed
continuous-integration/drone/push Build is failing

The token embedded in the recipe clone's gitea remote was copytree'd into the
world-readable per-run tree. SSH push keys the auth to ~/.ssh, so no secret is
written into any .git/config. API calls still use the token.
This commit is contained in:
2026-07-10 17:27:17 +00:00
parent 88ecbab4f3
commit 0d8adba8c3

View File

@ -36,7 +36,10 @@ RECIPE_DIR="${HOME}/.abra/recipes/${RECIPE}"
}
TOKEN="$(tr -d '[:space:]' <"${TOKEN_FILE}")"
API="https://${GITEA_HOST}/api/v1"
MIRROR_PUSH="https://oauth2:${TOKEN}@${GITEA_HOST}/${NAMESPACE}/${RECIPE}.git"
# Push over SSH (git@:2222, key in ~/.ssh) so no credential is ever written into the recipe
# clone's .git/config — that config gets copytree'd into the world-readable per-run tree
# (CCCI_SKIP_FETCH staging), which previously leaked the token. API still uses the token below.
MIRROR_PUSH="git@${GITEA_HOST}:${NAMESPACE}/${RECIPE}.git"
auth=(-H "Authorization: token ${TOKEN}")
# Ensure the recipe is cloned (abra recipe fetch clones from the catalogue → upstream).