fix(mirror-sync): push over SSH, not oauth2:token HTTP (B-redfix-9 root cause)
Some checks failed
continuous-integration/drone/push Build is failing
Some checks failed
continuous-integration/drone/push Build is failing
The token embedded in the recipe clone's gitea remote was copytree'd into the world-readable per-run tree. SSH push keys the auth to ~/.ssh, so no secret is written into any .git/config. API calls still use the token.
This commit is contained in:
@ -36,7 +36,10 @@ RECIPE_DIR="${HOME}/.abra/recipes/${RECIPE}"
|
||||
}
|
||||
TOKEN="$(tr -d '[:space:]' <"${TOKEN_FILE}")"
|
||||
API="https://${GITEA_HOST}/api/v1"
|
||||
MIRROR_PUSH="https://oauth2:${TOKEN}@${GITEA_HOST}/${NAMESPACE}/${RECIPE}.git"
|
||||
# Push over SSH (git@:2222, key in ~/.ssh) so no credential is ever written into the recipe
|
||||
# clone's .git/config — that config gets copytree'd into the world-readable per-run tree
|
||||
# (CCCI_SKIP_FETCH staging), which previously leaked the token. API still uses the token below.
|
||||
MIRROR_PUSH="git@${GITEA_HOST}:${NAMESPACE}/${RECIPE}.git"
|
||||
auth=(-H "Authorization: token ${TOKEN}")
|
||||
|
||||
# Ensure the recipe is cloned (abra recipe fetch clones from the catalogue → upstream).
|
||||
|
||||
Reference in New Issue
Block a user