From 0d8adba8c3811e33a81f12c40a93f82732607e51 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Fri, 10 Jul 2026 17:27:17 +0000 Subject: [PATCH] fix(mirror-sync): push over SSH, not oauth2:token HTTP (B-redfix-9 root cause) The token embedded in the recipe clone's gitea remote was copytree'd into the world-readable per-run tree. SSH push keys the auth to ~/.ssh, so no secret is written into any .git/config. API calls still use the token. --- scripts/recipe-mirror-sync.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/recipe-mirror-sync.sh b/scripts/recipe-mirror-sync.sh index 2f3baf8..1f1182a 100755 --- a/scripts/recipe-mirror-sync.sh +++ b/scripts/recipe-mirror-sync.sh @@ -36,7 +36,10 @@ RECIPE_DIR="${HOME}/.abra/recipes/${RECIPE}" } TOKEN="$(tr -d '[:space:]' <"${TOKEN_FILE}")" API="https://${GITEA_HOST}/api/v1" -MIRROR_PUSH="https://oauth2:${TOKEN}@${GITEA_HOST}/${NAMESPACE}/${RECIPE}.git" +# Push over SSH (git@:2222, key in ~/.ssh) so no credential is ever written into the recipe +# clone's .git/config — that config gets copytree'd into the world-readable per-run tree +# (CCCI_SKIP_FETCH staging), which previously leaked the token. API still uses the token below. +MIRROR_PUSH="git@${GITEA_HOST}:${NAMESPACE}/${RECIPE}.git" auth=(-H "Authorization: token ${TOKEN}") # Ensure the recipe is cloned (abra recipe fetch clones from the catalogue → upstream).