M2 GATE: green build via push (Drone + exec runner); OAuth bootstrap script + docs

Build #1 success (clone+hello on exec runner). Drone<->Gitea OAuth scripted as one-time bootstrap-drone-oauth.sh. M2 claimed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 23:08:38 +01:00
parent 0d89e2882a
commit e251a1177c
5 changed files with 105 additions and 8 deletions
--- a/scripts/bootstrap-drone-oauth.sh
+++ b/scripts/bootstrap-drone-oauth.sh
@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+# One-time Drone<->Gitea OAuth bootstrap (the ONLY manual post-`nixos-rebuild` step).
+#
+# Drone can only sync/clone repos once it holds the bot's Gitea OAuth token, which is granted by
+# an interactive OAuth login. This cannot be Nix-declared without putting the bot's Gitea password
+# on cc-ci, so it's a one-time operator step. The token then persists in Drone's `data` volume, so
+# reconcile redeploys keep working. Re-run only if that volume is wiped.
+#
+# Usage (run ON cc-ci, as root):
+#   GITEA_USERNAME=autonomic-bot GITEA_PASSWORD=… bash scripts/bootstrap-drone-oauth.sh
+# Optionally ACTIVATE a repo: REPO=recipe-maintainers/cc-ci (default).
+set -euo pipefail
+: "${GITEA_USERNAME:?set GITEA_USERNAME}"; : "${GITEA_PASSWORD:?set GITEA_PASSWORD}"
+GITEA="${GITEA:-https://git.autonomic.zone}"
+DRONE="${DRONE:-https://drone.ci.commoninternet.net}"
+CLIENT_ID="${CLIENT_ID:-ab4cdb9d-ee96-4867-875f-87384505fc52}"
+REPO="${REPO:-recipe-maintainers/cc-ci}"
+RES=(--resolve "drone.ci.commoninternet.net:443:127.0.0.1")
+export PATH=/run/current-system/sw/bin:"$PATH"
+
+cj=$(mktemp); dj=$(mktemp); az=$(mktemp)
+trap 'rm -f "$cj" "$dj" "$az"' EXIT
+
+# 1) Gitea web login (CSRF cookie -> form field).
+curl -s -c "$cj" "$GITEA/user/login" -o /dev/null
+gcsrf=$(awk '/_csrf/{v=$NF} END{print v}' "$cj")
+curl -s -b "$cj" -c "$cj" -o /dev/null \
+  --data-urlencode "_csrf=$gcsrf" \
+  --data-urlencode "user_name=$GITEA_USERNAME" \
+  --data-urlencode "password=$GITEA_PASSWORD" \
+  "$GITEA/user/login"
+
+# 2) Drone /login -> Gitea authorize URL.
+loc=$(curl -sk -c "$dj" -o /dev/null -D - "${RES[@]}" "$DRONE/login" \
+  | awk 'tolower($1)=="location:"{print $2}' | tr -d '\r')
+curl -sk -b "$cj" -c "$cj" -o "$az" "$loc"
+
+# 3) Grant consent -> code callback -> complete Drone login (sets Drone session).
+acsrf=$(grep -oE 'name="_csrf" value="[^"]*"' "$az" | head -1 | sed -E 's/.*value="([^"]*)".*/\1/')
+state=$(grep -oE 'name="state" value="[^"]*"' "$az" | head -1 | sed -E 's/.*value="([^"]*)".*/\1/')
+cb=$(curl -sk -b "$cj" -c "$cj" -o /dev/null -D - \
+  --data-urlencode "_csrf=$acsrf" --data-urlencode "client_id=$CLIENT_ID" \
+  --data-urlencode "state=$state" --data-urlencode "scope=" --data-urlencode "nonce=" \
+  --data-urlencode "redirect_uri=$DRONE/login" --data-urlencode "granted=true" \
+  "$GITEA/login/oauth/grant" | awk 'tolower($1)=="location:"{print $2}' | tr -d '\r')
+curl -sk -b "$dj" -c "$dj" -o /dev/null -L "${RES[@]}" "$cb"
+
+# 4) Verify + sync + activate the repo.
+admin=$(curl -sk -b "$dj" "${RES[@]}" "$DRONE/api/user" | jq -r '.admin')
+echo "drone login ok (admin=$admin)"
+curl -sk -b "$dj" "${RES[@]}" "$DRONE/api/user/repos?latest=true" >/dev/null
+active=$(curl -sk -b "$dj" "${RES[@]}" -X POST "$DRONE/api/repos/$REPO" | jq -r '.active')
+echo "repo $REPO active=$active"