recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues 1 Pull Requests 3 Actions Packages Projects Releases Wiki Activity
Files
9b2ce09a67bf21d1f3dbc48020250bb12e493ea8
cc-ci/scripts/bootstrap-drone-oauth.sh
autonomic-bot 2cede01ed7 style(1b): auto-format + lint-clean the whole codebase (RL1) 
Mechanical, semantics-preserving cleanup so the codebase passes the new lint stage:
- ruff format: all 32 Python files (wraps long signatures, normalizes quotes/blank lines).
- nixpkgs-fmt: modules/drone-runner.nix.
- shfmt (-i 2 -ci): scripts/*.sh.

Lint fixes (reviewed, behavior-preserving — no test weakened):
- ruff SIM105: try/except-pass -> contextlib.suppress (abra.py app_config rm; lifecycle.py janitor).
- ruff SIM115: open().read() -> with open() (run_recipe_ci.py redaction-values + gitea-token).
- statix: merge repeated sops `secrets.*` keys into one `secrets = { ... }` (comments kept);
  empty fn pattern `{ ... }:` -> `_:` (packages.nix).
- deadnix: drop unused lambda args (flake `self`; configuration.nix `lib`; overlay `final` -> `_`).

Verified on cc-ci: `scripts/lint.sh` -> lint: PASS; nixosConfigurations.cc-ci evaluates;
all Python byte-compiles. The deployed bridge/dashboard/runner source changes hash (reformat),
so cc-ci will be rebuilt to the new closure in W2 before the cold D1-D10 re-verification.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 20:52:05 +01:00

64 lines
3.1 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
# One-time Drone<->Gitea OAuth bootstrap (the ONLY manual post-`nixos-rebuild` step).
#
# Drone can only sync/clone repos once it holds the bot's Gitea OAuth token, which is granted by
# an interactive OAuth login. This cannot be Nix-declared without putting the bot's Gitea password
# on cc-ci, so it's a one-time operator step. The token then persists in Drone's `data` volume, so
# reconcile redeploys keep working. Re-run only if that volume is wiped.
#
# Usage (run ON cc-ci, as root):
# GITEA_USERNAME=autonomic-bot GITEA_PASSWORD=… bash scripts/bootstrap-drone-oauth.sh
# Optionally ACTIVATE a repo: REPO=recipe-maintainers/cc-ci (default).
set -euo pipefail
: "${GITEA_USERNAME:?set GITEA_USERNAME}"
: "${GITEA_PASSWORD:?set GITEA_PASSWORD}"
GITEA="${GITEA:-https://git.autonomic.zone}"
DRONE="${DRONE:-https://drone.ci.commoninternet.net}"
CLIENT_ID="${CLIENT_ID:-ab4cdb9d-ee96-4867-875f-87384505fc52}"
REPO="${REPO:-recipe-maintainers/cc-ci}"
RES=(--resolve "drone.ci.commoninternet.net:443:127.0.0.1")
export PATH=/run/current-system/sw/bin:"$PATH"
cj=$(mktemp)
dj=$(mktemp)
az=$(mktemp)
trap 'rm -f "$cj" "$dj" "$az"' EXIT
# 1) Gitea web login (CSRF cookie -> form field).
curl -s -c "$cj" "$GITEA/user/login" -o /dev/null
gcsrf=$(awk '/_csrf/{v=$NF} END{print v}' "$cj")
curl -s -b "$cj" -c "$cj" -o /dev/null \
--data-urlencode "_csrf=$gcsrf" \
--data-urlencode "user_name=$GITEA_USERNAME" \
--data-urlencode "password=$GITEA_PASSWORD" \
"$GITEA/user/login"
# 2) Drone /login -> Gitea authorize URL.
loc=$(curl -sk -c "$dj" -o /dev/null -D - "${RES[@]}" "$DRONE/login" |
awk 'tolower($1)=="location:"{print $2}' | tr -d '\r')
azh=$(mktemp)
trap 'rm -f "$cj" "$dj" "$az" "$azh"' EXIT
curl -sk -b "$cj" -c "$cj" -o "$az" -D "$azh" "$loc"
# 3) Either the OAuth app auto-approves (bot already granted it earlier => Gitea 302s straight to the
# code callback, no consent form) or it shows a consent form we must POST. Handle both.
cb=$(awk 'tolower($1)=="location:"{print $2}' "$azh" | tr -d '\r')
if [ -z "$cb" ]; then
acsrf=$(grep -oE 'name="_csrf" value="[^"]*"' "$az" | head -1 | sed -E 's/.*value="([^"]*)".*/\1/')
state=$(grep -oE 'name="state" value="[^"]*"' "$az" | head -1 | sed -E 's/.*value="([^"]*)".*/\1/')
cb=$(curl -sk -b "$cj" -c "$cj" -o /dev/null -D - \
--data-urlencode "_csrf=$acsrf" --data-urlencode "client_id=$CLIENT_ID" \
--data-urlencode "state=$state" --data-urlencode "scope=" --data-urlencode "nonce=" \
--data-urlencode "redirect_uri=$DRONE/login" --data-urlencode "granted=true" \
"$GITEA/login/oauth/grant" | awk 'tolower($1)=="location:"{print $2}' | tr -d '\r')
fi
# code callback -> complete Drone login (sets Drone session + persists the token in Drone's volume).
curl -sk -b "$dj" -c "$dj" -o /dev/null -L "${RES[@]}" "$cb"
# 4) Verify + sync + activate the repo.
admin=$(curl -sk -b "$dj" "${RES[@]}" "$DRONE/api/user" | jq -r '.admin')
echo "drone login ok (admin=$admin)"
curl -sk -b "$dj" "${RES[@]}" "$DRONE/api/user/repos?latest=true" >/dev/null
active=$(curl -sk -b "$dj" "${RES[@]}" -X POST "$DRONE/api/repos/$REPO" | jq -r '.active')
echo "repo $REPO active=$active"
Reference in New Issue View Git Blame Copy Permalink