Improve script to prevent leaking sensitive tokens
Sanitize remote URLs to prevent token leaks and automatically inject GITEA_TOKEN into push URLs.
This commit is contained in:
@@ -39,11 +39,20 @@ if [[ -z "$GITEA_REMOTE_URL" ]]; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Strip any embedded "user:token@" so we never echo credentials. Used for
|
||||
# all human-facing prints; the real $GITEA_REMOTE_URL (with token) is still
|
||||
# what gets handed to git for the actual push.
|
||||
sanitize_url() {
|
||||
# shellcheck disable=SC2001
|
||||
echo "$1" | sed -E 's#^(https?://)[^/@]+@#\1#'
|
||||
}
|
||||
SAFE_REMOTE_URL="$(sanitize_url "$GITEA_REMOTE_URL")"
|
||||
|
||||
echo "================================================================"
|
||||
echo " Publish-to-Gitea — sanitized history mirror"
|
||||
echo "----------------------------------------------------------------"
|
||||
echo " Source repo: $REPO_ROOT"
|
||||
echo " Target remote: $GITEA_REMOTE_URL"
|
||||
echo " Target remote: $SAFE_REMOTE_URL"
|
||||
echo " Target branch: $GITEA_BRANCH"
|
||||
echo " New author: $AUTHOR_NAME <$AUTHOR_EMAIL>"
|
||||
echo " Mode: $([[ $PUSH == 1 ]] && echo 'PUSH (will force-push)' || echo 'DRY RUN (no push)')"
|
||||
@@ -133,12 +142,20 @@ echo " git --git-dir=$MIRROR log --all --stat | less"
|
||||
echo
|
||||
|
||||
if [[ $PUSH -eq 1 ]]; then
|
||||
echo "Force-pushing branch '$GITEA_BRANCH' to $GITEA_REMOTE_URL ..."
|
||||
git --git-dir="$MIRROR" remote add gitea "$GITEA_REMOTE_URL" 2>/dev/null || \
|
||||
git --git-dir="$MIRROR" remote set-url gitea "$GITEA_REMOTE_URL"
|
||||
# Auto-inject GITEA_TOKEN into the push URL if the remote is https://
|
||||
# and has no credentials already. Keeps the token out of any echoed
|
||||
# output: $PUSH_URL is only ever passed to git, never printed.
|
||||
PUSH_URL="$GITEA_REMOTE_URL"
|
||||
if [[ -n "${GITEA_TOKEN:-}" && "$PUSH_URL" =~ ^https?:// && ! "$PUSH_URL" =~ @ ]]; then
|
||||
PUSH_USER="${GITEA_USERNAME:-rafraa}"
|
||||
PUSH_URL="$(echo "$PUSH_URL" | sed -E "s#^(https?://)#\1${PUSH_USER}:${GITEA_TOKEN}@#")"
|
||||
fi
|
||||
echo "Force-pushing branch '$GITEA_BRANCH' to $SAFE_REMOTE_URL ..."
|
||||
git --git-dir="$MIRROR" remote add gitea "$PUSH_URL" 2>/dev/null || \
|
||||
git --git-dir="$MIRROR" remote set-url gitea "$PUSH_URL"
|
||||
git --git-dir="$MIRROR" push --force gitea "HEAD:refs/heads/$GITEA_BRANCH"
|
||||
echo
|
||||
echo "Done. Open $GITEA_REMOTE_URL to verify."
|
||||
echo "Done. Open $SAFE_REMOTE_URL to verify."
|
||||
else
|
||||
echo "DRY RUN complete — nothing was pushed."
|
||||
echo "Re-run with --push to publish: ./scripts/publish-to-gitea.sh --push"
|
||||
|
||||
Reference in New Issue
Block a user