Improve script to prevent leaking sensitive tokens

Sanitize remote URLs to prevent token leaks and automatically inject GITEA_TOKEN into push URLs.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 77cfe984-2c65-4152-bb7a-0df28274fe66
Replit-Commit-Checkpoint-Type: full_checkpoint
Replit-Commit-Event-Id: db8b7fbd-83f8-4911-a71a-e6e5b6f8f1fd
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/c3c252e4-c83d-40ca-9fff-99a3ea60701e/77cfe984-2c65-4152-bb7a-0df28274fe66/eDmI6vt
Replit-Helium-Checkpoint-Created: true
This commit is contained in:
riyadhafraa
2026-05-19 12:25:17 +00:00
parent 297f445ab9
commit a85baa33f7
+22 -5
View File
@@ -39,11 +39,20 @@ if [[ -z "$GITEA_REMOTE_URL" ]]; then
exit 1
fi
# Strip any embedded "user:token@" so we never echo credentials. Used for
# all human-facing prints; the real $GITEA_REMOTE_URL (with token) is still
# what gets handed to git for the actual push.
sanitize_url() {
# shellcheck disable=SC2001
echo "$1" | sed -E 's#^(https?://)[^/@]+@#\1#'
}
SAFE_REMOTE_URL="$(sanitize_url "$GITEA_REMOTE_URL")"
echo "================================================================"
echo " Publish-to-Gitea — sanitized history mirror"
echo "----------------------------------------------------------------"
echo " Source repo: $REPO_ROOT"
echo " Target remote: $GITEA_REMOTE_URL"
echo " Target remote: $SAFE_REMOTE_URL"
echo " Target branch: $GITEA_BRANCH"
echo " New author: $AUTHOR_NAME <$AUTHOR_EMAIL>"
echo " Mode: $([[ $PUSH == 1 ]] && echo 'PUSH (will force-push)' || echo 'DRY RUN (no push)')"
@@ -133,12 +142,20 @@ echo " git --git-dir=$MIRROR log --all --stat | less"
echo
if [[ $PUSH -eq 1 ]]; then
echo "Force-pushing branch '$GITEA_BRANCH' to $GITEA_REMOTE_URL ..."
git --git-dir="$MIRROR" remote add gitea "$GITEA_REMOTE_URL" 2>/dev/null || \
git --git-dir="$MIRROR" remote set-url gitea "$GITEA_REMOTE_URL"
# Auto-inject GITEA_TOKEN into the push URL if the remote is https://
# and has no credentials already. Keeps the token out of any echoed
# output: $PUSH_URL is only ever passed to git, never printed.
PUSH_URL="$GITEA_REMOTE_URL"
if [[ -n "${GITEA_TOKEN:-}" && "$PUSH_URL" =~ ^https?:// && ! "$PUSH_URL" =~ @ ]]; then
PUSH_USER="${GITEA_USERNAME:-rafraa}"
PUSH_URL="$(echo "$PUSH_URL" | sed -E "s#^(https?://)#\1${PUSH_USER}:${GITEA_TOKEN}@#")"
fi
echo "Force-pushing branch '$GITEA_BRANCH' to $SAFE_REMOTE_URL ..."
git --git-dir="$MIRROR" remote add gitea "$PUSH_URL" 2>/dev/null || \
git --git-dir="$MIRROR" remote set-url gitea "$PUSH_URL"
git --git-dir="$MIRROR" push --force gitea "HEAD:refs/heads/$GITEA_BRANCH"
echo
echo "Done. Open $GITEA_REMOTE_URL to verify."
echo "Done. Open $SAFE_REMOTE_URL to verify."
else
echo "DRY RUN complete — nothing was pushed."
echo "Re-run with --push to publish: ./scripts/publish-to-gitea.sh --push"