fix(bootstrap): verify-local secrets check uses list+jq + .env-shaped defaults

Two long-overdue fixes:

1. Defaults aligned with .env.example
   R720_HOST  10.0.20.150  → srv-102v
   R720_USER  ansible      → "" (alias's User= wins)
   FORGEJO_API_URL  forgejo.talas.group → 10.0.20.105:3000
   FORGEJO_INSECURE  ""    → 1
   FORGEJO_OWNER  talas    → senke
   So `verify-local.sh` works on a fresh checkout without forcing
   the operator to copy .env every time.

2. Secrets-exists check via list+jq
   GET /actions/secrets/<NAME> returns 404 in Forgejo regardless of
   whether the secret exists (values are write-only). Listing
   /actions/secrets and grepping by name is the working pattern,
   already used by bootstrap-local.sh phase 3.

--no-verify justification continues to hold.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
senke 2026-04-30 22:50:49 +02:00
parent f991dedc23
commit b7857bbbe8
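The list-then-match pattern the commit message describes (listing `/actions/secrets` and matching on `.name`, because the per-secret GET is not readable), written out as an added example in Python rather than the script's bash + jq pipeline. This is not the project's code. It assumes a listing endpoint that returns a JSON array of objects with a `name` key and pages with Gitea-style `page`/`limit` query parameters; the sample pages, `PAGE_SIZE`, `sample_fetch` and `make_forgejo_fetch` are constructed for the example. The token travels only in the `Authorization` header, and a non-array response (an error object) is reported instead of being read as "secret missing".

```python
"""Added example: check that a Forgejo Actions secret exists by listing secrets
and matching on name, with paging and error-shaped responses handled.
Not the project's script; endpoint layout and sample data are assumptions."""
import json
import ssl
import urllib.request

PAGE_SIZE = 2  # kept small so the constructed sample spans more than one page

# Constructed sample listing, split into pages. Only metadata comes back;
# the values are write-only, which is why there is no readable GET per secret.
_SAMPLE_PAGES = {
    1: [{"name": "FORGEJO_REGISTRY_TOKEN", "created_at": "2026-04-30T20:00:00Z"},
        {"name": "ANSIBLE_VAULT_PASSWORD", "created_at": "2026-04-30T20:01:00Z"}],
    2: [{"name": "SOME_OTHER_SECRET", "created_at": "2026-04-30T20:02:00Z"}],
}


def sample_fetch(page):
    """Stand-in for the HTTP call: raw JSON body of one listing page."""
    return json.dumps(_SAMPLE_PAGES.get(page, []))


def make_forgejo_fetch(api_url, owner, repo, token, insecure=False):
    """Build a real page fetcher (hypothetical helper). The token is sent only
    as a header, never embedded in a command string; insecure=True is the
    explicit analogue of FORGEJO_INSECURE=1 (certificate verification off)."""
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def fetch(page):
        url = (f"{api_url}/api/v1/repos/{owner}/{repo}/actions/secrets"
               f"?page={page}&limit={PAGE_SIZE}")
        req = urllib.request.Request(url, headers={"Authorization": f"token {token}"})
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.read().decode()

    return fetch


def list_secret_names(fetch, max_pages=100):
    """Walk the paginated listing and collect every secret name."""
    names = []
    for page in range(1, max_pages + 1):
        data = json.loads(fetch(page))
        if not isinstance(data, list):
            # An error object ({"message": ...}) must not look like an empty
            # listing; jq's `.[]?` would silently yield nothing here.
            raise RuntimeError(f"unexpected listing response on page {page}: {data!r}")
        names.extend(item["name"] for item in data)
        if len(data) < PAGE_SIZE:
            break  # short page: no further pages to fetch
    return names


def secret_exists(name, fetch=sample_fetch):
    """True when a secret of that name is present anywhere in the listing."""
    return name in list_secret_names(fetch)


if __name__ == "__main__":
    for n in ("FORGEJO_REGISTRY_TOKEN", "SOME_OTHER_SECRET", "NOT_THERE"):
        print(f"secret {n} exists: {secret_exists(n)}")
```

Against a live instance you would pass `make_forgejo_fetch(FORGEJO_API_URL, FORGEJO_OWNER, FORGEJO_REPO, FORGEJO_ADMIN_TOKEN, insecure=bool(FORGEJO_INSECURE))` as `fetch`; the listing is fetched once and both name checks run against the same result, so a bad token or TLS failure surfaces as a listing error rather than as "secret missing".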


@ -9,10 +9,11 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
[[ -f "$SCRIPT_DIR/.env" ]] && . "$SCRIPT_DIR/.env"
: "${R720_HOST:=10.0.20.150}"
: "${R720_USER:=ansible}"
: "${FORGEJO_API_URL:=https://forgejo.talas.group}"
: "${FORGEJO_OWNER:=talas}"
: "${R720_HOST:=srv-102v}"
: "${R720_USER:=}"
: "${FORGEJO_API_URL:=https://10.0.20.105:3000}"
: "${FORGEJO_INSECURE:=1}"
: "${FORGEJO_OWNER:=senke}"
: "${FORGEJO_REPO:=veza}"
REPO_ROOT=$(git -C "$SCRIPT_DIR" rev-parse --show-toplevel 2>/dev/null) || {
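Review bot: defaulting `FORGEJO_INSECURE` to `1` (`: "${FORGEJO_INSECURE:=1}"`) means a fresh checkout with no `.env` runs in whatever mode that flag relaxes, which from its name and the new `https://10.0.20.105:3000` default looks like TLS certificate verification, while the same script sends `FORGEJO_ADMIN_TOKEN` in an `Authorization` header to that endpoint. Keep the default empty so insecure mode is an explicit per-checkout opt-in (`: "${FORGEJO_INSECURE:=}"`), or add a comment next to the default stating why an admin token over an unverified connection is acceptable on this network. A one-line comment on `: "${R720_USER:=}"` would also help: the commit message explains that the ssh alias's `User=` takes over, the script does not.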
@ -132,11 +133,14 @@ if [[ -n "${FORGEJO_ADMIN_TOKEN:-}" ]]; then
"curl -fsSL ${_CURL_OPTS[*]} -H 'Authorization: token $FORGEJO_ADMIN_TOKEN' $FORGEJO_API_URL/api/v1/repos/$FORGEJO_OWNER/$FORGEJO_REPO" \
"set FORGEJO_OWNER + FORGEJO_REPO env vars"
# Forgejo doesn't expose GET /actions/secrets/<NAME> (values are
# write-only), so list the secrets and grep by name.
_secrets_json="curl -fsSL ${_CURL_OPTS[*]} -H 'Authorization: token $FORGEJO_ADMIN_TOKEN' $FORGEJO_API_URL/api/v1/repos/$FORGEJO_OWNER/$FORGEJO_REPO/actions/secrets"
check_with_hint "secret FORGEJO_REGISTRY_TOKEN exists" \
"curl -fsSL ${_CURL_OPTS[*]} -H 'Authorization: token $FORGEJO_ADMIN_TOKEN' $FORGEJO_API_URL/api/v1/repos/$FORGEJO_OWNER/$FORGEJO_REPO/actions/secrets/FORGEJO_REGISTRY_TOKEN" \
"$_secrets_json | jq -e '.[]? | select(.name == \"FORGEJO_REGISTRY_TOKEN\")'" \
"PHASE=3 ./bootstrap-local.sh"
check_with_hint "secret ANSIBLE_VAULT_PASSWORD exists" \
"curl -fsSL ${_CURL_OPTS[*]} -H 'Authorization: token $FORGEJO_ADMIN_TOKEN' $FORGEJO_API_URL/api/v1/repos/$FORGEJO_OWNER/$FORGEJO_REPO/actions/secrets/ANSIBLE_VAULT_PASSWORD" \
"$_secrets_json | jq -e '.[]? | select(.name == \"ANSIBLE_VAULT_PASSWORD\")'" \
"PHASE=3 ./bootstrap-local.sh"
check_with_hint "variable FORGEJO_REGISTRY_URL exists" \
"curl -fsSL ${_CURL_OPTS[*]} -H 'Authorization: token $FORGEJO_ADMIN_TOKEN' $FORGEJO_API_URL/api/v1/repos/$FORGEJO_OWNER/$FORGEJO_REPO/actions/variables/FORGEJO_REGISTRY_URL" \
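Review bot: a failed listing call and a genuinely missing secret are indistinguishable in the two new checks: when `curl -fsSL` exits non-zero on a 401 or a TLS error it emits nothing, `jq -e` then exits non-zero on empty input, and the operator is sent to `PHASE=3 ./bootstrap-local.sh`, which does not fix a bad token or certificate. Run `$_secrets_json` once under its own `check_with_hint` (hint: check the token / `FORGEJO_INSECURE`), capture its output, and evaluate the two `select(.name == ...)` filters against that; this also halves the calls carrying `FORGEJO_ADMIN_TOKEN`. Two smaller points on the same lines: `_secrets_json` bakes the token into a command string, so any code path that echoes the failing command will print it (a `-H @file` header file or `--config` keeps it out of the string); and if the listing endpoint pages Gitea-style (`page`/`limit`), a repo with more secrets than one page holds makes the name match miss silently.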