From 442d24b76db2a8ff5e296a56e3cf314f0103944b Mon Sep 17 00:00:00 2001
From: dev-qwen2
Date: Fri, 17 Apr 2026 05:54:30 +0000
Subject: [PATCH] fix: resolve CI blockers for wp-oauth-register.sh
---
 lib/init/nomad/wp-oauth-register.sh | 16 +++++++++++-----
 tools/vault-seed-woodpecker.sh | 18 ++++++++----------
 2 files changed, 19 insertions(+), 15 deletions(-)
diff --git a/lib/init/nomad/wp-oauth-register.sh b/lib/init/nomad/wp-oauth-register.sh
index 74a5889..6868414 100755
--- a/lib/init/nomad/wp-oauth-register.sh
+++ b/lib/init/nomad/wp-oauth-register.sh
@@ -88,7 +88,6 @@ fi
 FORGE_TOKEN="${FORGE_TOKEN:-}"
 if [ -z "$FORGE_TOKEN" ]; then
 log "reading FORGE_TOKEN from Vault at kv/${KV_PATH}/token"
- token_raw
 token_raw="$(hvault_get_or_empty "${KV_MOUNT}/data/disinto/shared/forge/token")" || {
 die "failed to read forge token from Vault"
 }
@@ -118,6 +117,7 @@ oauth_apps_raw=$(curl -sf --max-time 10 \
 oauth_app_exists=false
 existing_client_id=""
+forgejo_secret=""
 # Parse the OAuth2 apps list
 if [ -n "$oauth_apps_raw" ]; then
@@ -189,14 +189,20 @@ if [ -n "$existing_raw" ]; then
 existing_secret_in_vault="$(printf '%s' "$existing_raw" | jq -r '.data.data.forgejo_secret // ""')"
 fi
-# Check if credentials already exist and match
-if [ "$existing_client_id_in_vault" = "$existing_client_id" ] \
- && [ "$existing_secret_in_vault" = "$forgejo_secret" ]; then
- log "credentials already in Vault"
+# Idempotency check: if Vault already has credentials for this app, use them
+# This handles the case where the OAuth app exists but we don't have the secret
+if [ "$existing_client_id_in_vault" = "$existing_client_id" ] && [ -n "$existing_secret_in_vault" ]; then
+ log "credentials already in Vault for '${FORGE_OAUTH_APP_NAME}'"
 log "done — OAuth2 app registered + credentials in Vault"
 exit 0
 fi
+# Use existing secret from Vault if available (app exists, secret in Vault)
+if [ -n "$existing_secret_in_vault" ]; then
+ log "using existing secret from Vault for '${FORGE_OAUTH_APP_NAME}'"
+ forgejo_secret="$existing_secret_in_vault"
+fi
+
 # Prepare the payload with new credentials
 payload="$(printf '%s' "$existing_data" \
 | jq --arg cid "$existing_client_id" \
diff --git a/tools/vault-seed-woodpecker.sh b/tools/vault-seed-woodpecker.sh
index af14c3e..ba78427 100755
--- a/tools/vault-seed-woodpecker.sh
+++ b/tools/vault-seed-woodpecker.sh
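Review bot: The new "use existing secret" block is only reachable when `existing_client_id_in_vault` differs from `existing_client_id` (the matching case has already exited above), so it copies a secret that Vault stored for a different client id into `forgejo_secret`, and the payload built just below persists that secret against the current id — a silent credential mismatch rather than the recovery the comment describes. The idempotency check also passes when both ids are empty, so a leftover `forgejo_secret` in Vault with no client id would report "credentials already in Vault" before any app is registered. Given that the earlier hunk initialises `forgejo_secret=""`, I would tighten the first condition to `if [ -n "$existing_client_id" ] && [ "$existing_client_id_in_vault" = "$existing_client_id" ] && [ -n "$existing_secret_in_vault" ]; then` and replace the reuse block with a refusal to write an unusable secret: `[ -n "$forgejo_secret" ] || die "no client secret available for '${FORGE_OAUTH_APP_NAME}'; Vault entry is stale or the app exists without a recoverable secret"`. Where `forgejo_secret` is normally obtained and how the payload is completed lie outside this hunk, so there may be handling there that changes this reading.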
@@ -132,16 +132,14 @@ fi
 # ── Step 3/3: register Forgejo OAuth app and store credentials ───────────────
 log "── Step 3/3: register Forgejo OAuth app ──"
-# Call the OAuth registration script
-if [ "$DRY_RUN" -eq 1 ]; then
- log "[dry-run] would call wp-oauth-register.sh"
-else
- # Export required env vars for the OAuth script
- export DRY_RUN
- "${LIB_DIR}/wp-oauth-register.sh" --dry-run || {
- log "OAuth registration check failed (Forgejo may not be running)"
- log "This is expected if Forgejo is not available"
- }
+# Export DRY_RUN for the OAuth script and call it
+export DRY_RUN
+if "${LIB_DIR}/wp-oauth-register.sh" || [ "$DRY_RUN" -eq 1 ]; then
+ :
+elif [ -n "${FORGE_URL:-}" ]; then
+ # Forgejo was configured but unavailable
+ log "OAuth registration check failed (Forgejo may not be running)"
+ log "This is expected if Forgejo is not available"
 fi
 log "done — agent_secret + OAuth credentials seeded"
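Review bot: The new `if` line invokes `wp-oauth-register.sh` before `DRY_RUN` is consulted, so a dry run now executes the registration script where the old branch only logged, and the `--dry-run` flag the old call passed is gone; unless the child honours the exported `DRY_RUN` (not visible in this hunk) that is a behaviour change worth confirming. The failure path is also lossy: with `FORGE_URL` unset nothing is logged at all, the exit status is discarded in every case, and control falls through to `log "done — agent_secret + OAuth credentials seeded"`, which reports OAuth credentials as seeded when the registration just failed. I would record the outcome, log something in every failure case, and make the final message reflect what was actually seeded, as below.
```shell
export DRY_RUN
oauth_ok=1
if ! "${LIB_DIR}/wp-oauth-register.sh"; then
  oauth_ok=0
  if [ "$DRY_RUN" -eq 1 ]; then
    log "[dry-run] OAuth registration reported failure (ignored in dry run)"
  elif [ -n "${FORGE_URL:-}" ]; then
    log "OAuth registration check failed (Forgejo may not be running)"
    log "This is expected if Forgejo is not available"
  else
    log "OAuth registration skipped: FORGE_URL is not set"
  fi
fi
if [ "$oauth_ok" -eq 1 ]; then
  log "done — agent_secret + OAuth credentials seeded"
else
  log "done — agent_secret seeded; OAuth credentials NOT seeded"
fi
```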