fix: resolve CI blockers for wp-oauth-register.sh

This commit is contained in:
dev-qwen2 2026-04-17 05:54:30 +00:00
parent 11566c2757
commit 442d24b76d
2 changed files with 19 additions and 15 deletions


@ -88,7 +88,6 @@ fi
FORGE_TOKEN="${FORGE_TOKEN:-}" FORGE_TOKEN="${FORGE_TOKEN:-}"
if [ -z "$FORGE_TOKEN" ]; then if [ -z "$FORGE_TOKEN" ]; then
log "reading FORGE_TOKEN from Vault at kv/${KV_PATH}/token" log "reading FORGE_TOKEN from Vault at kv/${KV_PATH}/token"
token_raw
token_raw="$(hvault_get_or_empty "${KV_MOUNT}/data/disinto/shared/forge/token")" || { token_raw="$(hvault_get_or_empty "${KV_MOUNT}/data/disinto/shared/forge/token")" || {
die "failed to read forge token from Vault" die "failed to read forge token from Vault"
} }
@ -118,6 +117,7 @@ oauth_apps_raw=$(curl -sf --max-time 10 \
oauth_app_exists=false oauth_app_exists=false
existing_client_id="" existing_client_id=""
forgejo_secret=""
# Parse the OAuth2 apps list # Parse the OAuth2 apps list
if [ -n "$oauth_apps_raw" ]; then if [ -n "$oauth_apps_raw" ]; then
@ -189,14 +189,20 @@ if [ -n "$existing_raw" ]; then
existing_secret_in_vault="$(printf '%s' "$existing_raw" | jq -r '.data.data.forgejo_secret // ""')" existing_secret_in_vault="$(printf '%s' "$existing_raw" | jq -r '.data.data.forgejo_secret // ""')"
fi fi
# Check if credentials already exist and match # Idempotency check: if Vault already has credentials for this app, use them
if [ "$existing_client_id_in_vault" = "$existing_client_id" ] \ # This handles the case where the OAuth app exists but we don't have the secret
&& [ "$existing_secret_in_vault" = "$forgejo_secret" ]; then if [ "$existing_client_id_in_vault" = "$existing_client_id" ] && [ -n "$existing_secret_in_vault" ]; then
log "credentials already in Vault" log "credentials already in Vault for '${FORGE_OAUTH_APP_NAME}'"
log "done — OAuth2 app registered + credentials in Vault" log "done — OAuth2 app registered + credentials in Vault"
exit 0 exit 0
fi fi
# Use existing secret from Vault if available (app exists, secret in Vault)
if [ -n "$existing_secret_in_vault" ]; then
log "using existing secret from Vault for '${FORGE_OAUTH_APP_NAME}'"
forgejo_secret="$existing_secret_in_vault"
fi
# Prepare the payload with new credentials # Prepare the payload with new credentials
payload="$(printf '%s' "$existing_data" \ payload="$(printf '%s' "$existing_data" \
| jq --arg cid "$existing_client_id" \ | jq --arg cid "$existing_client_id" \
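Review bot: The fallback `forgejo_secret="$existing_secret_in_vault"` fires whenever Vault holds any secret, yet that line is only reached after the idempotency check above has not exited, i.e. when `existing_client_id_in_vault` differs from `existing_client_id`, so the reused secret was issued for a different client id; it also overwrites whatever `forgejo_secret` an earlier creation step may have just set (the `forgejo_secret=""` initializer in the second hunk and `oauth_app_exists=false` suggest creation happens above this hunk, which I cannot see). A secret stored against a client id it does not belong to only fails at first login, which is hard to diagnose. Guard the fallback and make the mismatch visible: `if [ -z "$forgejo_secret" ] && [ -n "$existing_secret_in_vault" ]; then` followed by `log "warning: Vault client_id '${existing_client_id_in_vault}' differs from Forgejo client_id '${existing_client_id}'; reusing stored secret"`. The comment on that branch says "app exists, secret in Vault" but the condition never consults `oauth_app_exists`; reword it to state the condition actually tested.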


@ -132,16 +132,14 @@ fi
# ── Step 3/3: register Forgejo OAuth app and store credentials ─────────────── # ── Step 3/3: register Forgejo OAuth app and store credentials ───────────────
log "── Step 3/3: register Forgejo OAuth app ──" log "── Step 3/3: register Forgejo OAuth app ──"
# Call the OAuth registration script # Export DRY_RUN for the OAuth script and call it
if [ "$DRY_RUN" -eq 1 ]; then export DRY_RUN
log "[dry-run] would call wp-oauth-register.sh" if "${LIB_DIR}/wp-oauth-register.sh" || [ "$DRY_RUN" -eq 1 ]; then
else :
# Export required env vars for the OAuth script elif [ -n "${FORGE_URL:-}" ]; then
export DRY_RUN # Forgejo was configured but unavailable
"${LIB_DIR}/wp-oauth-register.sh" --dry-run || { log "OAuth registration check failed (Forgejo may not be running)"
log "OAuth registration check failed (Forgejo may not be running)" log "This is expected if Forgejo is not available"
log "This is expected if Forgejo is not available"
}
fi fi
log "done — agent_secret + OAuth credentials seeded" log "done — agent_secret + OAuth credentials seeded"
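Review bot: When `wp-oauth-register.sh` fails and `FORGE_URL` is unset, the new `if`/`elif` logs nothing at all, so the failure is swallowed silently and the final "credentials seeded" message is misleading; the replaced code logged something on every path. Add a closing branch, `else` / `log "OAuth registration skipped: FORGE_URL not set"`, so the seeding log records why credentials are absent. The child script is now executed before `[ "$DRY_RUN" -eq 1 ]` is consulted, so dry-run safety rests entirely on the child honoring the exported `DRY_RUN`; if that is intended, the comment should say so (`# child reads DRY_RUN from the environment; its failure is ignored in dry-run`), otherwise test `DRY_RUN` first so the child is not invoked. The `fi` closes the block but the surrounding Step 3 section continues outside the hunk.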