fix: [nomad-step-3] S3.3 — wp-oauth-register.sh (Forgejo OAuth app + Vault KV) (#936) #940

dev-qwen merged 4 commits from fix/issue-936 into main 2026-04-17 06:08:10 +00:00
2 changed files with 19 additions and 15 deletions


@ -88,7 +88,6 @@ fi
FORGE_TOKEN="${FORGE_TOKEN:-}"
if [ -z "$FORGE_TOKEN" ]; then
log "reading FORGE_TOKEN from Vault at kv/${KV_PATH}/token"
token_raw
token_raw="$(hvault_get_or_empty "${KV_MOUNT}/data/disinto/shared/forge/token")" || {
die "failed to read forge token from Vault"
}
@ -118,6 +117,7 @@ oauth_apps_raw=$(curl -sf --max-time 10 \
oauth_app_exists=false
existing_client_id=""
forgejo_secret=""
# Parse the OAuth2 apps list
if [ -n "$oauth_apps_raw" ]; then
@ -189,14 +189,20 @@ if [ -n "$existing_raw" ]; then
existing_secret_in_vault="$(printf '%s' "$existing_raw" | jq -r '.data.data.forgejo_secret // ""')"
fi
# Check if credentials already exist and match
if [ "$existing_client_id_in_vault" = "$existing_client_id" ] \
&& [ "$existing_secret_in_vault" = "$forgejo_secret" ]; then
log "credentials already in Vault"
# Idempotency check: if Vault already has credentials for this app, use them
# This handles the case where the OAuth app exists but we don't have the secret
if [ "$existing_client_id_in_vault" = "$existing_client_id" ] && [ -n "$existing_secret_in_vault" ]; then
log "credentials already in Vault for '${FORGE_OAUTH_APP_NAME}'"
log "done — OAuth2 app registered + credentials in Vault"
exit 0
fi
# Use existing secret from Vault if available (app exists, secret in Vault)
if [ -n "$existing_secret_in_vault" ]; then
log "using existing secret from Vault for '${FORGE_OAUTH_APP_NAME}'"
forgejo_secret="$existing_secret_in_vault"
fi
# Prepare the payload with new credentials
payload="$(printf '%s' "$existing_data" \
| jq --arg cid "$existing_client_id" \
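Review bot: The new idempotency `if` at the top of the added block compares `existing_client_id_in_vault` with `existing_client_id` without requiring either to be non-empty, so when the OAuth app is absent in Forgejo (`existing_client_id=""` from the earlier hunk) and Vault holds only a stale `forgejo_secret`, the two empty client ids match and the script exits 0 with "credentials already in Vault" without registering anything; the later "use existing secret from Vault" branch has the same gap and would carry a stale secret into the new payload. Guarding both on a real app id closes it: `if [ -n "$existing_client_id" ] && [ "$existing_client_id_in_vault" = "$existing_client_id" ] && [ -n "$existing_secret_in_vault" ]; then` and `if [ -n "$existing_client_id" ] && [ -n "$existing_secret_in_vault" ]; then`. Where `existing_client_id_in_vault` is populated lies above the hunk, so its empty-string default is inferred from the sibling `// ""` jq filter. Separately, in the first hunk the log line names `kv/${KV_PATH}/token` while the read targets `${KV_MOUNT}/data/disinto/shared/forge/token`; the message should name the path actually read so operators debugging Vault access are not misled.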

View file

@ -132,16 +132,14 @@ fi
# ── Step 3/3: register Forgejo OAuth app and store credentials ───────────────
log "── Step 3/3: register Forgejo OAuth app ──"
# Call the OAuth registration script
if [ "$DRY_RUN" -eq 1 ]; then
log "[dry-run] would call wp-oauth-register.sh"
else
# Export required env vars for the OAuth script
export DRY_RUN
"${LIB_DIR}/wp-oauth-register.sh" --dry-run || {
# Export DRY_RUN for the OAuth script and call it
export DRY_RUN
if "${LIB_DIR}/wp-oauth-register.sh" || [ "$DRY_RUN" -eq 1 ]; then
:
elif [ -n "${FORGE_URL:-}" ]; then
# Forgejo was configured but unavailable
log "OAuth registration check failed (Forgejo may not be running)"
log "This is expected if Forgejo is not available"
}
fi
log "done — agent_secret + OAuth credentials seeded"
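Review bot: In the new `if … elif` chain, a non-zero exit from `wp-oauth-register.sh` while `FORGE_URL` is unset matches neither branch, so the failure is dropped without any log and the script still prints "done — agent_secret + OAuth credentials seeded" although nothing was stored; the same closing message is also printed on the logged-and-ignored Forgejo-unavailable path. Add a terminal branch that records the outcome, e.g. `else` followed by `log "OAuth registration failed and FORGE_URL is not set — credentials not seeded"`, and consider setting a flag there so the closing log reports the real result. The `|| [ "$DRY_RUN" -eq 1 ]` clause masks every error under dry-run, which is presumably intended since DRY_RUN is exported for the child script to honor, but a one-line comment stating that would help the next reader. The old/new side of these lines is inferred from print order, and the enclosing block may continue past the end of the hunk.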