fix: robust token detection and registry verification
Some checks failed
Build & Deploy / 🔍 Prepare (push) Successful in 41s
Build & Deploy / 🧪 QA (push) Failing after 58s
Build & Deploy / 🏗️ Build (push) Has been skipped
Build & Deploy / 🚀 Deploy (push) Has been skipped
Build & Deploy / 🧪 Post-Deploy Verification (push) Has been skipped
Build & Deploy / 🔔 Notify (push) Successful in 4s
Some checks failed
Build & Deploy / 🔍 Prepare (push) Successful in 41s
Build & Deploy / 🧪 QA (push) Failing after 58s
Build & Deploy / 🏗️ Build (push) Has been skipped
Build & Deploy / 🚀 Deploy (push) Has been skipped
Build & Deploy / 🧪 Post-Deploy Verification (push) Has been skipped
Build & Deploy / 🔔 Notify (push) Successful in 4s
This commit is contained in:
@@ -1,53 +1,89 @@
|
||||
#!/bin/bash
|
||||
# Robust Registry Authentication Script
|
||||
# Following Mintel CI/CD Hardening Standards
|
||||
set -e
|
||||
|
||||
# 1. Discovery
|
||||
TOKENS="${NPM_TOKEN} ${GITEA_PAT} ${MINTEL_PRIVATE_TOKEN}"
|
||||
|
||||
VALID_TOKEN=""
|
||||
# Configuration
|
||||
REGISTRY_URL="https://git.infra.mintel.me/api/packages/mmintel/npm/"
|
||||
REGISTRY_DOMAIN="git.infra.mintel.me"
|
||||
REGISTRY_PATH="/api/packages/mmintel/npm/"
|
||||
SCOPE="@mintel"
|
||||
|
||||
echo "🔍 Starting functional registry discovery..."
|
||||
|
||||
for T in $TOKENS; do
|
||||
[ -z "$T" ] && continue
|
||||
|
||||
T_START="${T:0:4}"
|
||||
T_END="${T: -4}"
|
||||
echo "Testing token starting with '$T_START...' and ending with '...$T_END'"
|
||||
|
||||
# Use Gitea API to verify token
|
||||
# We use -k (insecure) if needed, but infra.mintel.me should have valid certs
|
||||
STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token $T" "https://git.infra.mintel.me/api/v1/user" || echo "500")
|
||||
|
||||
if [ "$STATUS" == "200" ]; then
|
||||
VALID_TOKEN="$T"
|
||||
echo "✅ Token verified via API"
|
||||
break
|
||||
else
|
||||
echo "❌ Token rejected by API (Status: $STATUS)"
|
||||
fi
|
||||
done
|
||||
|
||||
# Fallback: If API verification failed, try to use NPM_TOKEN if provided
|
||||
if [ -z "$VALID_TOKEN" ] && [ -n "$NPM_TOKEN" ]; then
|
||||
echo "⚠️ API verification failed, falling back to provided NPM_TOKEN"
|
||||
VALID_TOKEN="$NPM_TOKEN"
|
||||
# Discover token
|
||||
token=""
|
||||
token_src=""
|
||||
if [ -n "$NPM_TOKEN" ]; then
|
||||
token="$NPM_TOKEN"
|
||||
token_src="NPM_TOKEN"
|
||||
elif [ -n "$GITEA_PAT" ]; then
|
||||
token="$GITEA_PAT"
|
||||
token_src="GITEA_PAT"
|
||||
elif [ -n "$MINTEL_PRIVATE_TOKEN" ]; then
|
||||
token="$MINTEL_PRIVATE_TOKEN"
|
||||
token_src="MINTEL_PRIVATE_TOKEN"
|
||||
fi
|
||||
|
||||
if [ -z "$VALID_TOKEN" ]; then
|
||||
echo "❌ CRITICAL: No valid registry token found in environment."
|
||||
if [ -z "$token" ]; then
|
||||
echo "❌ No registry token found (checked NPM_TOKEN, GITEA_PAT, MINTEL_PRIVATE_TOKEN)"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# 2. Hardened .npmrc Generation
|
||||
# Trailing slashes are CRITICAL for pnpm registry matching
|
||||
# Diagnostic: check token format
|
||||
echo "Found token from $token_src (length: ${#token})"
|
||||
|
||||
# Check if it's base64 encoded user:pass (common in legacy npm)
|
||||
is_base64_auth=false
|
||||
if [[ "$token" =~ ^[A-Za-z0-9+/]*={0,2}$ ]] && [ ${#token} -gt 20 ]; then
|
||||
decoded=$(echo "$token" | base64 -d 2>/dev/null || echo "")
|
||||
if [[ "$decoded" == *":"* ]]; then
|
||||
echo "💡 Detected base64 encoded user:pass format."
|
||||
is_base64_auth=true
|
||||
fi
|
||||
fi
|
||||
|
||||
# Functional check against the registry instead of the general API
|
||||
# We test by fetching metadata for a known package
|
||||
test_pkg="@mintel/mail"
|
||||
echo "Testing registry access for $test_pkg..."
|
||||
|
||||
if [ "$is_base64_auth" = true ]; then
|
||||
status_code=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Basic $token" "${REGISTRY_URL}${test_pkg//\//@}")
|
||||
else
|
||||
# Try both 'token' and 'Bearer' for Gitea compatibility
|
||||
status_code=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token $token" "${REGISTRY_URL}${test_pkg//\//@}")
|
||||
if [ "$status_code" -ne 200 ]; then
|
||||
status_code=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" "${REGISTRY_URL}${test_pkg//\//@}")
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$status_code" -eq 200 ]; then
|
||||
echo "✅ Registry verification successful (Status: 200)"
|
||||
else
|
||||
echo "❌ Registry verification failed (Status: $status_code)"
|
||||
echo "⚠️ Proceeding with generation but installation will likely fail."
|
||||
fi
|
||||
|
||||
# Generate .npmrc
|
||||
echo "Generating .npmrc..."
|
||||
|
||||
# Clean up registry path for keys (no protocol, trailing slash matters)
|
||||
# We add multiple variations to be safe
|
||||
cat << EOF > .npmrc
|
||||
@mintel:registry=https://git.infra.mintel.me/api/packages/mmintel/npm/
|
||||
//git.infra.mintel.me/api/packages/mmintel/npm/:_authToken=${VALID_TOKEN}
|
||||
//git.infra.mintel.me/api/packages/mmintel/npm/:always-auth=true
|
||||
//registry.infra.mintel.me/api/packages/mmintel/npm/:_authToken=${VALID_TOKEN}
|
||||
//registry.infra.mintel.me/api/packages/mmintel/npm/:always-auth=true
|
||||
$SCOPE:registry=$REGISTRY_URL
|
||||
always-auth=true
|
||||
EOF
|
||||
|
||||
if [ "$is_base64_auth" = true ]; then
|
||||
echo "//${REGISTRY_DOMAIN}${REGISTRY_PATH}:_auth=$token" >> .npmrc
|
||||
echo "//${REGISTRY_DOMAIN}${REGISTRY_PATH%/}:_auth=$token" >> .npmrc
|
||||
else
|
||||
echo "//${REGISTRY_DOMAIN}${REGISTRY_PATH}:_authToken=$token" >> .npmrc
|
||||
echo "//${REGISTRY_DOMAIN}${REGISTRY_PATH%/}:_authToken=$token" >> .npmrc
|
||||
fi
|
||||
|
||||
# Add explicit registry mapping for non-scoped packages if needed (not here usually)
|
||||
# Add some extra flags for stability
|
||||
echo "progress=false" >> .npmrc
|
||||
echo "verify-store-integrity=false" >> .npmrc
|
||||
|
||||
echo "✅ .npmrc hardened and generated."
|
||||
|
||||
Reference in New Issue
Block a user