fix: robust token detection and registry verification
Some checks failed
Build & Deploy / 🔍 Prepare (push) Successful in 41s
Build & Deploy / 🧪 QA (push) Failing after 58s
Build & Deploy / 🏗️ Build (push) Has been skipped
Build & Deploy / 🚀 Deploy (push) Has been skipped
Build & Deploy / 🧪 Post-Deploy Verification (push) Has been skipped
Build & Deploy / 🔔 Notify (push) Successful in 4s

This commit is contained in:
2026-05-12 11:08:01 +02:00
parent 6466bc4090
commit b76542b877

View File

@@ -1,53 +1,89 @@
#!/bin/bash
# Robust Registry Authentication Script
# Following Mintel CI/CD Hardening Standards
set -e
# 1. Discovery
TOKENS="${NPM_TOKEN} ${GITEA_PAT} ${MINTEL_PRIVATE_TOKEN}"
VALID_TOKEN=""
# Configuration
REGISTRY_URL="https://git.infra.mintel.me/api/packages/mmintel/npm/"
REGISTRY_DOMAIN="git.infra.mintel.me"
REGISTRY_PATH="/api/packages/mmintel/npm/"
SCOPE="@mintel"
echo "🔍 Starting functional registry discovery..."
for T in $TOKENS; do
[ -z "$T" ] && continue
T_START="${T:0:4}"
T_END="${T: -4}"
echo "Testing token starting with '$T_START...' and ending with '...$T_END'"
# Use Gitea API to verify token
# We use -k (insecure) if needed, but infra.mintel.me should have valid certs
STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token $T" "https://git.infra.mintel.me/api/v1/user" || echo "500")
if [ "$STATUS" == "200" ]; then
VALID_TOKEN="$T"
echo "✅ Token verified via API"
break
else
echo "❌ Token rejected by API (Status: $STATUS)"
fi
done
# Fallback: If API verification failed, try to use NPM_TOKEN if provided
if [ -z "$VALID_TOKEN" ] && [ -n "$NPM_TOKEN" ]; then
echo "⚠️ API verification failed, falling back to provided NPM_TOKEN"
VALID_TOKEN="$NPM_TOKEN"
# Discover token
token=""
token_src=""
if [ -n "$NPM_TOKEN" ]; then
token="$NPM_TOKEN"
token_src="NPM_TOKEN"
elif [ -n "$GITEA_PAT" ]; then
token="$GITEA_PAT"
token_src="GITEA_PAT"
elif [ -n "$MINTEL_PRIVATE_TOKEN" ]; then
token="$MINTEL_PRIVATE_TOKEN"
token_src="MINTEL_PRIVATE_TOKEN"
fi
if [ -z "$VALID_TOKEN" ]; then
echo "❌ CRITICAL: No valid registry token found in environment."
if [ -z "$token" ]; then
echo "❌ No registry token found (checked NPM_TOKEN, GITEA_PAT, MINTEL_PRIVATE_TOKEN)"
exit 1
fi
# 2. Hardened .npmrc Generation
# Trailing slashes are CRITICAL for pnpm registry matching
# Diagnostic: check token format
echo "Found token from $token_src (length: ${#token})"
# Check if it's base64 encoded user:pass (common in legacy npm)
is_base64_auth=false
if [[ "$token" =~ ^[A-Za-z0-9+/]*={0,2}$ ]] && [ ${#token} -gt 20 ]; then
decoded=$(echo "$token" | base64 -d 2>/dev/null || echo "")
if [[ "$decoded" == *":"* ]]; then
echo "💡 Detected base64 encoded user:pass format."
is_base64_auth=true
fi
fi
# Functional check against the registry instead of the general API
# We test by fetching metadata for a known package
test_pkg="@mintel/mail"
echo "Testing registry access for $test_pkg..."
if [ "$is_base64_auth" = true ]; then
status_code=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Basic $token" "${REGISTRY_URL}${test_pkg//\//@}")
else
# Try both 'token' and 'Bearer' for Gitea compatibility
status_code=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token $token" "${REGISTRY_URL}${test_pkg//\//@}")
if [ "$status_code" -ne 200 ]; then
status_code=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" "${REGISTRY_URL}${test_pkg//\//@}")
fi
fi
if [ "$status_code" -eq 200 ]; then
echo "✅ Registry verification successful (Status: 200)"
else
echo "❌ Registry verification failed (Status: $status_code)"
echo "⚠️ Proceeding with generation but installation will likely fail."
fi
# Generate .npmrc
echo "Generating .npmrc..."
# Clean up registry path for keys (no protocol, trailing slash matters)
# We add multiple variations to be safe
cat << EOF > .npmrc
@mintel:registry=https://git.infra.mintel.me/api/packages/mmintel/npm/
//git.infra.mintel.me/api/packages/mmintel/npm/:_authToken=${VALID_TOKEN}
//git.infra.mintel.me/api/packages/mmintel/npm/:always-auth=true
//registry.infra.mintel.me/api/packages/mmintel/npm/:_authToken=${VALID_TOKEN}
//registry.infra.mintel.me/api/packages/mmintel/npm/:always-auth=true
$SCOPE:registry=$REGISTRY_URL
always-auth=true
EOF
if [ "$is_base64_auth" = true ]; then
echo "//${REGISTRY_DOMAIN}${REGISTRY_PATH}:_auth=$token" >> .npmrc
echo "//${REGISTRY_DOMAIN}${REGISTRY_PATH%/}:_auth=$token" >> .npmrc
else
echo "//${REGISTRY_DOMAIN}${REGISTRY_PATH}:_authToken=$token" >> .npmrc
echo "//${REGISTRY_DOMAIN}${REGISTRY_PATH%/}:_authToken=$token" >> .npmrc
fi
# Add explicit registry mapping for non-scoped packages if needed (not here usually)
# Add some extra flags for stability
echo "progress=false" >> .npmrc
echo "verify-store-integrity=false" >> .npmrc
echo "✅ .npmrc hardened and generated."