Some checks failed
Build & Deploy / 🔍 Prepare (push) Successful in 38s
Build & Deploy / 🧪 QA (push) Successful in 1m22s
Build & Deploy / 🏗️ Build (push) Successful in 4m27s
Build & Deploy / 🚀 Deploy (push) Failing after 39s
Build & Deploy / 🧪 Post-Deploy Verification (push) Has been skipped
Build & Deploy / 🔔 Notify (push) Successful in 2s
161 lines
5.7 KiB
Bash
Executable File
161 lines
5.7 KiB
Bash
Executable File
#!/bin/bash
|
|
set -e
|
|
|
|
# --- CONFIGURATION ---
|
|
# The registry domain and base path for @mintel packages
|
|
DOMAINS=("git.infra.mintel.me" "registry.infra.mintel.me" "npm.infra.mintel.me")
|
|
REGISTRY_PATH="/api/packages/mmintel/npm"
|
|
# Package used for functional connectivity test (URL encoded)
|
|
TEST_PACKAGE_ENCODED="%40mintel%2Fmail"
|
|
|
|
echo "🚀 Starting Hardened Registry Authentication Discovery..."
|
|
|
|
# --- TOKEN DISCOVERY ---
|
|
# We try various candidate secrets. Gitea environment might have different names.
|
|
CANDIDATES=(
|
|
"NPM_TOKEN"
|
|
"GITEA_PAT"
|
|
"MINTEL_PRIVATE_TOKEN"
|
|
"MINTEL_REGISTRY_TOKEN"
|
|
"GITHUB_TOKEN"
|
|
"GITEA_TOKEN"
|
|
)
|
|
|
|
WORKING_TOKEN=""
|
|
WORKING_DOMAIN=""
|
|
WORKING_PATH=""
|
|
|
|
# --- LOCAL DISCOVERY (for local dev) ---
|
|
if [ -z "${NPM_TOKEN}" ]; then
|
|
echo "🔍 Searching for tokens in local config files..."
|
|
LOCAL_CANDIDATES=(
|
|
"$HOME/.npmrc"
|
|
"$HOME/.pnpmrc"
|
|
"./.npmrc.local"
|
|
)
|
|
|
|
for FILE in "${LOCAL_CANDIDATES[@]}"; do
|
|
if [ -f "${FILE}" ]; then
|
|
echo " Checking ${FILE}..."
|
|
# Try to extract _authToken
|
|
EXTRACTED=$(grep "_authToken=" "${FILE}" | sed -e 's/.*_authToken=//' -e 's/^"//' -e 's/"$//' | head -n 1)
|
|
if [ -n "${EXTRACTED}" ]; then
|
|
echo " Found candidate in ${FILE}"
|
|
# Inject into the environment for the test loop below
|
|
export NPM_TOKEN="${EXTRACTED}"
|
|
break
|
|
fi
|
|
fi
|
|
done
|
|
fi
|
|
|
|
for DOMAIN in "${DOMAINS[@]}"; do
|
|
# Determine the test path for this domain
|
|
if [ "${DOMAIN}" == "npm.infra.mintel.me" ]; then
|
|
CURRENT_PATH=""
|
|
else
|
|
CURRENT_PATH="${REGISTRY_PATH}"
|
|
fi
|
|
|
|
echo "🔍 Testing connectivity to ${DOMAIN}${CURRENT_PATH}..."
|
|
|
|
for VAR_NAME in "${CANDIDATES[@]}"; do
|
|
TOKEN_VAL="${!VAR_NAME}"
|
|
[ -z "${TOKEN_VAL}" ] && continue
|
|
|
|
echo " Testing ${VAR_NAME} (len: ${#TOKEN_VAL})..."
|
|
|
|
# Method 1: Bearer
|
|
STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer ${TOKEN_VAL}" "https://${DOMAIN}${CURRENT_PATH}/${TEST_PACKAGE_ENCODED}" || echo "000")
|
|
if [ "$STATUS" == "200" ]; then
|
|
echo " ✅ ${VAR_NAME} verified via Bearer on ${DOMAIN}"
|
|
WORKING_TOKEN="${TOKEN_VAL}"
|
|
WORKING_DOMAIN="${DOMAIN}"
|
|
WORKING_PATH="${CURRENT_PATH}"
|
|
break 2
|
|
fi
|
|
|
|
# Method 2: Basic (Token as user, empty password)
|
|
AUTH_BASIC=$(echo -n "${TOKEN_VAL}:" | base64)
|
|
STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Basic ${AUTH_BASIC}" "https://${DOMAIN}${CURRENT_PATH}/${TEST_PACKAGE_ENCODED}" || echo "000")
|
|
if [ "$STATUS" == "200" ]; then
|
|
echo " ✅ ${VAR_NAME} verified via Basic on ${DOMAIN}"
|
|
WORKING_TOKEN="${TOKEN_VAL}"
|
|
WORKING_DOMAIN="${DOMAIN}"
|
|
WORKING_PATH="${CURRENT_PATH}"
|
|
break 2
|
|
fi
|
|
|
|
# Method 3: Basic RAW (If already base64 encoded user:pass)
|
|
if [[ "${TOKEN_VAL}" =~ ^[A-Za-z0-9+/=]+$ ]] && [ ${#TOKEN_VAL} -gt 20 ]; then
|
|
STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Basic ${TOKEN_VAL}" "https://${DOMAIN}${CURRENT_PATH}/${TEST_PACKAGE_ENCODED}" || echo "000")
|
|
if [ "$STATUS" == "200" ]; then
|
|
echo " ✅ ${VAR_NAME} verified via Basic RAW on ${DOMAIN}"
|
|
WORKING_TOKEN="${TOKEN_VAL}"
|
|
WORKING_DOMAIN="${DOMAIN}"
|
|
WORKING_PATH="${CURRENT_PATH}"
|
|
break 2
|
|
fi
|
|
fi
|
|
|
|
# Method 4: Basic (User 'token', Token as password - Gitea standard)
|
|
AUTH_GITEA=$(echo -n "token:${TOKEN_VAL}" | base64)
|
|
STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Basic ${AUTH_GITEA}" "https://${DOMAIN}${CURRENT_PATH}/${TEST_PACKAGE_ENCODED}" || echo "000")
|
|
if [ "$STATUS" == "200" ]; then
|
|
echo " ✅ ${VAR_NAME} verified via Gitea-Token-Basic on ${DOMAIN}"
|
|
WORKING_TOKEN="${TOKEN_VAL}"
|
|
WORKING_DOMAIN="${DOMAIN}"
|
|
WORKING_PATH="${CURRENT_PATH}"
|
|
break 2
|
|
fi
|
|
done
|
|
done
|
|
|
|
if [ -z "${WORKING_TOKEN}" ]; then
|
|
echo "⚠️ ALL functional tests failed for all domains."
|
|
if [ -n "${NPM_TOKEN}" ]; then
|
|
echo "Falling back to NPM_TOKEN (unverified) and git.infra.mintel.me"
|
|
WORKING_TOKEN="${NPM_TOKEN}"
|
|
WORKING_DOMAIN="git.infra.mintel.me"
|
|
WORKING_PATH="${REGISTRY_PATH}"
|
|
else
|
|
echo "❌ CRITICAL: No usable token found and NPM_TOKEN is empty."
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
# --- .npmrc GENERATION ---
|
|
# We generate a .npmrc that matches the local pattern exactly to avoid resolution drift.
|
|
cat > .npmrc << EOF
|
|
@mintel:registry=https://${WORKING_DOMAIN}${WORKING_PATH}
|
|
//${WORKING_DOMAIN}${WORKING_PATH}/:_authToken=${WORKING_TOKEN}
|
|
//${WORKING_DOMAIN}${WORKING_PATH}/:always-auth=true
|
|
EOF
|
|
|
|
# Add secondary domain if we found one working
|
|
for DOMAIN in "${DOMAINS[@]}"; do
|
|
if [ "${DOMAIN}" != "${WORKING_DOMAIN}" ]; then
|
|
# Use REGISTRY_PATH for git/registry, empty for npm
|
|
if [ "${DOMAIN}" == "npm.infra.mintel.me" ]; then
|
|
DPATH=""
|
|
else
|
|
DPATH="${REGISTRY_PATH}"
|
|
fi
|
|
cat >> .npmrc << EOF
|
|
//${DOMAIN}${DPATH}/:_authToken=${WORKING_TOKEN}
|
|
//${DOMAIN}${DPATH}/:always-auth=true
|
|
EOF
|
|
fi
|
|
done
|
|
|
|
echo "✅ .npmrc hardened with verified token on ${WORKING_DOMAIN}."
|
|
echo "--- Generated .npmrc (masked) ---"
|
|
sed 's/_authToken=.*/_authToken=********/' .npmrc
|
|
echo "--------------------------------"
|
|
|
|
# --- OUTPUT FOR CI ---
|
|
if [ -n "$GITHUB_OUTPUT" ]; then
|
|
echo "working_token=${WORKING_TOKEN}" >> "$GITHUB_OUTPUT"
|
|
echo "working_domain=${WORKING_DOMAIN}" >> "$GITHUB_OUTPUT"
|
|
fi
|