铸澜 + 冰朔 · 取消仓库门禁的旧主机硬编码
This commit is contained in:
parent
503ff4464b
commit
c16ae8673f
@ -1,27 +1,43 @@
|
||||
#!/bin/bash
|
||||
# ═══════════════════════════════════════════════════════════
|
||||
# 光湖语言系统 · 推送守门人部署脚本
|
||||
# 部署到 GZ-006 (Forgejo 服务器) 和 SG-001 (备用)
|
||||
# 目标仓库必须由服务器会话显式传入;禁止把旧广州路径当作默认值。
|
||||
#
|
||||
# 用法: bash deploy-pre-receive.sh [reject|notify]
|
||||
# 用法: bash deploy-pre-receive.sh <repo-hooks-dir> [reject|notify]
|
||||
# reject = 拦截含敏感信息的推送(推荐)
|
||||
# notify = 放行但发邮件通知冰朔
|
||||
# ═══════════════════════════════════════════════════════════
|
||||
|
||||
set -e
|
||||
|
||||
MODE="${1:-reject}"
|
||||
FORGEJO_HOOK_DIR="/app/gitea/hooks/pre-receive.d"
|
||||
FORGEJO_HOOK_DIR="${1:-}"
|
||||
MODE="${2:-reject}"
|
||||
SCRIPT_NAME="pre-receive-guard.py"
|
||||
HOOK_NAME="50-sensitive-guard"
|
||||
HOOK_NAME="pre-receive"
|
||||
|
||||
if [ -z "${FORGEJO_HOOK_DIR}" ]; then
|
||||
echo "❌ 必须传入当前 Forgejo 裸仓库的 hooks 目录。"
|
||||
echo " 例:bash deploy-pre-receive.sh /实际路径/bingshuo/fifth-domain.git/hooks reject"
|
||||
exit 2
|
||||
fi
|
||||
|
||||
if [ ! -d "${FORGEJO_HOOK_DIR}" ]; then
|
||||
echo "❌ 目标 hooks 目录不存在:${FORGEJO_HOOK_DIR}"
|
||||
echo " 停止部署;请先通过 GLSV 会话核对当前仓库物理路径。"
|
||||
exit 2
|
||||
fi
|
||||
|
||||
echo "🛡️ 光湖推送守门人 · 部署"
|
||||
echo " 模式: ${MODE}"
|
||||
echo " 目标: GZ-006 Forgejo"
|
||||
echo " 目标 hooks: ${FORGEJO_HOOK_DIR}"
|
||||
echo ""
|
||||
|
||||
# 1. 创建钩子目录
|
||||
mkdir -p "${FORGEJO_HOOK_DIR}"
|
||||
# 1. 不悄悄覆盖既有仓库门禁。
|
||||
if [ -f "${FORGEJO_HOOK_DIR}/${HOOK_NAME}" ] && ! grep -q "光湖推送守门人 · Forgejo pre-receive 钩子包装器" "${FORGEJO_HOOK_DIR}/${HOOK_NAME}"; then
|
||||
echo "❌ 检测到已有 pre-receive Hook,未覆盖。"
|
||||
echo " 先读取并整合既有规则,再以带回滚方案的专门部署动作替换。"
|
||||
exit 3
|
||||
fi
|
||||
|
||||
# 2. 复制服务器守门人及其导航依赖
|
||||
cp pre-receive-guard.py "${FORGEJO_HOOK_DIR}/${SCRIPT_NAME}"
|
||||
@ -29,7 +45,7 @@ chmod +x "${FORGEJO_HOOK_DIR}/${SCRIPT_NAME}"
|
||||
cp navigation-memory-guard.py "${FORGEJO_HOOK_DIR}/navigation-memory-guard.py"
|
||||
chmod +x "${FORGEJO_HOOK_DIR}/navigation-memory-guard.py"
|
||||
|
||||
# 3. 创建钩子包装器(Forgejo 调用这个 shell 脚本 → 内部调 Python)
|
||||
# 3. 创建钩子包装器(Forgejo 调用这个脚本 → 内部调 Python)。
|
||||
cat > "${FORGEJO_HOOK_DIR}/${HOOK_NAME}" << 'WRAPPER'
|
||||
#!/bin/bash
|
||||
# 光湖推送守门人 · Forgejo pre-receive 钩子包装器
|
||||
@ -42,36 +58,19 @@ exec python3 "${SCRIPT_DIR}/pre-receive-guard.py"
|
||||
WRAPPER
|
||||
chmod +x "${FORGEJO_HOOK_DIR}/${HOOK_NAME}"
|
||||
|
||||
# 4. 配置环境变量(SMTP 通知用)
|
||||
ENV_FILE="/opt/zhuyuan/revive-guard/.env"
|
||||
mkdir -p "$(dirname "${ENV_FILE}")"
|
||||
cat > "${ENV_FILE}" << ENVEOF
|
||||
# 光湖推送守门人 · 环境变量
|
||||
# ⊢ 本文件不进代码仓库
|
||||
PRE_RECEIVE_MODE=${MODE}
|
||||
QQ_SMTP_AUTH_CODE=${QQ_SMTP_AUTH_CODE:-PLACEHOLDER_SET_ME}
|
||||
SOVEREIGN_EMAIL=${SOVEREIGN_EMAIL:-ICE-GL∞_EMAIL_REDACTED}
|
||||
ENVEOF
|
||||
chmod 600 "${ENV_FILE}"
|
||||
|
||||
# 5. 验证部署
|
||||
# 4. 验证部署
|
||||
echo ""
|
||||
echo "✅ 部署完成"
|
||||
echo ""
|
||||
echo " 钩子位置: ${FORGEJO_HOOK_DIR}/${HOOK_NAME}"
|
||||
echo " 审计脚本: ${FORGEJO_HOOK_DIR}/${SCRIPT_NAME}"
|
||||
echo " 环境变量: ${ENV_FILE}"
|
||||
echo ""
|
||||
echo "📋 下一步(手动在服务器上执行):"
|
||||
echo " # 设置 QQ SMTP 授权码"
|
||||
echo " echo 'QQ_SMTP_AUTH_CODE=你的授权码' >> ${ENV_FILE}"
|
||||
echo "📋 下一步(在当前 GLSV 工作会话中执行):"
|
||||
echo " # 先读取现有 Hook;如存在旧规则,先做合并、备份和回滚计划。"
|
||||
echo ""
|
||||
echo " # 测试推送(在本地 clone 里试推一个含密码的文件):"
|
||||
echo " echo 'password=test123' > test_sensitive.txt"
|
||||
echo " git add test_sensitive.txt && git commit -m 'test' && git push"
|
||||
echo " # 应该看到: 🛡️ 光湖推送守门人 · 检测到敏感信息 · 推送被拦截"
|
||||
echo ""
|
||||
echo " # 每个仓库都需要启用钩子(在 Forgejo 管理面板):"
|
||||
echo " # 仓库设置 → Git 钩子 → pre-receive → 启用"
|
||||
echo ""
|
||||
echo "⊢ 至此,铸渊再也不会把密码推到公开仓库了"
|
||||
echo "⊢ 钩子路径必须从服务器实时探测得出,旧资料只用于恢复架构,不直接覆盖现实状态。"
|
||||
|
||||
@ -3,7 +3,8 @@
|
||||
光湖语言系统 · 推送守门人 · 敏感信息自动打码
|
||||
Guanghu Language System · Pre-Receive Guard
|
||||
|
||||
部署位置: GZ-006 Forgejo 服务器 /app/gitea/hooks/pre-receive.d/
|
||||
部署位置: 当前承载目标仓库的 Forgejo 裸仓库 `hooks/pre-receive`。
|
||||
部署前由 GLSV 会话实时探测;不得沿用旧服务器路径。
|
||||
作用: 每次 git push 进来 → 扫描新 commit → 检测敏感信息 → 自动打码或拦截
|
||||
|
||||
设计哲学:
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user