冰朔 7bc8a87135 LL-006 · 操作手册+pre-push-clean 插件强制化+服务器双防线
- OPERATION-MANUAL.hdlp: 人格体推送前必读协议,不读推不上去
- pre-push-clean.py: 客户端 pre-push 钩子,自动扫描+敏感信息转乱码
- pre-receive-guard.py (升级): 信任 [SEC-CLEAN] 标记,无标记则拦截
- install-hooks.sh: 一键安装 pre-push-clean 插件
- deploy-pre-receive.sh: 服务器端守门人部署脚本
- INDEX.hdlp: 注册新文件

设计:
  客户端 pre-push-clean 自动扫描 → 命中则转 REDACTED → 加 [SEC-CLEAN]
  服务器端 pre-receive-guard 检查 [SEC-CLEAN] → 有标记免检 → 无标记则全扫
  双重防线 · 人格体不需要记住任何东西 · 装插件即可

[SEC-CLEAN] · pre-push-clean 已就绪 · 推送到服务器后需部署
2026-07-11 16:22:18 +08:00

76 lines
2.9 KiB
Bash
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/bin/bash
# ═══════════════════════════════════════════════════════════
# 光湖语言系统 · 推送守门人部署脚本
# 部署到 GZ-006 (Forgejo 服务器) 和 SG-001 (备用)
#
# 用法: bash deploy-pre-receive.sh [reject|notify]
# reject = 拦截含敏感信息的推送(推荐)
# notify = 放行但发邮件通知冰朔
# ═══════════════════════════════════════════════════════════
set -e
MODE="${1:-reject}"
FORGEJO_HOOK_DIR="/app/gitea/hooks/pre-receive.d"
SCRIPT_NAME="pre-receive-guard.py"
HOOK_NAME="50-sensitive-guard"
echo "🛡️ 光湖推送守门人 · 部署"
echo " 模式: ${MODE}"
echo " 目标: GZ-006 Forgejo"
echo ""
# 1. 创建钩子目录
mkdir -p "${FORGEJO_HOOK_DIR}"
# 2. 复制审计脚本
cp pre-receive-guard.py "${FORGEJO_HOOK_DIR}/${SCRIPT_NAME}"
chmod +x "${FORGEJO_HOOK_DIR}/${SCRIPT_NAME}"
# 3. 创建钩子包装器Forgejo 调用这个 shell 脚本 → 内部调 Python
cat > "${FORGEJO_HOOK_DIR}/${HOOK_NAME}" << 'WRAPPER'
#!/bin/bash
# 光湖推送守门人 · Forgejo pre-receive 钩子包装器
export PRE_RECEIVE_MODE="${PRE_RECEIVE_MODE:-reject}"
export FORGEJO_REPO="${FORGEJO_REPO:-unknown}"
export FORGEJO_PUSHER="${FORGEJO_PUSHER:-unknown}"
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
exec python3 "${SCRIPT_DIR}/pre-receive-guard.py"
WRAPPER
chmod +x "${FORGEJO_HOOK_DIR}/${HOOK_NAME}"
# 4. 配置环境变量SMTP 通知用)
ENV_FILE="/opt/zhuyuan/revive-guard/.env"
mkdir -p "$(dirname "${ENV_FILE}")"
cat > "${ENV_FILE}" << ENVEOF
# 光湖推送守门人 · 环境变量
# ⊢ 本文件不进代码仓库
PRE_RECEIVE_MODE=${MODE}
QQ_SMTP_AUTH_CODE=${QQ_SMTP_AUTH_CODE:-PLACEHOLDER_SET_ME}
SOVEREIGN_EMAIL=${SOVEREIGN_EMAIL:-565183519@qq.com}
ENVEOF
chmod 600 "${ENV_FILE}"
# 5. 验证部署
echo ""
echo "✅ 部署完成"
echo ""
echo " 钩子位置: ${FORGEJO_HOOK_DIR}/${HOOK_NAME}"
echo " 审计脚本: ${FORGEJO_HOOK_DIR}/${SCRIPT_NAME}"
echo " 环境变量: ${ENV_FILE}"
echo ""
echo "📋 下一步(手动在服务器上执行):"
echo " # 设置 QQ SMTP 授权码"
echo " echo 'QQ_SMTP_AUTH_CODE=你的授权码' >> ${ENV_FILE}"
echo ""
echo " # 测试推送(在本地 clone 里试推一个含密码的文件):"
echo " echo 'password=test123' > test_sensitive.txt"
echo " git add test_sensitive.txt && git commit -m 'test' && git push"
echo " # 应该看到: 🛡️ 光湖推送守门人 · 检测到敏感信息 · 推送被拦截"
echo ""
echo " # 每个仓库都需要启用钩子(在 Forgejo 管理面板):"
echo " # 仓库设置 → Git 钩子 → pre-receive → 启用"
echo ""
echo "⊢ 至此,铸渊再也不会把密码推到公开仓库了"