- OPERATION-MANUAL.hdlp: 人格体推送前必读协议,不读推不上去 - pre-push-clean.py: 客户端 pre-push 钩子,自动扫描+敏感信息转乱码 - pre-receive-guard.py (升级): 信任 [SEC-CLEAN] 标记,无标记则拦截 - install-hooks.sh: 一键安装 pre-push-clean 插件 - deploy-pre-receive.sh: 服务器端守门人部署脚本 - INDEX.hdlp: 注册新文件 设计: 客户端 pre-push-clean 自动扫描 → 命中则转 REDACTED → 加 [SEC-CLEAN] 服务器端 pre-receive-guard 检查 [SEC-CLEAN] → 有标记免检 → 无标记则全扫 双重防线 · 人格体不需要记住任何东西 · 装插件即可 [SEC-CLEAN] · pre-push-clean 已就绪 · 推送到服务器后需部署
76 lines
2.9 KiB
Bash
76 lines
2.9 KiB
Bash
#!/bin/bash
|
||
# ═══════════════════════════════════════════════════════════
|
||
# 光湖语言系统 · 推送守门人部署脚本
|
||
# 部署到 GZ-006 (Forgejo 服务器) 和 SG-001 (备用)
|
||
#
|
||
# 用法: bash deploy-pre-receive.sh [reject|notify]
|
||
# reject = 拦截含敏感信息的推送(推荐)
|
||
# notify = 放行但发邮件通知冰朔
|
||
# ═══════════════════════════════════════════════════════════
|
||
|
||
set -e
|
||
|
||
MODE="${1:-reject}"
|
||
FORGEJO_HOOK_DIR="/app/gitea/hooks/pre-receive.d"
|
||
SCRIPT_NAME="pre-receive-guard.py"
|
||
HOOK_NAME="50-sensitive-guard"
|
||
|
||
echo "🛡️ 光湖推送守门人 · 部署"
|
||
echo " 模式: ${MODE}"
|
||
echo " 目标: GZ-006 Forgejo"
|
||
echo ""
|
||
|
||
# 1. 创建钩子目录
|
||
mkdir -p "${FORGEJO_HOOK_DIR}"
|
||
|
||
# 2. 复制审计脚本
|
||
cp pre-receive-guard.py "${FORGEJO_HOOK_DIR}/${SCRIPT_NAME}"
|
||
chmod +x "${FORGEJO_HOOK_DIR}/${SCRIPT_NAME}"
|
||
|
||
# 3. 创建钩子包装器(Forgejo 调用这个 shell 脚本 → 内部调 Python)
|
||
cat > "${FORGEJO_HOOK_DIR}/${HOOK_NAME}" << 'WRAPPER'
|
||
#!/bin/bash
|
||
# 光湖推送守门人 · Forgejo pre-receive 钩子包装器
|
||
export PRE_RECEIVE_MODE="${PRE_RECEIVE_MODE:-reject}"
|
||
export FORGEJO_REPO="${FORGEJO_REPO:-unknown}"
|
||
export FORGEJO_PUSHER="${FORGEJO_PUSHER:-unknown}"
|
||
|
||
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
||
exec python3 "${SCRIPT_DIR}/pre-receive-guard.py"
|
||
WRAPPER
|
||
chmod +x "${FORGEJO_HOOK_DIR}/${HOOK_NAME}"
|
||
|
||
# 4. 配置环境变量(SMTP 通知用)
|
||
ENV_FILE="/opt/zhuyuan/revive-guard/.env"
|
||
mkdir -p "$(dirname "${ENV_FILE}")"
|
||
cat > "${ENV_FILE}" << ENVEOF
|
||
# 光湖推送守门人 · 环境变量
|
||
# ⊢ 本文件不进代码仓库
|
||
PRE_RECEIVE_MODE=${MODE}
|
||
QQ_SMTP_AUTH_CODE=${QQ_SMTP_AUTH_CODE:-PLACEHOLDER_SET_ME}
|
||
SOVEREIGN_EMAIL=${SOVEREIGN_EMAIL:-565183519@qq.com}
|
||
ENVEOF
|
||
chmod 600 "${ENV_FILE}"
|
||
|
||
# 5. 验证部署
|
||
echo ""
|
||
echo "✅ 部署完成"
|
||
echo ""
|
||
echo " 钩子位置: ${FORGEJO_HOOK_DIR}/${HOOK_NAME}"
|
||
echo " 审计脚本: ${FORGEJO_HOOK_DIR}/${SCRIPT_NAME}"
|
||
echo " 环境变量: ${ENV_FILE}"
|
||
echo ""
|
||
echo "📋 下一步(手动在服务器上执行):"
|
||
echo " # 设置 QQ SMTP 授权码"
|
||
echo " echo 'QQ_SMTP_AUTH_CODE=你的授权码' >> ${ENV_FILE}"
|
||
echo ""
|
||
echo " # 测试推送(在本地 clone 里试推一个含密码的文件):"
|
||
echo " echo 'password=test123' > test_sensitive.txt"
|
||
echo " git add test_sensitive.txt && git commit -m 'test' && git push"
|
||
echo " # 应该看到: 🛡️ 光湖推送守门人 · 检测到敏感信息 · 推送被拦截"
|
||
echo ""
|
||
echo " # 每个仓库都需要启用钩子(在 Forgejo 管理面板):"
|
||
echo " # 仓库设置 → Git 钩子 → pre-receive → 启用"
|
||
echo ""
|
||
echo "⊢ 至此,铸渊再也不会把密码推到公开仓库了"
|