fix(mosaic-tools): roll up Gitea and Woodpecker wrapper fixes (#524)

2026-05-26 20:56:09 +00:00
parent 755df9079e
commit 821e19dcbb
26 changed files with 1173 additions and 174 deletions
--- a/packages/mosaic/framework/tools/git/detect-platform.sh
+++ b/packages/mosaic/framework/tools/git/detect-platform.sh
@@ -74,6 +74,16 @@ get_repo_name() {
    echo "${repo_info##*/}"
 }

+get_repo_slug() {
+    get_repo_info
+}
+
+get_gitea_repo_args() {
+    local repo
+    repo=$(get_repo_slug) || return 1
+    printf -- '--repo %q --login %q' "$repo" "${GITEA_LOGIN:-mosaicstack}"
+}
+
 get_remote_host() {
    local remote_url
    remote_url=$(git remote get-url origin 2>/dev/null || true)
@@ -103,16 +113,28 @@ get_gitea_token() {
    if [[ -f "$cred_loader" ]]; then
        local token
        token=$(
+            # shellcheck source=/dev/null
            source "$cred_loader"
+            # Host-specific wrapper resolution must not inherit caller/global GITEA_*.
+            # load_credentials intentionally preserves existing env vars for interactive use,
+            # but metadata/merge wrappers need credentials matching the remote host.
+            unset GITEA_TOKEN GITEA_URL
            case "$host" in
                git.mosaicstack.dev) load_credentials gitea-mosaicstack 2>/dev/null ;;
                git.uscllc.com)      load_credentials gitea-usc 2>/dev/null ;;
                *)
+                    local matched=false
                    for svc in gitea-mosaicstack gitea-usc; do
-                        load_credentials "$svc" 2>/dev/null || continue
-                        [[ "${GITEA_URL:-}" == *"$host"* ]] && break
                        unset GITEA_TOKEN GITEA_URL
+                        load_credentials "$svc" 2>/dev/null || continue
+                        if [[ "${GITEA_URL:-}" == "https://$host" || "${GITEA_URL:-}" == "http://$host" || "${GITEA_URL:-}" == *"//$host" ]]; then
+                            matched=true
+                            break
+                        fi
                    done
+                    if [[ "$matched" != true ]]; then
+                        unset GITEA_TOKEN GITEA_URL
+                    fi
                    ;;
            esac
            echo "${GITEA_TOKEN:-}"
@@ -123,10 +145,12 @@ get_gitea_token() {
        fi
    fi

-    # 2. GITEA_TOKEN env var (may be set by caller)
+    # 2. GITEA_TOKEN env var (only when GITEA_URL, if present, matches the remote host)
    if [[ -n "${GITEA_TOKEN:-}" ]]; then
-        echo "$GITEA_TOKEN"
-        return 0
+        if [[ -z "${GITEA_URL:-}" || "${GITEA_URL:-}" == "https://$host" || "${GITEA_URL:-}" == "http://$host" || "${GITEA_URL:-}" == *"//$host" ]]; then
+            echo "$GITEA_TOKEN"
+            return 0
+        fi
    fi

    # 3. ~/.git-credentials file
@@ -143,6 +167,37 @@ get_gitea_token() {
    return 1
 }

+# Resolve HTTPS basic auth credentials for a Gitea host from ~/.git-credentials.
+# Prints "username:password" for direct curl -u consumption. Callers must not log it.
+get_gitea_basic_auth() {
+    local host="$1"
+    local creds="$HOME/.git-credentials"
+    if [[ ! -f "$creds" ]]; then
+        return 1
+    fi
+
+    python3 - "$host" "$creds" <<'PY'
+import sys
+from pathlib import Path
+from urllib.parse import unquote, urlparse
+
+host = sys.argv[1]
+creds = Path(sys.argv[2])
+
+for line in creds.read_text(encoding="utf-8").splitlines():
+    parsed = urlparse(line.strip())
+    if parsed.hostname != host:
+        continue
+    username = unquote(parsed.username or "")
+    password = unquote(parsed.password or "")
+    if username and password:
+        print(f"{username}:{password}")
+        raise SystemExit(0)
+
+raise SystemExit(1)
+PY
+}
+
 # If script is run directly (not sourced), output the platform
 if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
    detect_platform