Harden split-repo publish script with credential-helper auth

2026-02-17 20:50:59 -08:00 · 2026-02-17 20:50:59 -08:00 · 7ef7c662f3
commit 7ef7c662f3
parent 27b5900205
3 changed files with 74 additions and 19 deletions
--- a/README.md
+++ b/README.md
@ -102,7 +102,7 @@ README.md

 ## Scripts

-1. `scripts/publish_split_repos.sh` - creates/pushes `launcher`, `governance`, `contracts` repos using a Gitea PAT.
+1. `scripts/publish_split_repos.sh` - creates/pushes `launcher`, `governance`, `contracts` repos using either a provided Gitea PAT or git credential-helper auth for `git.workvsg.com`.

 ## Internationalization

--- a/docs/repo-split-publish-runbook.md
+++ b/docs/repo-split-publish-runbook.md
@ -1,12 +1,12 @@
 # Repo Split Publish Runbook

-Use this runbook after valid Gitea API credentials (username + PAT) are available.
+Use this runbook after valid Gitea credentials are available (PAT or git credential-helper username/password).

 ## Local Seed Repos (already initialized)

-1. `launcher` at `/Users/vsg/Documents/VSG Codex/launcher` (commit `b716b52`)
-2. `governance` at `/Users/vsg/Documents/VSG Codex/governance` (commit `12d5e7c`)
-3. `contracts` at `/Users/vsg/Documents/VSG Codex/contracts` (commit `082b29b`)
+1. `launcher` at `/Users/vsg/Documents/VSG Codex/launcher` (commit `caf06d2`)
+2. `governance` at `/Users/vsg/Documents/VSG Codex/governance` (commit `823f201`)
+3. `contracts` at `/Users/vsg/Documents/VSG Codex/contracts` (commit `dbac2f0`)

 ## Create Remote Repos

@ -24,13 +24,20 @@ curl -fsSL -H "Authorization: token <TOKEN>" -H "Content-Type: application/json"

 Repeat for `governance` and `contracts`.

-Or run the helper:
+Or run the helper with PAT:

 ```bash
 cd "/Users/vsg/Documents/VSG Codex/web"
 ./scripts/publish_split_repos.sh <gitea_pat>
 ```

+Or run it without arguments to use git credential helper auth for `git.workvsg.com`:
+
+```bash
+cd "/Users/vsg/Documents/VSG Codex/web"
+./scripts/publish_split_repos.sh
+```
+
 ## Push Local Seed Repos

 ```bash
--- a/scripts/publish_split_repos.sh
+++ b/scripts/publish_split_repos.sh
@ -1,15 +1,57 @@
 #!/usr/bin/env bash
 set -euo pipefail

-if [[ $# -lt 1 ]]; then
-  echo "Usage: $0 <gitea_pat> [org] [host]" >&2
-  exit 1
-fi
+usage() {
+  echo "Usage: $0 [gitea_pat] [org] [host]" >&2
+  echo "If gitea_pat is omitted, script tries git credential helper for host auth." >&2
+}

-TOKEN="$1"
+TOKEN="${1:-}"
 ORG="${2:-edut}"
 HOST="${3:-git.workvsg.com}"
 ROOT="/Users/vsg/Documents/VSG Codex"
+AUTH_MODE=""
+AUTH_USERNAME=""
+AUTH_PASSWORD=""
+
+init_auth() {
+  if [[ -n "$TOKEN" ]]; then
+    AUTH_MODE="token"
+    return
+  fi
+
+  local cred user pass
+  cred=$(printf 'protocol=https\nhost=%s\n\n' "$HOST" | git credential fill || true)
+  user=$(printf '%s\n' "$cred" | awk -F= '/^username=/{print $2}')
+  pass=$(printf '%s\n' "$cred" | awk -F= '/^password=/{print $2}')
+  if [[ -n "$user" && -n "$pass" ]]; then
+    AUTH_MODE="basic"
+    AUTH_USERNAME="$user"
+    AUTH_PASSWORD="$pass"
+    return
+  fi
+
+  usage
+  echo "No PAT provided and no git credentials found for ${HOST}." >&2
+  exit 1
+}
+
+curl_api() {
+  local method="$1"
+  local url="$2"
+  local data="${3:-}"
+  local -a cmd=(curl -sS -w "%{http_code}" -o /tmp/edut_api.out -X "$method")
+  if [[ "$AUTH_MODE" == "token" ]]; then
+    cmd+=(-H "Authorization: token ${TOKEN}")
+  else
+    cmd+=(-u "${AUTH_USERNAME}:${AUTH_PASSWORD}")
+  fi
+  if [[ -n "$data" ]]; then
+    cmd+=(-H 'Content-Type: application/json' -d "$data")
+  fi
+  cmd+=("$url")
+  "${cmd[@]}"
+}

 create_repo() {
  local name="$1"
@ -18,20 +60,24 @@ create_repo() {

  local api="https://${HOST}/api/v1/repos/${ORG}/${name}"
  local status
-  status=$(curl -sS -o /tmp/repo_check_${name}.json -w "%{http_code}" \
-    -H "Authorization: token ${TOKEN}" \
-    "$api")
+  status=$(curl_api "GET" "$api")

  if [[ "$status" == "200" ]]; then
    echo "Repo ${ORG}/${name} already exists"
    return
  fi
+  if [[ "$status" != "404" ]]; then
+    echo "Repo check failed for ${ORG}/${name} (status=${status})" >&2
+    cat /tmp/edut_api.out >&2 || true
+    exit 1
+  fi

-  curl -fsSL \
-    -H "Authorization: token ${TOKEN}" \
-    -H 'Content-Type: application/json' \
-    -X POST "https://${HOST}/api/v1/orgs/${ORG}/repos" \
-    -d "{\"name\":\"${name}\",\"private\":${private},\"description\":\"${desc}\"}" >/tmp/repo_create_${name}.json
+  status=$(curl_api "POST" "https://${HOST}/api/v1/orgs/${ORG}/repos" "{\"name\":\"${name}\",\"private\":${private},\"description\":\"${desc}\"}")
+  if [[ "$status" != "201" && "$status" != "200" ]]; then
+    echo "Repo create failed for ${ORG}/${name} (status=${status})" >&2
+    cat /tmp/edut_api.out >&2 || true
+    exit 1
+  fi

  echo "Created repo ${ORG}/${name}"
 }
@ -51,6 +97,8 @@ wire_and_push() {
  echo "Pushed ${local_dir} -> ${remote_url}"
 }

+init_auth
+
 create_repo "launcher" "true" "EDUT free launcher shell and wallet onboarding app"
 create_repo "governance" "true" "EDUT deterministic governance runtime"
 create_repo "contracts" "false" "EDUT membership and entitlement contracts"