wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity
Files
bb47afd01bbf510c7dc60d63fbde91cd2016b42e
awoooi/scripts/ci/check-gitea-step-env-secrets.js
Your Name ee2cc2bfc3
Some checks failed
CD Pipeline / tests (push) Failing after 1m23s
Details
CD Pipeline / build-and-deploy (push) Has been skipped
Details
CD Pipeline / post-deploy-checks (push) Has been skipped
Details
Code Review / ai-code-review (push) Successful in 15s
Details
fix(alerts): 收斂 Telegram 告警到 SRE 戰情室
2026-06-12 11:06:16 +08:00

84 lines
2.4 KiB
JavaScript
Executable File
Raw Blame History

#!/usr/bin/env node
/*
* Guard against putting secrets in Gitea step env/with blocks.
* Gitea/act_runner logs may render those blocks before masking is effective.
*/
const fs = require("fs");
const path = require("path");
const root = path.resolve(__dirname, "../..");
const workflowDir = path.join(root, ".gitea", "workflows");
const violations = [];
const routeViolations = [];
for (const fileName of fs.readdirSync(workflowDir).sort()) {
if (!fileName.endsWith(".yml") && !fileName.endsWith(".yaml")) {
continue;
}
const filePath = path.join(workflowDir, fileName);
const content = fs.readFileSync(filePath, "utf8");
const lines = content.split(/\r?\n/);
let block = null;
if (content.includes("TELEGRAM_ALERT_CHAT_ID")) {
routeViolations.push(`${filePath}: legacy TELEGRAM_ALERT_CHAT_ID is not allowed; use SRE_GROUP_CHAT_ID`);
}
if (content.includes("TELEGRAM_CHAT_ID")) {
routeViolations.push(`${filePath}: legacy TELEGRAM_CHAT_ID is not allowed for alert routing; use SRE_GROUP_CHAT_ID`);
}
let lineOffset = 0;
lines.forEach((line, index) => {
if (
line.includes("api.telegram.org/bot")
&& !content.slice(Math.max(0, lineOffset - 700), lineOffset + line.length + 1200).includes("SRE_GROUP_CHAT_ID")
) {
routeViolations.push(`${filePath}:${index + 1}: direct Telegram fallback must target SRE_GROUP_CHAT_ID`);
}
lineOffset += line.length + 1;
});
lines.forEach((line, index) => {
const indent = line.match(/^\s*/)[0].length;
const trimmed = line.trim();
if (block && trimmed && indent <= block.indent) {
block = null;
}
const blockMatch = line.match(/^(\s*)(env|with):\s*$/);
if (blockMatch) {
block = {
indent: blockMatch[1].length,
section: blockMatch[2],
};
return;
}
if (block && line.includes("${{ secrets.")) {
violations.push(`${filePath}:${index + 1}:${block.section}`);
}
});
}
if (violations.length > 0) {
console.error("Gitea workflow exposes secrets through step env/with:");
for (const violation of violations) {
console.error(` - ${violation}`);
}
process.exit(1);
}
if (routeViolations.length > 0) {
console.error("Gitea workflow Telegram route must converge on AwoooI SRE war room:");
for (const violation of routeViolations) {
console.error(` - ${violation}`);
}
process.exit(1);
}
console.log("no Gitea step env/with secrets or legacy Telegram routes");
Reference in New Issue View Git Blame Copy Permalink