diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 131a214..28ab80e 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -20,10 +20,15 @@ # Auth notes: # - The image build/push uses $CI_JOB_TOKEN, which GitLab provides # automatically. No credentials need to be configured. -# - The reverse mirror requires a GitHub personal access token stored -# as the GitLab CI/CD variable GITHUB_MIRROR_TOKEN (Protected + Masked). -# Scope: public_repo (or repo for private). If the variable isn't -# set the mirror job is skipped — image builds still run. +# - The reverse mirror authenticates to GitHub via a per-repo SSH +# deploy key. The private half is stored as the File-type GitLab +# CI/CD variable GITHUB_MIRROR_SSH_KEY (Protected). The matching +# public key is added to github.com/BigBodyCobain/Shadowbroker/ +# settings/keys with write access. This is a tighter-scoped +# replacement for a personal access token: it can ONLY push to +# Shadowbroker, never expires, and rotating it is a one-click +# delete on GitHub's deploy-keys page. If the variable isn't set, +# the mirror job is skipped — image builds still run. stages: - build 
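Review bot: The rewritten header lists "never expires" as an advantage of the deploy key, but for a credential with write access a non-expiring key is exactly what a reviewer wants a rotation plan for, not a selling point, so that clause should name an owner or cadence instead. A write-enabled deploy key can also push to any branch of Shadowbroker, not just main, so "can ONLY push to Shadowbroker" is accurate but GitHub-side branch protection is what actually bounds the blast radius and deserves a mention. I would replace the three lines starting at "replacement for a personal access token" with `#   replacement for a PAT: it can only push to Shadowbroker (any branch, so keep` / `#   GitHub branch protection on main), and it never expires on its own, so` / `#   schedule a rotation; rotating is a one-click delete on the deploy-keys page.` The old note also had "Masked"; if it was dropped because File-type variables cannot be masked on this GitLab version, say so in the comment so nobody re-adds a raw-value variable to get masking back.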
@@ -101,18 +106,35 @@ build-frontend: - .gitlab-ci.yml # ── Reverse mirror to GitHub ───────────────────────────────────────────── -# Pushes refs/heads/main to github.com/BigBodyCobain/Shadowbroker. -# Fast-forward-only — if GitLab main and GitHub main have diverged, this -# fails loudly rather than silently overwriting either side. +# Pushes refs/heads/main to github.com/BigBodyCobain/Shadowbroker via SSH +# using a per-repo deploy key. Fast-forward-only by default — if GitLab +# main and GitHub main have diverged, the push fails loudly rather than +# silently overwriting either side. # -# Only runs if GITHUB_MIRROR_TOKEN is set as a CI/CD variable. See the -# header comment of this file for setup instructions. +# Only runs if GITHUB_MIRROR_SSH_KEY is set as a File-type CI/CD variable. +# See the header comment of this file for setup instructions. mirror-to-github: stage: mirror image: alpine:3.20 needs: [] before_script: - apk add --no-cache git openssh-client ca-certificates + - mkdir -p ~/.ssh + - chmod 700 ~/.ssh + # Install the deploy key. File-type CI variable exposes the path; copy + # to ~/.ssh/id_ed25519 with restrictive perms so ssh accepts it. + - cp "$GITHUB_MIRROR_SSH_KEY" ~/.ssh/id_ed25519 + - chmod 600 ~/.ssh/id_ed25519 + # Pin github.com's current host keys so we never trust a man-in-the- + # middle. Sourced from https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints + # (rotated 2023-03-24 after the previous RSA key leak). 
+ - | + cat > ~/.ssh/known_hosts <<'EOF' + github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl + github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= + github.com ssh-rsa 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 + EOF + - chmod 644 ~/.ssh/known_hosts script: - git config --global user.email "ci-mirror@gitlab.com" - git config --global user.name "GitLab CI Mirror" @@ -123,7 +145,7 @@ mirror-to-github: - cd repo - > git push - "https://x-access-token:${GITHUB_MIRROR_TOKEN}@github.com/BigBodyCobain/Shadowbroker.git" + "git@github.com:BigBodyCobain/Shadowbroker.git" "${CI_COMMIT_SHA}:refs/heads/main" rules: - - if: $CI_COMMIT_BRANCH == "main" && $GITHUB_MIRROR_TOKEN + - if: $CI_COMMIT_BRANCH == "main" && $GITHUB_MIRROR_SSH_KEY
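Review bot: The pinned known_hosts only protects the push if ssh is actually forced to use it; as written the job relies on OpenSSH's default StrictHostKeyChecking=ask, which happens to refuse unknown hosts when there is no tty, but nothing in the job states that, and a base-image ssh_config that sets accept-new would silently start trusting whatever key github.com presents. After the `chmod 644 ~/.ssh/known_hosts` line add `- export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=~/.ssh/known_hosts -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519"` so a host-key mismatch is a hard failure and the deploy key is the only identity offered. The ssh-rsa host-key entry is not legible in this view, so it should be checked against GitHub's fingerprint page before merge. The job's script continues in the following hunk.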