eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/mise-tasks/mirror-create
Erich Blume 84338c32c2 Add authenticated GitHub PAT for Forgejo mirror sync (#269) 
## Summary

- **mirror-create**: Auto-includes GitHub PAT from 1Password for authenticated upstream fetches at mirror creation time
- **mirror-update-pats**: New mise task that SSHes into indri and rewrites the git remote URL in every GitHub mirror's bare repo config to embed the PAT. Idempotent, supports `--dry-run`
- **app.ini.j2**: Explicit `[mirror]` section with `DEFAULT_INTERVAL = 8h` and `MIN_INTERVAL = 10m` (bakes in the defaults for visibility)
- **manage-forgejo-mirrors**: New how-to doc covering mirror creation, PAT storage, the `mirror-update-pats` task, and the full 20-day PAT rotation procedure

## Context

GitHub tightened unauthenticated rate limits for git clone/fetch in May 2025. With 23 GitHub mirrors syncing every 8 hours, authenticated fetches avoid throttling. The PAT is stored in 1Password (`Forgejo Secrets` → `github-mirror-pat`) and has been applied to all existing mirrors.

## Deployment and Testing

- [x] `mirror-update-pats` dry-run verified (23 mirrors detected)
- [x] `mirror-update-pats` applied to all 23 GitHub mirrors on indri
- [x] Idempotency confirmed (re-run shows 0 updated, 23 skipped)
- [ ] Provision indri with `--tags forgejo` to apply `[mirror]` config
- [ ] Trigger a manual mirror sync and verify success in Forgejo UI

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/269
2026-02-25 20:20:23 -08:00

80 lines
2.3 KiB
Bash
Executable file
Raw Blame History

#!/usr/bin/env bash
#MISE description="Create a new upstream mirror in the mirrors/ Forgejo org"
#USAGE arg "<url>" help="Upstream git URL to mirror (e.g. https://github.com/org/repo.git)"
#USAGE flag "--name <name>" help="Repository name on forge (default: derived from URL)"
#USAGE flag "--description <description>" help="Repository description"
#USAGE flag "--dry-run" help="Show what would be done without creating"
set -euo pipefail
FORGE_API="https://forge.ops.eblu.me/api/v1"
ORG="mirrors"
OP_TOKEN_REF="op://blumeops/w3663ffnvkewbftncqxtcpeavy/api-token"
OP_GITHUB_PAT_REF="op://blumeops/w3663ffnvkewbftncqxtcpeavy/github-mirror-pat"
url="${usage_url:?}"
# Derive repo name from URL if not provided
if [[ -n "${usage_name:-}" ]]; then
repo_name="${usage_name}"
else
# Strip trailing .git and extract last path component
repo_name="$(basename "$url" .git)"
fi
description="${usage_description:-}"
# Detect service type from URL
service="git"
case "$url" in
*github.com*) service="github" ;;
*codeberg.org*) service="gitea" ;;
*forgejo.org*) service="gitea" ;;
esac
echo "Mirror: $url"
echo "Forge repo: $ORG/$repo_name"
echo "Service: $service"
[[ -n "$description" ]] && echo "Description: $description"
echo
if [[ "${usage_dry_run:-}" == "true" ]]; then
echo "[dry-run] Would create mirror at ${FORGE_API}/repos/migrate"
exit 0
fi
echo "Reading secrets from 1Password..."
token="$(op read "$OP_TOKEN_REF")"
# For GitHub upstreams, include the PAT for authenticated sync
auth_token=""
if [[ "$service" == "github" ]]; then
auth_token="$(op read "$OP_GITHUB_PAT_REF")"
echo "Using GitHub PAT for authenticated mirror sync"
fi
payload=$(cat <<ENDJSON
{
"clone_addr": "$url",
"repo_name": "$repo_name",
"repo_owner": "$ORG",
"mirror": true,
"service": "$service",
"description": "$description",
"auth_token": "$auth_token"
}
ENDJSON
)
http_code=$(curl -s -o /tmp/mirror-create-response.json -w "%{http_code}" \
-X POST "${FORGE_API}/repos/migrate" \
-H "Authorization: token ${token}" \
-H "Content-Type: application/json" \
-d "$payload")
if [[ "$http_code" == "201" ]]; then
echo "Created mirror: https://forge.ops.eblu.me/${ORG}/${repo_name}"
else
echo "Error (HTTP $http_code):"
cat /tmp/mirror-create-response.json
exit 1
fi
Reference in a new issue View git blame Copy permalink