forgejo-ci-runners/.taskfiles/_scripts/push_token.sh

#!/usr/bin/env bash
# Prerequisites:
# 1password vault created with a single item in it with the property 'runner_token'.
# Define the vault and item used.
# Usage: ./push_token.sh <incus vm instance name>

set -euo pipefail

# Check if instance name is provided
if [ "$#" -ne 1 ]; then
    echo "Usage: $0 <instance-name>" >&2
    exit 1
fi

INCUS_INSTANCE="$1"  # Use the provided instance name

# Set variables
OP_ITEM_NAME="forgejo-runner"  # Name of the 1Password item containing the runner token
OP_VAULT_NAME="forgejo-runner"  # Name of the 1Password vault
TOKEN_FILE="tokenfile"  # Name of the temporary file to store the token
INCUS_PATH="$INCUS_INSTANCE/var/lib/gitea-runner/default/$TOKEN_FILE"

# Check if OP_SESSION environment variable exists, if not, sign in
if [ -z "${OP_SESSION:-}" ]; then
    echo "Not logged in to 1Password CLI. Attempting to sign in..."
    if ! eval $(op signin); then
        echo "Failed to sign in to 1Password CLI. Please sign in manually using 'op signin'" >&2
        exit 1
    fi
fi

# Ensure the target directory exists in the Incus instance
#incus exec "$INCUS_INSTANCE" -- mkdir -p /var/lib/gitea-runner/default
#incus exec "$INCUS_INSTANCE" -- chown gitea-runner:gitea-runner /var/lib/gitea-runner/default

# Retrieve the token from 1Password
TOKEN=$(op item get "$OP_ITEM_NAME" --vault "$OP_VAULT_NAME" --fields runner_token)

if [ -z "$TOKEN" ]; then
    echo "Failed to retrieve token from 1Password" >&2
    exit 1
fi

# Create the token file
echo "TOKEN=$TOKEN" > "$TOKEN_FILE"

# Push the file to Incus
echo "Running: incus file push $INCUS_PATH"
if incus file push "$TOKEN_FILE" "$INCUS_PATH"; then
    echo "Token file successfully pushed to Incus instance $INCUS_INSTANCE"
else
    echo "Failed to push token file to Incus instance $INCUS_INSTANCE" >&2
    rm "$TOKEN_FILE"
    exit 1
fi

# Clean up the local token file
rm "$TOKEN_FILE"

echo "Operation completed successfully"