mirror of
https://github.com/marcredhat/kql
synced 2026-06-08 13:23:58 +00:00
marc
74 lines
2.9 KiB
Bash
Executable File
74 lines
2.9 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Sanitize-and-publish kql-to-pq to github.com/marcredhat/kql.
|
|
#
|
|
# Safety:
|
|
# - Bails if any tracked-or-untracked-but-not-ignored file contains a JWT
|
|
# ("eyJ" prefix) or the live SDL hostname's tenant id.
|
|
# - Initialises a fresh git repo (does NOT reuse the parent workspace repo).
|
|
# - Force-pushes to the marcredhat/kql remote.
|
|
#
|
|
# Requirements: git, gh OR a configured SSH/HTTPS credential helper.
|
|
|
|
set -euo pipefail
|
|
|
|
REMOTE="https://github.com/marcredhat/kql.git"
|
|
HERE="$(cd "$(dirname "$0")" && pwd)"
|
|
cd "$HERE"
|
|
|
|
echo "=================================================================="
|
|
echo "Step 1/5 Verify .gitignore covers secrets"
|
|
echo "=================================================================="
|
|
test -f .gitignore
|
|
grep -qE '^config\.json$' .gitignore && echo " config.json is gitignored ✓"
|
|
grep -qE '^reports/' .gitignore && echo " reports/* gitignored ✓"
|
|
|
|
echo
|
|
echo "=================================================================="
|
|
echo "Step 2/5 Scan all candidate-tracked files for secrets"
|
|
echo "=================================================================="
|
|
|
|
# Build the list of files git WOULD track (init temp repo, add ., ls-files)
|
|
TMP_GIT=$(mktemp -d)
|
|
git --git-dir="$TMP_GIT" --work-tree="$HERE" init -q
|
|
git --git-dir="$TMP_GIT" --work-tree="$HERE" add -A
|
|
# Match a full JWT shape (3 base64url segments joined by '.', at least 64
|
|
# chars total) rather than just the 'eyJ' prefix so this very script (which
|
|
# documents the prefix in its grep) doesn't false-positive on itself.
|
|
LEAKED=$(git --git-dir="$TMP_GIT" --work-tree="$HERE" ls-files | \
|
|
xargs -I{} grep -lE 'eyJ[A-Za-z0-9_-]{20,}\.eyJ[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}' "{}" 2>/dev/null || true)
|
|
rm -rf "$TMP_GIT"
|
|
|
|
if [ -n "$LEAKED" ]; then
|
|
echo " ❌ JWT-like secret found in files that WOULD be committed:"
|
|
echo "$LEAKED" | sed 's/^/ /'
|
|
exit 1
|
|
fi
|
|
echo " No JWTs in any to-be-committed file ✓"
|
|
|
|
echo
|
|
echo "=================================================================="
|
|
echo "Step 3/5 Initialise fresh git repo inside $HERE"
|
|
echo "=================================================================="
|
|
rm -rf .git
|
|
git init -q -b main
|
|
git add -A
|
|
git -c user.email="marc@example.com" -c user.name="marc" \
|
|
commit -q -m "Initial commit: KQL ↔ SDL PowerQuery proof of equivalence"
|
|
|
|
echo " $(git log --oneline)"
|
|
echo " $(git ls-files | wc -l | tr -d ' ') files staged"
|
|
|
|
echo
|
|
echo "=================================================================="
|
|
echo "Step 4/5 Add remote $REMOTE"
|
|
echo "=================================================================="
|
|
git remote add origin "$REMOTE"
|
|
echo " remote: $(git remote -v | head -1)"
|
|
|
|
echo
|
|
echo "=================================================================="
|
|
echo "Step 5/5 Push (force) to origin main"
|
|
echo "=================================================================="
|
|
git push -u --force origin main
|
|
echo " ✓ Published to $REMOTE"
|