build.Dockerfile: do not specify a shell in the entrypoint
Signed-off-by: Filip Kobierski <fkobi@fsfe.org>
2025-12-15 10:37:50 +01:00


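#!/usr/bin/env bash
# Container entrypoint for the website build (run by the Dockerfile).
# Runs from the website source volume mounted at /website-source and reads
# optional secrets from /run/secrets/:
#   FSFE_WEBSITE_KEY_PRIVATE   - SSH private key, or the literal "none"
#   FSFE_WEBSITE_KEY_PASSWORD  - passphrase for that key
#   FSFE_WEBSITE_GIT_TOKEN     - git token exported to the build, or "none"
# Every argument given to this script is forwarded to the build command.
set -euo pipefail

# Load the SSH key into an agent when a real private key secret is present.
if [ -f /run/secrets/FSFE_WEBSITE_KEY_PRIVATE ] && [ "$(cat /run/secrets/FSFE_WEBSITE_KEY_PRIVATE)" != "none" ]; then
  # Start ssh-agent and import its environment (SSH_AUTH_SOCK, SSH_AGENT_PID)
  eval "$(ssh-agent)"
  # Create config file with required keys
  mkdir -p ~/.ssh
  echo "AddKeysToAgent yes" >~/.ssh/config
  # Tighten permissions to keep ssh-add happy
  chmod 400 /run/secrets/FSFE_WEBSITE_KEY_*
  PASSWORD="$(cat "/run/secrets/FSFE_WEBSITE_KEY_PASSWORD")"
  PRIVATE="$(cat "/run/secrets/FSFE_WEBSITE_KEY_PRIVATE")"
  # ssh-add fails when given the secret at its mounted path, but accepts a
  # copy of the file (or the key on stdin). Feeding stdin through the expect
  # wrapper is awkward, so a short-lived copy is written instead.
  # mktemp creates an unpredictable, owner-only file rather than a fixed name
  # under /tmp, and the EXIT trap removes it even when ssh-add fails and
  # set -e aborts the script before the explicit rm below.
  KEYFILE="$(mktemp)"
  trap 'rm -f -- "$KEYFILE"' EXIT
  printf '%s\n' "$PRIVATE" >"$KEYFILE"
  chmod 600 "$KEYFILE"
  # Use our wrapper expect script to handle interactive input.
  # NOTE(review): the passphrase travels as an argv element of the wrapper,
  # so it is readable from the process list while the wrapper runs.
  ./exp.exp "$PASSWORD" ssh-add "$KEYFILE"
  rm -f -- "$KEYFILE"
  echo "SSH Key Loaded"
else
  echo "Secret not defined!"
fi

# Export the git token to the build when a real token secret is present.
if [ -f /run/secrets/FSFE_WEBSITE_GIT_TOKEN ] && [ "$(cat /run/secrets/FSFE_WEBSITE_GIT_TOKEN)" != "none" ]; then
  FSFE_WEBSITE_GIT_TOKEN="$(cat "/run/secrets/FSFE_WEBSITE_GIT_TOKEN")"
  export FSFE_WEBSITE_GIT_TOKEN
fi

# Rsync files over, do not use the mtimes as they are wrong due to docker shenanigans
# Use the .gitignore as a filter to not remove any files generated by previous runs
rsync -rlpgoDz --delete --checksum --filter=':- .gitignore' ./ /website-cached/source
# Change to source repo
cd /website-cached/source
# Run the build script, expanding all args passed to this script
uv run --reinstall-package fsfe_website_build build "$@"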