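# Mirrors an allow-listed subset of this (private) repository to the public
# Flux-oss repository. The allow-list lives in .gitea/workflows/oss-keep.txt:
# one rsync pattern per line, '#' starts a comment, and a leading '!' turns
# the pattern into an exclusion.
name: Sync public mirror

on:
  push:
    branches: [main]  # change if your default branch is different

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - name: Install tools (rsync)
        run: |
          sudo apt-get update && sudo apt-get install -y rsync

      # NOTE(review): a tag such as v4 can be moved by the action's publisher;
      # pinning to a full commit SHA makes the checked-out action immutable.
      - name: Checkout private repo
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Prepare SSH
        env:
          SSH_KEY: ${{ secrets.PUBLIC_REPO_SSH_KEY }}
        run: |
          set -euo pipefail
          # Create the directory and key file owner-only from the start, so the
          # private key is never readable by others before chmod runs.
          umask 077
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          printf '%s\n' "$SSH_KEY" > ~/.ssh/id_sync
          chmod 600 ~/.ssh/id_sync
          printf 'Host 192.168.1.15\n HostName 192.168.1.15\n Port 22\n User git\n IdentityFile ~/.ssh/id_sync\n IdentitiesOnly yes\n' >> ~/.ssh/config
          # NOTE(review): ssh-keyscan accepts whatever host key is offered at
          # run time (trust on first use), so it does not authenticate the
          # server. Prefer writing a host key that was verified out of band
          # (for example stored as a repository secret) to known_hosts.
          ssh-keyscan -p 22 192.168.1.15 >> ~/.ssh/known_hosts

      - name: Clone public repo
        run: |
          git clone --depth 1 ssh://git@192.168.1.15:22/Bausager/Flux-oss.git /tmp/public

      - name: Sync files using .gitea/workflows/oss-keep.txt
        run: |
          set -euo pipefail
          KEEP_FILE=".gitea/workflows/oss-keep.txt"
          # Build the rule file outside the checkout so it can never match a
          # keep pattern and end up in the public mirror itself.
          INCLUDE_FILE="$(mktemp)"
          echo "Generating rsync include list from $KEEP_FILE"
          echo "## Generated from $KEEP_FILE" >> "$INCLUDE_FILE"
          echo "+ */" >> "$INCLUDE_FILE"   # allow directory traversal
          # rsync applies the FIRST matching rule, so a '!' exclusion only takes
          # effect when it appears in the keep file before any include pattern
          # that matches the same path.
          # '|| [ -n "$line" ]' also processes a final line that has no trailing
          # newline; without it a last-line '!' exclusion is silently dropped.
          while IFS= read -r line || [ -n "$line" ]; do
            line="${line%%#*}"   # strip comments
            # xargs trims surrounding whitespace; it also interprets quotes and
            # backslashes, and a line it cannot parse becomes empty and is
            # skipped, so keep patterns free of quotes and backslashes.
            line="$(echo "$line" | xargs || true)"
            [ -z "$line" ] && continue
            case "$line" in
              !*)
                pat="${line#!}"
                echo "- $pat" >> "$INCLUDE_FILE"
                ;;
              *)
                echo "+ $line" >> "$INCLUDE_FILE"
                ;;
            esac
          done < "$KEEP_FILE"
          echo "- *" >> "$INCLUDE_FILE"   # exclude everything else
          echo "Rsync include rules:"
          cat "$INCLUDE_FILE"
          # Sync only allowed files to the public repo. The explicit /.git/
          # exclusion comes first so that no keep pattern, however broad, can
          # copy the private repository's git metadata, and so that --delete
          # leaves the public clone's own .git directory untouched.
          rsync -a --delete --prune-empty-dirs \
            --exclude='/.git/' \
            --include-from="$INCLUDE_FILE" \
            ./ /tmp/public/
          cd /tmp/public
          git config user.name "Gitea CI"
          git config user.email "ci@bausager.org"
          git add -A
          if git diff --cached --quiet; then
            echo "No public-eligible changes to push."
          else
            echo "Pushing filtered subset to Flux-oss..."
            git commit -m "Sync public subset from Flux (private)"
            git push origin HEAD:main
          fi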