Spacebear Blog

Mirror Gitea Repos to Github via GitHook

Published: November 30, 2018

Mirroring Gitea to GitHub requires the use of githooks. Githooks allow scripted actions to take place when specific triggers happen, such as someone pushing to a git repository. In Gitea, an admin has to provide permissions to a user to be able to use githooks, as there are potential security risks associated with them. The security risk is that it will allow the trusted user to run any code they want on the server, so be careful when you give someone githook access.

The approach I’m going to describe is fragile, so it may break if you force push to Gitea, or make commits to GitHub directly. This means that if you want to accept contributions you’ll need to open up your Gitea instance to others for them to make pull requests there.

To set things up, I recommend making a secondary user on GitHub (or the other git service that will be mirrored to), as you’ll need to hardcode a password in the githook and if you put your main GitHub password it may be comprimised (by another Gitea admin, or someone with SSH access to the server that Gitea is running on). Next, for additional security steps instead of hardcoding your GitHub password in the githook, you can create a personal access token (GitLab, and Bitbucket also allow the creating of personal access tokens. Bitbucket calls them app tokens). Next, you’ll need to create an empty repository on GitHub so that Gitea will have a place to put the content.

Now to create the githook. In your repository on Gitea under settings you’ll see a tab for “Git Hooks”, and if you go to that you’ll see three githooks available, as we want to mirror the content after each push, you’ll need to go into the “post-recieve” hook to edit. Some more information you’ll need is the HTTPS clone path of the GitHub repository so Gitea will know where to mirror to. The next step is to add authentication information to the clone URL so that Gitea can push content to GitHub without manual intervention. To do this, combine the GitHub username (potentially a secondary account with access to the repository as described above), and its access token with a :, then add it to the clone URL after the https:// and add an @ after so git knows how to authenticate to GitHub.

So the full githook will look something like:

#!/bin/bash
export GIT_SSH_COMMAND="ssh -oStrictHostKeyChecking=no"
git push --mirror https://GITHUBMIRRORUSER:ACCESSTOKEN@github.com/username/repo.git

If you don’t want to use a personal access token, but instead use an SSH key the script would look something like the following:

#!/bin/bash
echo "PRIVKEY" > /tmp/gitea_id_rsa
chmod 600 /tmp/gitea_id_rsa
export GIT_SSH_COMMAND="ssh -oStrictHostKeyChecking=no -i /tmp/gitea_id_rsa"
git push --mirror git@github.com:username/repo.git
echo "" > /tmp/gitea_id_rsa

For the sake of security you may want to create a secondary user on GitHub that only has access to the repos it is mirroring.

Finally, start commiting to your repository on Gitea, and watch those commits be mirrored to GitHub.