From 89e53d9ec90f9189ed1cd82b4eef2d05524e35a7 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997 <contact@michaelfisher.tech>
Date: Tue, 31 Mar 2026 01:43:04 +0000
Subject: [PATCH] fix: Handle restricted B2 keys and safe JSON parsing in
 restore step

---
 .gitea/workflows/deploy.yml | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 27731f7..7a70d60 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -335,20 +335,34 @@ jobs:
           B2_ACCOUNT_ID: ${{ secrets.B2_ACCOUNT_ID }}
           B2_APPLICATION_KEY: ${{ secrets.B2_APPLICATION_KEY }}
         run: |
-          set -euo pipefail
           echo "Finding latest backup in B2..."
 
           CREDS=$(echo -n "${B2_ACCOUNT_ID}:${B2_APPLICATION_KEY}" | base64)
           AUTH_RESP=$(curl -sS -H "Authorization: Basic ${CREDS}" https://api.backblazeb2.com/b2api/v2/b2_authorize_account)
           API_URL=$(echo "$AUTH_RESP" | python3 -c "import json,sys; print(json.load(sys.stdin)['apiUrl'])")
           AUTH_TOKEN=$(echo "$AUTH_RESP" | python3 -c "import json,sys; print(json.load(sys.stdin)['authorizationToken'])")
-          BUCKET_ID=$(echo "$AUTH_RESP" | python3 -c "import json,sys; print(json.load(sys.stdin)['allowed']['bucketId'])")
+          BUCKET_ID=$(echo "$AUTH_RESP" | python3 -c "
+          import json,sys
+          resp = json.load(sys.stdin)
+          bid = resp.get('allowed', {}).get('bucketId')
+          if bid:
+            print(bid)
+          else:
+            print('')
+          ")
+
+          if [ -z "$BUCKET_ID" ]; then
+            echo "Restricted B2 key - resolving bucket ID by name..."
+            BUCKET_ID=$(curl -sS -H "Authorization: Bearer ${AUTH_TOKEN}" \
+              "${API_URL}/b2api/v2/b2_list_buckets?accountId=${B2_ACCOUNT_ID}&bucketName=HetznerTerra" \
+              | python3 -c "import json,sys; buckets=json.load(sys.stdin).get('buckets',[]); print(buckets[0]['bucketId'] if buckets else '')")
+          fi
 
           LATEST=$(curl -sS -H "Authorization: Bearer ${AUTH_TOKEN}" \
             "${API_URL}/b2api/v2/b2_list_file_names?bucketId=${BUCKET_ID}&prefix=rancher-backups/&maxFileCount=100" \
             | python3 -c "
           import json,sys
-          files = json.load(sys.stdin)['files']
+          files = json.load(sys.stdin).get('files', [])
           tars = [f['fileName'] for f in files if f['fileName'].endswith('.tar.gz')]
           if not tars:
             print('NONE')