From 61573d97f5c1c216db95eb7654ca2806832542ed Mon Sep 17 00:00:00 2001
From: Apple
Date: Thu, 5 Mar 2026 09:39:33 -0800
Subject: [PATCH] ci(smoke): harden SSH key handling for gitea/github phase6 workflow
---
 .gitea/workflows/phase6-smoke.yml | 18 +++++++++++++++---
 .github/workflows/phase6-smoke.yml | 18 +++++++++++++++---
 2 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/.gitea/workflows/phase6-smoke.yml b/.gitea/workflows/phase6-smoke.yml
index 316d98c2..77ae1c11 100644
--- a/.gitea/workflows/phase6-smoke.yml
+++ b/.gitea/workflows/phase6-smoke.yml
@@ -77,8 +77,19 @@ jobs:
 fi
 mkdir -p ~/.ssh
 chmod 700 ~/.ssh
- printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
- chmod 600 ~/.ssh/id_ed25519
+ key_path=~/.ssh/noda1_ci_key
+ if printf '%s' "$SSH_PRIVATE_KEY" | grep -q 'BEGIN OPENSSH PRIVATE KEY'; then
+ printf '%s\n' "$SSH_PRIVATE_KEY" | tr -d '\r' > "$key_path"
+ else
+ # Support base64-encoded key payloads in secrets as a fallback.
+ printf '%s' "$SSH_PRIVATE_KEY" | tr -d '\r' | base64 --decode > "$key_path"
+ fi
+ chmod 600 "$key_path"
+ if ! ssh-keygen -y -f "$key_path" >/dev/null 2>&1; then
+ echo "Invalid SSH private key in NODA1_SSH_KEY" >&2
+ exit 1
+ fi
+ echo "SSH_KEY_PATH=$key_path" >> "$GITHUB_ENV"
 
 - name: Run phase6 smoke (retry once)
 shell: bash
@@ -89,8 +100,9 @@ jobs:
 for attempt in 1 2; do
 log="artifacts/phase6-smoke-attempt${attempt}.log"
 if ssh \
- -i ~/.ssh/id_ed25519 \
+ -i "${SSH_KEY_PATH}" \
 -o BatchMode=yes \
+ -o IdentitiesOnly=yes \
 -o StrictHostKeyChecking=accept-new \
 -o ConnectTimeout=10 \
 "${SSH_USER}@${SSH_HOST}" \
diff --git a/.github/workflows/phase6-smoke.yml b/.github/workflows/phase6-smoke.yml
index 067d8d56..178db9a2 100644
--- a/.github/workflows/phase6-smoke.yml
+++ b/.github/workflows/phase6-smoke.yml
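Review bot: The key file is created by the redirect on the two `printf ... > "$key_path"` lines under the runner's default umask and only afterwards tightened by `chmod 600 "$key_path"`, so the secret briefly exists with whatever mode the umask gives; create it restricted first with `install -m 600 /dev/null "$key_path"` before either write, or wrap the write in `(umask 077; ...)`. The branch test only recognises OpenSSH-format keys, so a PEM-encoded key (`BEGIN RSA PRIVATE KEY`, `BEGIN PRIVATE KEY`) falls into the base64 branch, where a failed `base64 --decode` is not checked and, under the `pipefail` that `shell: bash` enables on these runners, aborts the step before the `Invalid SSH private key` message is ever reached. `ssh-keygen -y ... >/dev/null 2>&1` discards the diagnostic that would explain the failure, and a passphrase-protected key fails on a passphrase read rather than with a clear reason; `ssh-keygen -y -P '' -f "$key_path" >/dev/null` with stderr kept pins the no-passphrase requirement that BatchMode already implies. Nothing removes `$key_path` after the job, which matters on a reused self-hosted runner; a final `if: always()` step running `rm -f -- "$SSH_KEY_PATH"` closes that. The same applies to the matching hunk in .github/workflows/phase6-smoke.yml, and the step's `run:` block starts above this hunk.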
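Review bot: `-i "${SSH_KEY_PATH}"` now depends on the value the previous step appended to `$GITHUB_ENV`; if that step is skipped by the `if` that ends just above the first hunk, or the export does not take effect on the runner, ssh is invoked with `-i ""` and fails in a way that reads like a connection error rather than a missing key, so `-i "${SSH_KEY_PATH:?SSH_KEY_PATH not set}"` fails fast with the cause. With `IdentitiesOnly=yes` the client side is now pinned, but the unchanged `StrictHostKeyChecking=accept-new` still trusts whichever host key answers first, which on an ephemeral runner is every run; supplying the server's public key through a known_hosts file (`-o UserKnownHostsFile=...` populated from a variable) would complete the hardening. The same applies to the matching hunk in .github/workflows/phase6-smoke.yml, and the ssh invocation continues outside the hunk.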
@@ -83,8 +83,19 @@ jobs:
 fi
 mkdir -p ~/.ssh
 chmod 700 ~/.ssh
- printf '%s\n' "${SSH_PRIVATE_KEY}" > ~/.ssh/id_ed25519
- chmod 600 ~/.ssh/id_ed25519
+ key_path=~/.ssh/noda1_ci_key
+ if printf '%s' "${SSH_PRIVATE_KEY}" | grep -q 'BEGIN OPENSSH PRIVATE KEY'; then
+ printf '%s\n' "${SSH_PRIVATE_KEY}" | tr -d '\r' > "${key_path}"
+ else
+ # Support base64-encoded key payloads in secrets as a fallback.
+ printf '%s' "${SSH_PRIVATE_KEY}" | tr -d '\r' | base64 --decode > "${key_path}"
+ fi
+ chmod 600 "${key_path}"
+ if ! ssh-keygen -y -f "${key_path}" >/dev/null 2>&1; then
+ echo "Invalid SSH private key in NODA1_SSH_KEY" >&2
+ exit 1
+ fi
+ echo "SSH_KEY_PATH=${key_path}" >> "${GITHUB_ENV}"
 
 - name: Run phase6 smoke (retry once)
 shell: bash
@@ -95,8 +106,9 @@ jobs:
 for attempt in 1 2; do
 log="artifacts/phase6-smoke-attempt${attempt}.log"
 if ssh \
- -i ~/.ssh/id_ed25519 \
+ -i "${SSH_KEY_PATH}" \
 -o BatchMode=yes \
+ -o IdentitiesOnly=yes \
 -o StrictHostKeyChecking=accept-new \
 -o ConnectTimeout=10 \
 "${SSH_USER}@${SSH_HOST}" \