ci(smoke): harden SSH key handling for gitea/github phase6 workflow

2026-03-05 09:39:33 -08:00
parent 465669fc1d
commit 61573d97f5
2 changed files with 30 additions and 6 deletions
--- a/.github/workflows/phase6-smoke.yml
+++ b/.github/workflows/phase6-smoke.yml
@@ -83,8 +83,19 @@ jobs:
          fi
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
-          printf '%s\n' "${SSH_PRIVATE_KEY}" > ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          key_path=~/.ssh/noda1_ci_key
+          if printf '%s' "${SSH_PRIVATE_KEY}" | grep -q 'BEGIN OPENSSH PRIVATE KEY'; then
+            printf '%s\n' "${SSH_PRIVATE_KEY}" | tr -d '\r' > "${key_path}"
+          else
+            # Support base64-encoded key payloads in secrets as a fallback.
+            printf '%s' "${SSH_PRIVATE_KEY}" | tr -d '\r' | base64 --decode > "${key_path}"
+          fi
+          chmod 600 "${key_path}"
+          if ! ssh-keygen -y -f "${key_path}" >/dev/null 2>&1; then
+            echo "Invalid SSH private key in NODA1_SSH_KEY" >&2
+            exit 1
+          fi
+          echo "SSH_KEY_PATH=${key_path}" >> "${GITHUB_ENV}"

      - name: Run phase6 smoke (retry once)
        shell: bash
@@ -95,8 +106,9 @@ jobs:
          for attempt in 1 2; do
            log="artifacts/phase6-smoke-attempt${attempt}.log"
            if ssh \
-              -i ~/.ssh/id_ed25519 \
+              -i "${SSH_KEY_PATH}" \
              -o BatchMode=yes \
+              -o IdentitiesOnly=yes \
              -o StrictHostKeyChecking=accept-new \
              -o ConnectTimeout=10 \
              "${SSH_USER}@${SSH_HOST}" \