ci(smoke): harden SSH key handling for gitea/github phase6 workflow
@@ -77,8 +77,19 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
mkdir -p ~/.ssh
|
mkdir -p ~/.ssh
|
||||||
chmod 700 ~/.ssh
|
chmod 700 ~/.ssh
|
||||||
printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
|
key_path=~/.ssh/noda1_ci_key
|
||||||
chmod 600 ~/.ssh/id_ed25519
|
if printf '%s' "$SSH_PRIVATE_KEY" | grep -q 'BEGIN OPENSSH PRIVATE KEY'; then
|
||||||
|
printf '%s\n' "$SSH_PRIVATE_KEY" | tr -d '\r' > "$key_path"
|
||||||
|
else
|
||||||
|
# Support base64-encoded key payloads in secrets as a fallback.
|
||||||
|
printf '%s' "$SSH_PRIVATE_KEY" | tr -d '\r' | base64 --decode > "$key_path"
|
||||||
|
fi
|
||||||
|
chmod 600 "$key_path"
|
||||||
|
if ! ssh-keygen -y -f "$key_path" >/dev/null 2>&1; then
|
||||||
|
echo "Invalid SSH private key in NODA1_SSH_KEY" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
echo "SSH_KEY_PATH=$key_path" >> "$GITHUB_ENV"
|
||||||
|
|
||||||
- name: Run phase6 smoke (retry once)
|
- name: Run phase6 smoke (retry once)
|
||||||
shell: bash
|
shell: bash
|
||||||
@@ -89,8 +100,9 @@ jobs:
|
|||||||
for attempt in 1 2; do
|
for attempt in 1 2; do
|
||||||
log="artifacts/phase6-smoke-attempt${attempt}.log"
|
log="artifacts/phase6-smoke-attempt${attempt}.log"
|
||||||
if ssh \
|
if ssh \
|
||||||
-i ~/.ssh/id_ed25519 \
|
-i "${SSH_KEY_PATH}" \
|
||||||
-o BatchMode=yes \
|
-o BatchMode=yes \
|
||||||
|
-o IdentitiesOnly=yes \
|
||||||
-o StrictHostKeyChecking=accept-new \
|
-o StrictHostKeyChecking=accept-new \
|
||||||
-o ConnectTimeout=10 \
|
-o ConnectTimeout=10 \
|
||||||
"${SSH_USER}@${SSH_HOST}" \
|
"${SSH_USER}@${SSH_HOST}" \
|
||||||
|
|||||||
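--- a/.github/workflows/phase6-smoke.yml
+++ b/.github/workflows/phase6-smoke.yml
@@ -83,8 +83,19 @@ jobs:
 fi
 mkdir -p ~/.ssh
 chmod 700 ~/.ssh
-printf '%s\n' "${SSH_PRIVATE_KEY}" > ~/.ssh/id_ed25519
-chmod 600 ~/.ssh/id_ed25519
+key_path=~/.ssh/noda1_ci_key
+if printf '%s' "${SSH_PRIVATE_KEY}" | grep -q 'BEGIN OPENSSH PRIVATE KEY'; then
+printf '%s\n' "${SSH_PRIVATE_KEY}" | tr -d '\r' > "${key_path}"
+else
+# Support base64-encoded key payloads in secrets as a fallback.
+printf '%s' "${SSH_PRIVATE_KEY}" | tr -d '\r' | base64 --decode > "${key_path}"
+fi
+chmod 600 "${key_path}"
+if ! ssh-keygen -y -f "${key_path}" >/dev/null 2>&1; then
+echo "Invalid SSH private key in NODA1_SSH_KEY" >&2
+exit 1
+fi
+echo "SSH_KEY_PATH=${key_path}" >> "${GITHUB_ENV}"
 
 - name: Run phase6 smoke (retry once)
 shell: bash
@@ -95,8 +106,9 @@ jobs:
 for attempt in 1 2; do
 log="artifacts/phase6-smoke-attempt${attempt}.log"
 if ssh \
--i ~/.ssh/id_ed25519 \
+-i "${SSH_KEY_PATH}" \
 -o BatchMode=yes \
+-o IdentitiesOnly=yes \
 -o StrictHostKeyChecking=accept-new \
 -o ConnectTimeout=10 \
 "${SSH_USER}@${SSH_HOST}" \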
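Review bot: The key file written by the two `> "${key_path}"` redirections is created with the runner's default umask and only tightened by the later `chmod 600`, and nothing in this step removes it once the smoke run is over, so on a persistent self-hosted runner (the Gitea side of this workflow) the private key would remain in `~/.ssh` for the next job. Put `umask 077` before the `if` so the file is never created wider than 0600 (the 0700 directory limits exposure today, but the file mode should not depend on it), and unless a cleanup step exists later in the file — the `run:` block starts before this hunk and the rest of the job is not visible here — add a final `if: always()` step that runs `rm -f "${SSH_KEY_PATH}"`. The format check `grep -q 'BEGIN OPENSSH PRIVATE KEY'` also recognizes only the OpenSSH container, so a PEM key (`BEGIN RSA PRIVATE KEY` / `BEGIN EC PRIVATE KEY`) is pushed through `base64 --decode` and then rejected with the misleading "Invalid SSH private key" error; `grep -q -- '-----BEGIN .*PRIVATE KEY-----'` accepts both encodings before falling back to base64. Finally, `StrictHostKeyChecking=accept-new` on the unchanged line in the second hunk means an ephemeral runner trusts whichever host key it is offered first, so the hardening is incomplete until the expected host key is pinned into `known_hosts` (e.g. from a repository variable) and the option is changed to `yes`.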