From 2d9d6cdcd581702af279382f8648d1001a1ef3ec Mon Sep 17 00:00:00 2001 From: MichaelFisher1997 Date: Sat, 28 Feb 2026 17:57:58 +0000 Subject: [PATCH] fix: normalize escaped SSH private key secrets --- .gitea/workflows/kubeadm-bootstrap.yml | 2 +- .gitea/workflows/kubeadm-reset.yml | 2 +- .gitea/workflows/terraform-apply.yml | 19 ++++++++++++++++--- 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/.gitea/workflows/kubeadm-bootstrap.yml b/.gitea/workflows/kubeadm-bootstrap.yml index bd44515..55ed3c3 100644 --- a/.gitea/workflows/kubeadm-bootstrap.yml +++ b/.gitea/workflows/kubeadm-bootstrap.yml @@ -42,7 +42,7 @@ jobs: exit 1 fi - printf '%s\n' "$KEY_CONTENT" | tr -d '\r' > ~/.ssh/id_ed25519 + KEY_CONTENT="$KEY_CONTENT" python3 -c 'import os, pathlib; key=os.environ.get("KEY_CONTENT", "").replace("\r", ""); key=key.replace("\\n", "\n") if "\\n" in key and "\n" not in key else key; pathlib.Path.home().joinpath(".ssh", "id_ed25519").write_text(key if key.endswith("\n") else key + "\n")' chmod 0600 ~/.ssh/id_ed25519 - name: Set up Terraform diff --git a/.gitea/workflows/kubeadm-reset.yml b/.gitea/workflows/kubeadm-reset.yml index 61676f5..d11d369 100644 --- a/.gitea/workflows/kubeadm-reset.yml +++ b/.gitea/workflows/kubeadm-reset.yml @@ -42,7 +42,7 @@ jobs: exit 1 fi - printf '%s\n' "$KEY_CONTENT" | tr -d '\r' > ~/.ssh/id_ed25519 + KEY_CONTENT="$KEY_CONTENT" python3 -c 'import os, pathlib; key=os.environ.get("KEY_CONTENT", "").replace("\r", ""); key=key.replace("\\n", "\n") if "\\n" in key and "\n" not in key else key; pathlib.Path.home().joinpath(".ssh", "id_ed25519").write_text(key if key.endswith("\n") else key + "\n")' chmod 0600 ~/.ssh/id_ed25519 - name: Set up Terraform diff --git a/.gitea/workflows/terraform-apply.yml b/.gitea/workflows/terraform-apply.yml index 081f761..b396e3b 100644 --- a/.gitea/workflows/terraform-apply.yml +++ b/.gitea/workflows/terraform-apply.yml @@ -85,13 +85,26 @@ jobs: exit 1 fi - printf '%s\n' "$KEY_CONTENT" | tr -d '\r' > ~/.ssh/id_ed25519 + KEY_CONTENT="$KEY_CONTENT" python3 -c 'import os, pathlib; key=os.environ.get("KEY_CONTENT", "").replace("\r", ""); key=key.replace("\\n", "\n") if "\\n" in key and "\n" not in key else key; pathlib.Path.home().joinpath(".ssh", "id_ed25519").write_text(key if key.endswith("\n") else key + "\n")' chmod 0600 ~/.ssh/id_ed25519 - name: Verify SSH keypair match run: | - PRIV_FP="$(ssh-keygen -y -f ~/.ssh/id_ed25519 | ssh-keygen -lf - | awk '{print $2}')" - PUB_FP="$(printf '%s\n' "${{ secrets.SSH_KEY_PUBLIC }}" | tr -d '\r' | ssh-keygen -lf - | awk '{print $2}')" + if ! ssh-keygen -y -f ~/.ssh/id_ed25519 >/tmp/key.pub 2>/tmp/key.err; then + echo "Invalid private key content in SSH_KEY_PRIVATE/KUBEADM_SSH_PRIVATE_KEY" + cat /tmp/key.err + exit 1 + fi + + printf '%s\n' "${{ secrets.SSH_KEY_PUBLIC }}" | tr -d '\r' > /tmp/secret.pub + if ! ssh-keygen -lf /tmp/secret.pub >/tmp/secret.fp 2>/tmp/secret.err; then + echo "Invalid SSH_KEY_PUBLIC format" + cat /tmp/secret.err + exit 1 + fi + + PRIV_FP="$(ssh-keygen -lf /tmp/key.pub | awk '{print $2}')" + PUB_FP="$(awk '{print $2}' /tmp/secret.fp)" echo "private fingerprint: $PRIV_FP" echo "public fingerprint: $PUB_FP"