fix: support base64 SSH private keys in workflows
@@ -32,19 +32,35 @@ jobs:
|
|||||||
- name: Create SSH key
|
- name: Create SSH key
|
||||||
run: |
|
run: |
|
||||||
install -m 0700 -d ~/.ssh
|
install -m 0700 -d ~/.ssh
|
||||||
|
KEY_SOURCE=""
|
||||||
|
KEY_CONTENT=""
|
||||||
|
KEY_B64="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE_BASE64 }}")"
|
||||||
|
if [ -n "$KEY_B64" ]; then
|
||||||
|
KEY_SOURCE="SSH_KEY_PRIVATE_BASE64"
|
||||||
|
KEY_CONTENT="$(printf '%s' "$KEY_B64" | base64 -d)"
|
||||||
|
else
|
||||||
KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")"
|
KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")"
|
||||||
if [ -z "$KEY_CONTENT" ]; then
|
if [ -n "$KEY_CONTENT" ]; then
|
||||||
|
KEY_SOURCE="SSH_KEY_PRIVATE"
|
||||||
|
else
|
||||||
KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")"
|
KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")"
|
||||||
|
KEY_SOURCE="KUBEADM_SSH_PRIVATE_KEY"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$KEY_CONTENT" ]; then
|
if [ -z "$KEY_CONTENT" ]; then
|
||||||
echo "Missing SSH private key secret. Set KUBEADM_SSH_PRIVATE_KEY or SSH_KEY_PRIVATE."
|
echo "Missing SSH private key secret. Set SSH_KEY_PRIVATE_BASE64, SSH_KEY_PRIVATE, or KUBEADM_SSH_PRIVATE_KEY."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
KEY_CONTENT="$KEY_CONTENT" python3 -c 'import os, pathlib; key=os.environ.get("KEY_CONTENT", "").replace("\r", ""); key=key.replace("\\n", "\n") if "\\n" in key and "\n" not in key else key; pathlib.Path.home().joinpath(".ssh", "id_ed25519").write_text(key if key.endswith("\n") else key + "\n")'
|
KEY_CONTENT="$KEY_CONTENT" python3 -c 'import os, pathlib; key=os.environ.get("KEY_CONTENT", "").replace("\r", "").strip(); key=key[1:-1] if len(key) > 2 and ((key[0] == "\"" and key[-1] == "\"") or (key[0] == "\'" and key[-1] == "\'")) else key; key=key.replace("\\n", "\n") if "\\n" in key and "\n" not in key else key; pathlib.Path.home().joinpath(".ssh", "id_ed25519").write_text(key if key.endswith("\n") else key + "\n")'
|
||||||
chmod 0600 ~/.ssh/id_ed25519
|
chmod 0600 ~/.ssh/id_ed25519
|
||||||
|
|
||||||
|
if ! ssh-keygen -y -f ~/.ssh/id_ed25519 >/dev/null 2>&1; then
|
||||||
|
echo "Invalid private key content from $KEY_SOURCE"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
- name: Set up Terraform
|
- name: Set up Terraform
|
||||||
uses: hashicorp/setup-terraform@v2
|
uses: hashicorp/setup-terraform@v2
|
||||||
with:
|
with:
|
||||||
|
|||||||
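Review bot: The rewritten `python3 -c '…'` line puts `"\'"` inside a single-quoted shell argument, where a backslash does not escape an apostrophe, so as rendered here the shell would end the Python program at `(key[0] == "\` and leave the remaining double quotes unbalanced. If the file really contains that text, the step would stop on a shell syntax error before the key is written, rather than strip surrounding quotes. Spelling the apostrophe without a literal quote character keeps the argument intact, for example `(key[0] == "\x27" and key[-1] == "\x27")`; moving the program into a quoted heredoc would also work. The same line appears in the two later hunks (`@@ -32,19 +32,35 @@` and `@@ -75,19 +75,35 @@`).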
@@ -32,19 +32,35 @@ jobs:
|
|||||||
- name: Create SSH key
|
- name: Create SSH key
|
||||||
run: |
|
run: |
|
||||||
install -m 0700 -d ~/.ssh
|
install -m 0700 -d ~/.ssh
|
||||||
|
KEY_SOURCE=""
|
||||||
|
KEY_CONTENT=""
|
||||||
|
KEY_B64="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE_BASE64 }}")"
|
||||||
|
if [ -n "$KEY_B64" ]; then
|
||||||
|
KEY_SOURCE="SSH_KEY_PRIVATE_BASE64"
|
||||||
|
KEY_CONTENT="$(printf '%s' "$KEY_B64" | base64 -d)"
|
||||||
|
else
|
||||||
KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")"
|
KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")"
|
||||||
if [ -z "$KEY_CONTENT" ]; then
|
if [ -n "$KEY_CONTENT" ]; then
|
||||||
|
KEY_SOURCE="SSH_KEY_PRIVATE"
|
||||||
|
else
|
||||||
KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")"
|
KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")"
|
||||||
|
KEY_SOURCE="KUBEADM_SSH_PRIVATE_KEY"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$KEY_CONTENT" ]; then
|
if [ -z "$KEY_CONTENT" ]; then
|
||||||
echo "Missing SSH private key secret. Set KUBEADM_SSH_PRIVATE_KEY or SSH_KEY_PRIVATE."
|
echo "Missing SSH private key secret. Set SSH_KEY_PRIVATE_BASE64, SSH_KEY_PRIVATE, or KUBEADM_SSH_PRIVATE_KEY."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
KEY_CONTENT="$KEY_CONTENT" python3 -c 'import os, pathlib; key=os.environ.get("KEY_CONTENT", "").replace("\r", ""); key=key.replace("\\n", "\n") if "\\n" in key and "\n" not in key else key; pathlib.Path.home().joinpath(".ssh", "id_ed25519").write_text(key if key.endswith("\n") else key + "\n")'
|
KEY_CONTENT="$KEY_CONTENT" python3 -c 'import os, pathlib; key=os.environ.get("KEY_CONTENT", "").replace("\r", "").strip(); key=key[1:-1] if len(key) > 2 and ((key[0] == "\"" and key[-1] == "\"") or (key[0] == "\'" and key[-1] == "\'")) else key; key=key.replace("\\n", "\n") if "\\n" in key and "\n" not in key else key; pathlib.Path.home().joinpath(".ssh", "id_ed25519").write_text(key if key.endswith("\n") else key + "\n")'
|
||||||
chmod 0600 ~/.ssh/id_ed25519
|
chmod 0600 ~/.ssh/id_ed25519
|
||||||
|
|
||||||
|
if ! ssh-keygen -y -f ~/.ssh/id_ed25519 >/dev/null 2>&1; then
|
||||||
|
echo "Invalid private key content from $KEY_SOURCE"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
- name: Set up Terraform
|
- name: Set up Terraform
|
||||||
uses: hashicorp/setup-terraform@v2
|
uses: hashicorp/setup-terraform@v2
|
||||||
with:
|
with:
|
||||||
|
|||||||
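Review bot: `KEY_B64="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE_BASE64 }}")"` has the runner paste the secret into the script text before the shell parses it, so the value is subject to shell quoting and expansion and ends up in the generated script. Passing it through the step's `env:` map keeps it as data: add `SSH_KEY_PRIVATE_BASE64: ${{ secrets.SSH_KEY_PRIVATE_BASE64 }}` under `env:` and read it with `KEY_B64="$SSH_KEY_PRIVATE_BASE64"`. The existing `secrets.SSH_KEY_PRIVATE` and `secrets.KUBEADM_SSH_PRIVATE_KEY` reads in this step, and the same step in the other two hunks, would benefit from the same treatment. Separately, nothing in the script reports a `base64 -d` failure by name, so a malformed `SSH_KEY_PRIVATE_BASE64` would presumably surface only as a generic abort or as the later "Missing"/"Invalid" message.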
@@ -75,19 +75,35 @@ jobs:
|
|||||||
- name: Create SSH key
|
- name: Create SSH key
|
||||||
run: |
|
run: |
|
||||||
install -m 0700 -d ~/.ssh
|
install -m 0700 -d ~/.ssh
|
||||||
|
KEY_SOURCE=""
|
||||||
|
KEY_CONTENT=""
|
||||||
|
KEY_B64="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE_BASE64 }}")"
|
||||||
|
if [ -n "$KEY_B64" ]; then
|
||||||
|
KEY_SOURCE="SSH_KEY_PRIVATE_BASE64"
|
||||||
|
KEY_CONTENT="$(printf '%s' "$KEY_B64" | base64 -d)"
|
||||||
|
else
|
||||||
KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")"
|
KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")"
|
||||||
if [ -z "$KEY_CONTENT" ]; then
|
if [ -n "$KEY_CONTENT" ]; then
|
||||||
|
KEY_SOURCE="SSH_KEY_PRIVATE"
|
||||||
|
else
|
||||||
KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")"
|
KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")"
|
||||||
|
KEY_SOURCE="KUBEADM_SSH_PRIVATE_KEY"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$KEY_CONTENT" ]; then
|
if [ -z "$KEY_CONTENT" ]; then
|
||||||
echo "Missing SSH private key secret. Set KUBEADM_SSH_PRIVATE_KEY or SSH_KEY_PRIVATE."
|
echo "Missing SSH private key secret. Set SSH_KEY_PRIVATE_BASE64, SSH_KEY_PRIVATE, or KUBEADM_SSH_PRIVATE_KEY."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
KEY_CONTENT="$KEY_CONTENT" python3 -c 'import os, pathlib; key=os.environ.get("KEY_CONTENT", "").replace("\r", ""); key=key.replace("\\n", "\n") if "\\n" in key and "\n" not in key else key; pathlib.Path.home().joinpath(".ssh", "id_ed25519").write_text(key if key.endswith("\n") else key + "\n")'
|
KEY_CONTENT="$KEY_CONTENT" python3 -c 'import os, pathlib; key=os.environ.get("KEY_CONTENT", "").replace("\r", "").strip(); key=key[1:-1] if len(key) > 2 and ((key[0] == "\"" and key[-1] == "\"") or (key[0] == "\'" and key[-1] == "\'")) else key; key=key.replace("\\n", "\n") if "\\n" in key and "\n" not in key else key; pathlib.Path.home().joinpath(".ssh", "id_ed25519").write_text(key if key.endswith("\n") else key + "\n")'
|
||||||
chmod 0600 ~/.ssh/id_ed25519
|
chmod 0600 ~/.ssh/id_ed25519
|
||||||
|
|
||||||
|
if ! ssh-keygen -y -f ~/.ssh/id_ed25519 >/dev/null 2>&1; then
|
||||||
|
echo "Invalid private key content from $KEY_SOURCE"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
- name: Verify SSH keypair match
|
- name: Verify SSH keypair match
|
||||||
run: |
|
run: |
|
||||||
if ! ssh-keygen -y -f ~/.ssh/id_ed25519 >/tmp/key.pub 2>/tmp/key.err; then
|
if ! ssh-keygen -y -f ~/.ssh/id_ed25519 >/tmp/key.pub 2>/tmp/key.err; then
|
||||||
|
|||||||
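Review bot: The added `ssh-keygen -y -f ~/.ssh/id_ed25519 >/dev/null 2>&1` check discards the reason the key was rejected and, on failure, exits with the unusable key file still in `~/.ssh`. In this hunk the following `Verify SSH keypair match` step already runs the same command with stderr kept in `/tmp/key.err`, so the two checks overlap; that step's body continues outside the hunk, so how it reports the error is not visible here. Consider keeping stderr and cleaning up before exiting, e.g. `rm -f ~/.ssh/id_ed25519` ahead of `exit 1`, which matters most on a runner that persists between jobs.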