@@ -29,6 +29,8 @@ jobs:
|
||||
KEEP_N: "5"
|
||||
HEALTH_URL: https://stellaamor.com/
|
||||
SERVICE_RELOAD: "systemctl reload apache2 || true"
|
||||
SSH_KEY_PATH: /home/gitea-runner/.ssh/id_ed25519
|
||||
|
||||
|
||||
steps:
|
||||
- name: Checkout (pure git)
|
||||
@@ -38,39 +40,6 @@ jobs:
|
||||
git fetch --depth=1 origin "$GITHUB_SHA"
|
||||
git checkout -q "$GITHUB_SHA"
|
||||
|
||||
- name: Prepare isolated SSH dir
|
||||
run: |
|
||||
set -e
|
||||
SSH_DIR="$(mktemp -d)"
|
||||
echo "SSH_DIR=$SSH_DIR" >> $GITHUB_ENV
|
||||
echo "SSH_KEY_PATH=$SSH_DIR/key" >> $GITHUB_ENV
|
||||
install -m 700 -d "$SSH_DIR"
|
||||
|
||||
- name: Write SSH key
|
||||
env:
|
||||
SSH_KEY_STELLAAMOR: ${{ secrets.SSH_KEY_STELLAAMOR }}
|
||||
run: |
|
||||
set -e
|
||||
umask 177
|
||||
printf '%s' "$SSH_KEY_STELLAAMOR" > "$SSH_KEY_PATH"
|
||||
chmod 600 "$SSH_KEY_PATH"
|
||||
|
||||
- name: Validate private key & show fingerprint
|
||||
run: |
|
||||
set -euo pipefail
|
||||
ls -l ~/.ssh
|
||||
# Check permissions
|
||||
test -f ~/.ssh/deploy_stellaamor && chmod 600 ~/.ssh/deploy_stellaamor
|
||||
# Fail if the key is passphrase-protected (ssh-keygen -y would prompt/fail)
|
||||
if ! PUB=$(ssh-keygen -y -f ~/.ssh/deploy_stellaamor 2>/dev/null); then
|
||||
echo "❌ The private key appears to be passphrase-protected or invalid."
|
||||
exit 1
|
||||
fi
|
||||
echo "$PUB" > ~/.ssh/deploy_stellaamor.pub
|
||||
ssh-keygen -lf ~/.ssh/deploy_stellaamor.pub
|
||||
|
||||
|
||||
|
||||
- name: SSH smoke test
|
||||
run: ssh $SSH_OPTS -i "$SSH_KEY_PATH" ${SSH_USER}@${SSH_HOST} true
|
||||
|
||||
|
||||
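Review bot: The job-level `SSH_KEY_PATH: /home/gitea-runner/.ssh/id_ed25519` appears to replace the three steps that wrote `secrets.SSH_KEY_STELLAAMOR` into a `mktemp -d` directory (inferred from the hunk counts, since the +/- markers are lost), which makes the deploy key a long-lived file in the runner account's home. Any workflow scheduled on that runner under the same user could then read or use the key, whereas the secret was scoped to this repository. If that trade-off is intended, record it next to the variable, e.g. `# host-resident deploy key, shared by every job on this runner; must be restricted in authorized_keys on the target`. The key validation step is not replaced either, so a `test -r "$SSH_KEY_PATH"` before the `ssh` call in "SSH smoke test" would give a clearer failure than an ssh error. `SSH_OPTS` is defined outside the visible lines, so confirm that it keeps host-key checking enabled and sets `IdentitiesOnly=yes`, since the runner's `~/.ssh` may now hold other identities.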