Harden SSH setup in workflow

2026-01-20 13:09:51 -05:00 · 2026-01-20 13:09:51 -05:00 · 0e9db26d14
commit 0e9db26d14
parent f76123f4c3
1 changed files with 17 additions and 1 deletions
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@ -22,8 +22,24 @@ jobs:
          SERVICE_HOST: ${{ secrets.SERVICE_HOST }}
        run: |
          set -euo pipefail
+
+          if ! command -v ssh >/dev/null 2>&1; then
+            if command -v apk >/dev/null 2>&1; then
+              apk add --no-cache openssh-client
+            elif command -v apt-get >/dev/null 2>&1; then
+              apt-get update
+              apt-get install -y openssh-client
+            else
+              echo "ssh client not found and no known package manager available" >&2
+              exit 1
+            fi
+          fi
+
+          : "${SERVICE_HOST:?Missing secret SERVICE_HOST}"
+          : "${SERVICE_SSH_KEY:?Missing secret SERVICE_SSH_KEY}"
+
          mkdir -p ~/.ssh
-          printf '%s\n' "$SERVICE_SSH_KEY" > ~/.ssh/id_ed25519
+          printf '%s\n' "$SERVICE_SSH_KEY" | tr -d '\r' > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ssh-keyscan -H "$SERVICE_HOST" >> ~/.ssh/known_hosts