From 0e9db26d14cee96763efe75f175e14a51f02efbc Mon Sep 17 00:00:00 2001
From: Jeremie Fraeys
Date: Tue, 20 Jan 2026 13:09:51 -0500
Subject: [PATCH] Harden SSH setup in workflow
---
.forgejo/workflows/deploy.yml | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml
index 70e3eac..8254053 100644
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@@ -22,8 +22,24 @@ jobs:
 SERVICE_HOST: ${{ secrets.SERVICE_HOST }}
 run: |
 set -euo pipefail
+
+ if ! command -v ssh >/dev/null 2>&1; then
+ if command -v apk >/dev/null 2>&1; then
+ apk add --no-cache openssh-client
+ elif command -v apt-get >/dev/null 2>&1; then
+ apt-get update
+ apt-get install -y openssh-client
+ else
+ echo "ssh client not found and no known package manager available" >&2
+ exit 1
+ fi
+ fi
+
+ : "${SERVICE_HOST:?Missing secret SERVICE_HOST}"
+ : "${SERVICE_SSH_KEY:?Missing secret SERVICE_SSH_KEY}"
+
 mkdir -p ~/.ssh
- printf '%s\n' "$SERVICE_SSH_KEY" > ~/.ssh/id_ed25519
+ printf '%s\n' "$SERVICE_SSH_KEY" | tr -d '\r' > ~/.ssh/id_ed25519
 chmod 600 ~/.ssh/id_ed25519
 ssh-keyscan -H "$SERVICE_HOST" >> ~/.ssh/known_hosts
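Review bot: The host key is still accepted blind — `ssh-keyscan -H "$SERVICE_HOST" >> ~/.ssh/known_hosts` at the end of the hunk records whatever key the network answers with at deploy time, so an on-path attacker who can respond for SERVICE_HOST is handed a session authenticated with the deploy key, which is the main gap this hardening leaves open. If the server's public host key can be provisioned as a workflow secret, replace the keyscan with `printf '%s\n' "$SERVICE_HOST_KEY" | tr -d '\r' >> ~/.ssh/known_hosts` and add `: "${SERVICE_HOST_KEY:?Missing secret SERVICE_HOST_KEY}"` next to the two existing presence checks, so a deploy to an impostor host fails instead of proceeding. Separately, the new `printf '%s\n' "$SERVICE_SSH_KEY" | tr -d '\r' > ~/.ssh/id_ed25519` creates the key file under the runner's default umask before the following `chmod 600` runs; putting `umask 077` just before `mkdir -p ~/.ssh` closes that window and also gives the directory the usual 0700 without a separate chmod. The `run:` script continues past the end of the hunk, so the ssh invocation that consumes these files is not visible here.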