From 0999303cd32a52be7ddc9531d4e174bb08751fa1 Mon Sep 17 00:00:00 2001
From: Hein
Date: Wed, 8 Apr 2026 17:02:10 +0200
Subject: [PATCH] chore(aur): enhance AUR SSH setup for key handling

* Improve SSH key handling with support for raw, escaped, and base64-encoded keys
* Add validation for AUR_SSH_KEY to ensure it's a valid private key
* Update SSH command options for better security and reliability
---
 .gitea/workflows/release.yml | 42 +++++++++++++++++++++++++-----------
 1 file changed, 30 insertions(+), 12 deletions(-)

diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index efd9255..b0e63be 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -102,28 +102,45 @@ jobs:
 env:
 AUR_SSH_KEY: ${{ secrets.AUR_SSH_KEY }}
 run: |
+ set -euo pipefail
+
 VERSION="${{ github.event.inputs.tag || github.ref_name }}"
 PKGVER="${VERSION#v}"
+ AUR_KEY_PATH="$HOME/.ssh/aur"
+ AUR_KNOWN_HOSTS="$HOME/.ssh/known_hosts"
 # Setup SSH for AUR
 mkdir -p ~/.ssh
 chmod 700 ~/.ssh
- # Auto-detect: raw PEM key or base64-encoded key
- if printf '%s' "$AUR_SSH_KEY" | grep -q "BEGIN"; then
- printf '%b' "$AUR_SSH_KEY" > ~/.ssh/aur
- else
- printf '%s' "$AUR_SSH_KEY" | tr -d '[:space:]' | base64 -d > ~/.ssh/aur
+ if [ -z "${AUR_SSH_KEY:-}" ]; then
+ echo "AUR_SSH_KEY is empty"
+ exit 1
 fi
- chmod 600 ~/.ssh/aur
- # Diagnostics (no key content exposed)
-
- ssh-keygen -l -f ~/.ssh/aur && echo "Key is valid" || echo "Key is INVALID"
- ssh-keyscan aur.archlinux.org >> ~/.ssh/known_hosts
+ # Support raw multiline keys, escaped \\n secrets, or base64-encoded keys.
+ CLEAN_AUR_SSH_KEY="$(printf '%s' "$AUR_SSH_KEY" | tr -d '\r')"
+ if printf '%s' "$CLEAN_AUR_SSH_KEY" | grep -q "^-----BEGIN .*PRIVATE KEY-----$"; then
+ printf '%s\n' "$CLEAN_AUR_SSH_KEY" > "$AUR_KEY_PATH"
+ elif printf '%s' "$CLEAN_AUR_SSH_KEY" | grep -q '\\n'; then
+ printf '%b\n' "$CLEAN_AUR_SSH_KEY" > "$AUR_KEY_PATH"
+ else
+ printf '%s' "$CLEAN_AUR_SSH_KEY" | tr -d '[:space:]' | base64 --decode > "$AUR_KEY_PATH"
+ fi
+ chmod 600 "$AUR_KEY_PATH"
+
+ if ! ssh-keygen -y -f "$AUR_KEY_PATH" >/dev/null 2>&1; then
+ echo "AUR_SSH_KEY is not a valid private key."
+ echo "Store it as a raw private key, an escaped private key with \\n, or a base64-encoded private key."
+ exit 1
+ fi
+
+ ssh-keyscan -t rsa,ed25519 aur.archlinux.org >> "$AUR_KNOWN_HOSTS"
+ chmod 644 "$AUR_KNOWN_HOSTS"
 # Clone AUR repo
- GIT_SSH_COMMAND="ssh -vvv -i ~/.ssh/aur" git clone ssh://aur@aur.archlinux.org/unitdore.git aur-repo
+ GIT_SSH_COMMAND="ssh -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$AUR_KNOWN_HOSTS -i $AUR_KEY_PATH" \
+ git clone ssh://aur@aur.archlinux.org/unitdore.git aur-repo
 # Compute SHA256 of the release tarball (same URL the PKGBUILD will download)
 SHA=$(curl -fsSL "https://git.warky.dev/wdevs/unitdore/archive/v${PKGVER}.zip" | sha256sum | cut -d' ' -f1)
@@ -152,7 +169,8 @@ jobs:
 git config user.name "Hein"
 git add PKGBUILD .SRCINFO
 git commit -m "Update to v${PKGVER}"
- GIT_SSH_COMMAND="ssh -vvv -i ~/.ssh/aur" git push origin HEAD:master
+ GIT_SSH_COMMAND="ssh -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$AUR_KNOWN_HOSTS -i $AUR_KEY_PATH" \
+ git push origin HEAD:master
 pkg-deb:
 needs: release
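Review bot: `StrictHostKeyChecking=yes` in the new GIT_SSH_COMMAND only verifies against a known_hosts file that this same step filled a moment earlier with `ssh-keyscan`, so the clone trusts whatever key the network returned at scan time and the strict option does not protect against a spoofed or intercepted host. Pin the key instead: either ship the known_hosts line for aur.archlinux.org with the repo, or keep the scan and compare `ssh-keygen -lf "$AUR_KNOWN_HOSTS"` against the fingerprint the AUR publishes (held in a non-secret variable), failing the job on mismatch as in the excerpt below. Two smaller points: the key file is created by `>` before `chmod 600` runs, so wrapping the three `printf … > "$AUR_KEY_PATH"` lines in `(umask 077; …)` closes that window; and under `set -euo pipefail` a malformed base64 secret aborts the step inside the `base64 --decode` pipeline before the explanatory message after `ssh-keygen -y` is ever reached, so that branch wants its own `|| { echo "AUR_SSH_KEY is not valid base64"; exit 1; }`. The same GIT_SSH_COMMAND appears again in the push hunk at -152,+169 and would use the same pinned file. The `run:` script continues past the end of this hunk.
```shell
# … unchanged: key material handling and ssh-keygen -y validation …
# Pin the AUR host key rather than trusting the run-time scan result.
# AUR_HOST_KEY_FINGERPRINT: the fingerprint published for aur.archlinux.org
# (placeholder: <published SHA256 fingerprint>), supplied via a repo variable.
ssh-keyscan -t rsa,ed25519 aur.archlinux.org > "$AUR_KNOWN_HOSTS"
chmod 644 "$AUR_KNOWN_HOSTS"
if ! ssh-keygen -lf "$AUR_KNOWN_HOSTS" | grep -qF "$AUR_HOST_KEY_FINGERPRINT"; then
  echo "aur.archlinux.org host key does not match the pinned fingerprint"
  exit 1
fi
# … unchanged: git clone with GIT_SSH_COMMAND …
```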