wdevs/unitdore
5
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases 7 Wiki Activity

chore(aur): enhance AUR SSH setup for key handling

Browse Source 
* Improve SSH key handling with support for raw, escaped, and base64-encoded keys
* Add validation for AUR_SSH_KEY to ensure it's a valid private key
* Update SSH command options for better security and reliability
This commit is contained in:
Hein
2026-04-08 17:02:10 +02:00
parent 384c4592d1
commit 0999303cd3
1 changed files with 30 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
.gitea/workflows/release.yml
View File

@@ -102,28 +102,45 @@ jobs:
env: env:
AUR_SSH_KEY: ${{ secrets.AUR_SSH_KEY }} AUR_SSH_KEY: ${{ secrets.AUR_SSH_KEY }}
run: | run: |
set -euo pipefail
VERSION="${{ github.event.inputs.tag || github.ref_name }}" VERSION="${{ github.event.inputs.tag || github.ref_name }}"
PKGVER="${VERSION#v}" PKGVER="${VERSION#v}"
AUR_KEY_PATH="$HOME/.ssh/aur"
AUR_KNOWN_HOSTS="$HOME/.ssh/known_hosts"
# Setup SSH for AUR # Setup SSH for AUR
mkdir -p ~/.ssh mkdir -p ~/.ssh
chmod 700 ~/.ssh chmod 700 ~/.ssh
# Auto-detect: raw PEM key or base64-encoded key if [ -z "${AUR_SSH_KEY:-}" ]; then
if printf '%s' "$AUR_SSH_KEY" | grep -q "BEGIN"; then echo "AUR_SSH_KEY is empty"
printf '%b' "$AUR_SSH_KEY" > ~/.ssh/aur exit 1
else
printf '%s' "$AUR_SSH_KEY" | tr -d '[:space:]' | base64 -d > ~/.ssh/aur
fi fi
chmod 600 ~/.ssh/aur
# Diagnostics (no key content exposed) # Support raw multiline keys, escaped \\n secrets, or base64-encoded keys.
CLEAN_AUR_SSH_KEY="$(printf '%s' "$AUR_SSH_KEY" | tr -d '\r')"
ssh-keygen -l -f ~/.ssh/aur && echo "Key is valid" || echo "Key is INVALID" if printf '%s' "$CLEAN_AUR_SSH_KEY" | grep -q "^-----BEGIN .*PRIVATE KEY-----$"; then
ssh-keyscan aur.archlinux.org >> ~/.ssh/known_hosts printf '%s\n' "$CLEAN_AUR_SSH_KEY" > "$AUR_KEY_PATH"
elif printf '%s' "$CLEAN_AUR_SSH_KEY" | grep -q '\\n'; then
printf '%b\n' "$CLEAN_AUR_SSH_KEY" > "$AUR_KEY_PATH"
else
printf '%s' "$CLEAN_AUR_SSH_KEY" | tr -d '[:space:]' | base64 --decode > "$AUR_KEY_PATH"
fi
chmod 600 "$AUR_KEY_PATH"
if ! ssh-keygen -y -f "$AUR_KEY_PATH" >/dev/null 2>&1; then
echo "AUR_SSH_KEY is not a valid private key."
echo "Store it as a raw private key, an escaped private key with \\n, or a base64-encoded private key."
exit 1
fi
ssh-keyscan -t rsa,ed25519 aur.archlinux.org >> "$AUR_KNOWN_HOSTS"
chmod 644 "$AUR_KNOWN_HOSTS"
# Clone AUR repo # Clone AUR repo
GIT_SSH_COMMAND="ssh -vvv -i ~/.ssh/aur" git clone ssh://aur@aur.archlinux.org/unitdore.git aur-repo GIT_SSH_COMMAND="ssh -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$AUR_KNOWN_HOSTS -i $AUR_KEY_PATH" \
git clone ssh://aur@aur.archlinux.org/unitdore.git aur-repo
# Compute SHA256 of the release tarball (same URL the PKGBUILD will download) # Compute SHA256 of the release tarball (same URL the PKGBUILD will download)
SHA=$(curl -fsSL "https://git.warky.dev/wdevs/unitdore/archive/v${PKGVER}.zip" | sha256sum | cut -d' ' -f1) SHA=$(curl -fsSL "https://git.warky.dev/wdevs/unitdore/archive/v${PKGVER}.zip" | sha256sum | cut -d' ' -f1)
@@ -152,7 +169,8 @@ jobs:
git config user.name "Hein" git config user.name "Hein"
git add PKGBUILD .SRCINFO git add PKGBUILD .SRCINFO
git commit -m "Update to v${PKGVER}" git commit -m "Update to v${PKGVER}"
GIT_SSH_COMMAND="ssh -vvv -i ~/.ssh/aur" git push origin HEAD:master GIT_SSH_COMMAND="ssh -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$AUR_KNOWN_HOSTS -i $AUR_KEY_PATH" \
git push origin HEAD:master
pkg-deb: pkg-deb:
needs: release needs: release