This commit is contained in:
Pouya
@@ -17,8 +17,11 @@ jobs:
|
||||
- name: Trigger tutorials redeploy over SSH
|
||||
env:
|
||||
DEPLOY_KEY: ${{ secrets.TUTORIALS_DEPLOY_KEY }}
|
||||
DEPLOY_HOST: REDACTED
|
||||
# Host address kept out of this public repo — set as an Actions secret.
|
||||
DEPLOY_HOST: ${{ secrets.TUTORIALS_DEPLOY_HOST }}
|
||||
DEPLOY_USER: deploy
|
||||
# Pinned host public key (a known_hosts line), also via secret.
|
||||
KNOWN_HOSTS: ${{ secrets.TUTORIALS_KNOWN_HOSTS }}
|
||||
run: |
|
||||
set -eu
|
||||
# Ensure an SSH client is available on the runner image.
|
||||
@@ -28,9 +31,14 @@ jobs:
|
||||
install -d -m 700 ~/.ssh
|
||||
printf '%s\n' "$DEPLOY_KEY" > ~/.ssh/deploy_key
|
||||
chmod 600 ~/.ssh/deploy_key
|
||||
# Forced command runs regardless of the remote command; we send a
|
||||
# harmless placeholder. accept-new pins the host key on first use.
|
||||
ssh -o StrictHostKeyChecking=accept-new \
|
||||
# Pin the target's host key (supplied via secret) instead of trusting
|
||||
# it on first connect — closes the first-connection MITM window that
|
||||
# StrictHostKeyChecking=accept-new (trust-on-first-use) leaves open.
|
||||
printf '%s\n' "$KNOWN_HOSTS" > ~/.ssh/known_hosts
|
||||
chmod 600 ~/.ssh/known_hosts
|
||||
# Forced command runs regardless of the remote command; harmless placeholder.
|
||||
ssh -o StrictHostKeyChecking=yes \
|
||||
-o UserKnownHostsFile="$HOME/.ssh/known_hosts" \
|
||||
-o BatchMode=yes \
|
||||
-i ~/.ssh/deploy_key \
|
||||
"${DEPLOY_USER}@${DEPLOY_HOST}" deploy
|
||||
|
||||
Reference in New Issue
Block a user