Refactor SSH key setup in deploy.yml #15

Merged
rdenadai merged 1 commit from rdenadai-patch-5 into main 2025-10-18 18:00:08 +00:00
rdenadai commented 2025-10-18 18:00:02 +00:00 (Migrated from github.com)

Removed unnecessary echo statements and added SSH agent setup.

copilot-pull-request-reviewer[bot] (Migrated from github.com) reviewed 2025-10-18 18:00:17 +00:00
copilot-pull-request-reviewer[bot] (Migrated from github.com) left a comment

Pull Request Overview

This PR refactors the SSH key setup in the GitHub Actions deploy workflow by removing debug echo statements and implementing proper SSH agent configuration to handle SSH keys with passphrases.

  • Removed unnecessary echo statements that were used for debugging
  • Added SSH agent setup with passphrase support for secure key management
  • Improved the SSH key configuration process for deployment

@ -43,1 +43,4 @@
eval $(ssh-agent -s)
echo "${{ secrets.SSH_KEY_PASSPHRASE }}" | ssh-add ~/.ssh/id_rsa
ssh-keyscan -p ${{ secrets.SSH_PORT }} -H "${{ secrets.VM_IP }}" >> ~/.ssh/known_hosts
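Review bot: On the `ssh-add` line, `${{ secrets.SSH_KEY_PASSPHRASE }}` is expanded into the script text before the shell runs, so a passphrase containing `"`, `$` or a backtick is re-interpreted by the shell and can break the step or run as code. Pass the secret through the step's `env:` block and reference it as a quoted shell variable instead; the same applies to the unquoted `${{ secrets.SSH_PORT }}` on the `ssh-keyscan` line. Separately, `ssh-keyscan ... >> ~/.ssh/known_hosts` records whatever host key is presented at run time, so it does not authenticate the server; keeping the expected host key line in a secret and writing that to `known_hosts` would.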
copilot-pull-request-reviewer[bot] (Migrated from github.com) commented 2025-10-18 18:00:17 +00:00

Passing the passphrase through echo and pipe could expose it in process lists or logs. Consider using ssh-add with the -q flag and SSH_ASKPASS environment variable, or use expect/sshpass for more secure passphrase handling.

          # Start SSH agent and add key with passphrase securely using SSH_ASKPASS
          eval $(ssh-agent -s)
          echo '#!/bin/sh' > /tmp/askpass.sh
          echo 'echo "${{ secrets.SSH_KEY_PASSPHRASE }}"' >> /tmp/askpass.sh
          chmod +x /tmp/askpass.sh
          SSH_ASKPASS=/tmp/askpass.sh DISPLAY=:0 ssh-add -q ~/.ssh/id_rsa
          rm /tmp/askpass.sh
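
A hardened variant of the SSH_ASKPASS approach suggested in the comment above, as an added example that is not part of the PR or of the reviewer's suggestion. It assumes the workflow step passes the secret through `env:` as `SSH_KEY_PASSPHRASE` and that an agent is already running; `make_askpass` and `load_key` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not code from the PR. Assumption: the step exports the secret
# as an environment variable, e.g.
#   env:
#     SSH_KEY_PASSPHRASE: ${{ secrets.SSH_KEY_PASSPHRASE }}
# so the passphrase never becomes part of the script text or of any file.

# make_askpass: create a private helper that prints $SSH_KEY_PASSPHRASE when it
# is executed. The quoted heredoc delimiter keeps the variable unexpanded, so
# the file on disk holds only the variable name. Prints the helper's path.
make_askpass() {
    # mktemp picks an unpredictable name and creates the file owner-only.
    helper=$(mktemp "${TMPDIR:-/tmp}/askpass.XXXXXX") || return 1
    cat > "$helper" <<'EOF'
#!/bin/sh
printf '%s\n' "$SSH_KEY_PASSPHRASE"
EOF
    chmod 700 "$helper"
    printf '%s\n' "$helper"
}

# load_key KEYFILE: add the key to the running agent, answering the passphrase
# prompt through the helper. The helper is removed even when ssh-add fails.
load_key() {
    if [ -z "${SSH_KEY_PASSPHRASE:-}" ]; then
        echo "SSH_KEY_PASSPHRASE is not set in the environment" >&2
        return 1
    fi
    export SSH_KEY_PASSPHRASE   # the helper reads it from ssh-add's environment
    askpass=$(make_askpass) || return 1
    status=0
    # SSH_ASKPASS_REQUIRE=force (OpenSSH 8.4+) always uses the helper;
    # DISPLAY is set for older releases that only check for its presence.
    SSH_ASKPASS="$askpass" SSH_ASKPASS_REQUIRE=force DISPLAY=none \
        ssh-add -q "$1" </dev/null || status=$?
    rm -f "$askpass"
    return "$status"
}

# Runs only when a key path is given, e.g.:  sh load-key.sh ~/.ssh/id_rsa
if [ "$#" -gt 0 ]; then
    load_key "$1"
fi
```
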