Improve SSH key setup and validation in deploy.yml #17

Merged
rdenadai merged 1 commit from rdenadai-patch-7 into main 2025-10-18 18:38:36 +00:00
rdenadai commented 2025-10-18 18:38:31 +00:00 (Migrated from github.com)

Updated SSH key setup to use printf for formatting and added validation for the SSH key.

copilot-pull-request-reviewer[bot] (Migrated from github.com) reviewed 2025-10-18 18:39:42 +00:00
copilot-pull-request-reviewer[bot] (Migrated from github.com) left a comment

Pull Request Overview

This PR improves the SSH key handling in the deployment workflow by switching to printf for writing the private key and adding a validation step for the SSH key.

  • Replace echo with printf when writing the SSH private key
  • Add a validation step for the SSH key using ssh-keygen
  • Modify ssh-keyscan to suppress errors and avoid failing the job

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@ -36,9 +36,12 @@ jobs:
- name: Set up SSH key
run: |
mkdir -p ~/.ssh
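Review bot: `mkdir -p ~/.ssh` creates the directory under the runner's default umask (normally 755), and the key file is written into it by the following lines before anything tightens the directory. Set a private umask at the top of the step, e.g. `umask 077` before `mkdir -p ~/.ssh`, so the directory and every file created under it (id_rsa, known_hosts) start out owner-only rather than being corrected after the fact.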
copilot-pull-request-reviewer[bot] (Migrated from github.com) commented 2025-10-18 18:39:41 +00:00

After creating ~/.ssh, set directory permissions to 700 to satisfy SSH's security expectations and avoid it ignoring keys due to permissive directory permissions.

          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
@ -39,2 +39,3 @@
echo "${{ secrets.VM_SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
# Use printf instead of echo to preserve formatting
printf '%s\n' "${{ secrets.VM_SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
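Review bot: the secret is spliced into the script source via `${{ secrets.VM_SSH_PRIVATE_KEY }}`, so the shell parses the key material as part of its own text and any `"` or `$` inside the value would break the quoting on the third line. Pass it through the step's `env:` block instead, e.g. `env:` / `  VM_SSH_PRIVATE_KEY: ${{ secrets.VM_SSH_PRIVATE_KEY }}`, and write `printf '%s\n' "$VM_SSH_PRIVATE_KEY" > ~/.ssh/id_rsa`. Keep the `\n` in the format string: OpenSSH rejects a private key whose END marker line is not newline-terminated with `invalid format`, which is the usual failure when a secret was pasted without a trailing newline.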
copilot-pull-request-reviewer[bot] (Migrated from github.com) commented 2025-10-18 18:39:41 +00:00

[nitpick] Using printf '%s\n' appends an extra newline which can alter the secret's exact content; prefer printf '%s' to write the key verbatim.

          printf '%s' "${{ secrets.VM_SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
@ -42,1 +42,4 @@
# Verify key is valid
ssh-keygen -l -f ~/.ssh/id_rsa || { echo "Invalid SSH key"; exit 1; }
ssh-keyscan -p ${{ secrets.SSH_PORT }} -H "${{ secrets.VM_IP }}" >> ~/.ssh/known_hosts 2>/dev/null || true
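Review bot: the check on the second line only proves the file parses as a key, and `ssh-keygen -l` on a private key behaves differently across OpenSSH versions (newer releases can derive the fingerprint from an unencrypted private key; older ones report that it is not a public key file and look for `id_rsa.pub`). `ssh-keygen -y -f ~/.ssh/id_rsa >/dev/null` is the version-independent form, since `-y` always reads the private half, and it writes nothing to the job log.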
copilot-pull-request-reviewer[bot] (Migrated from github.com) commented 2025-10-18 18:39:41 +00:00

ssh-keygen -l expects a public key; running it on a private key commonly returns 'invalid format' even when the key is valid. To actually validate the private key, use ssh-keygen -y (which reads a private key and outputs the public key) and check its exit status.

          ssh-keygen -y -f ~/.ssh/id_rsa > /dev/null || { echo "Invalid SSH key"; exit 1; }
@ -42,2 +43,4 @@
ssh-keygen -l -f ~/.ssh/id_rsa || { echo "Invalid SSH key"; exit 1; }
ssh-keyscan -p ${{ secrets.SSH_PORT }} -H "${{ secrets.VM_IP }}" >> ~/.ssh/known_hosts 2>/dev/null || true
- name: Test SSH connection
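Review bot: with `2>/dev/null || true` on the second line, a failed `ssh-keyscan` leaves known_hosts empty and the "Test SSH connection" step that follows has nothing pinned to verify against. The deeper problem is that scanning at job time is trust-on-first-use on every run, so the workflow accepts whichever host key the network returns. Record the VM's host public key once (as a repository secret or variable) and append that line to known_hosts instead of running `ssh-keyscan` at all; a changed key then fails host verification instead of being suppressed. If the scan stays, drop `2>/dev/null || true` so its error is visible.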
copilot-pull-request-reviewer[bot] (Migrated from github.com) commented 2025-10-18 18:39:41 +00:00

[nitpick] Redirecting stderr to /dev/null and forcing success with || true hides host key retrieval failures, making issues hard to debug and potentially leaving known_hosts empty. Consider failing fast on ssh-keyscan errors or at least logging them so that a missing host key doesn't go unnoticed.

          if ! ssh-keyscan -p ${{ secrets.SSH_PORT }} -H "${{ secrets.VM_IP }}" >> ~/.ssh/known_hosts 2>&1; then
            echo "Error: ssh-keyscan failed for host ${{ secrets.VM_IP }}:${{ secrets.SSH_PORT }}"; exit 1
          fi
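The review points above (directory permissions, writing the key verbatim, validating the private half, and not silencing host key retrieval) combined into one hardened version of the "Set up SSH key" step. This is an added example, not the project's workflow or the reviewer's code; it assumes the private key arrives in the environment variable VM_SSH_PRIVATE_KEY and a pinned known_hosts line in VM_HOST_KEY, both supplied through the step's `env:` block rather than interpolated with `${{ }}`, and it pins the host key instead of calling ssh-keyscan.

```shell
#!/bin/sh
# Added example, not the project's workflow: a hardened "Set up SSH key" step
# written as POSIX shell functions. Assumed inputs (not in the original):
# $VM_SSH_PRIVATE_KEY holds the private key, $VM_HOST_KEY holds one
# known_hosts line for the target VM; both are expected from the step's env:.
set -eu

# Return a file's permission bits in octal (GNU stat first, BSD stat fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Write the private key with exactly one trailing newline. Directory and file
# are created under umask 077, so nothing is group/world readable even in the
# window between the write and the explicit chmod.
write_private_key() {            # $1 = ssh directory; prints the key path
  dir="$1"; key="$1/id_rsa"
  (
    umask 077
    mkdir -p "$dir"
    # $(...) strips any trailing newlines; '%s\n' then adds back exactly one,
    # so a secret pasted with or without a final newline yields the same file.
    printf '%s\n' "$(printf '%s' "$VM_SSH_PRIVATE_KEY")" > "$key"
  )
  chmod 700 "$dir"                # also covers a pre-existing directory
  chmod 600 "$key"
  printf '%s\n' "$key"
}

# Validate by deriving the public key: ssh-keygen -y must parse the private
# half, so a truncated or mangled secret fails here, not at connect time.
validate_private_key() {         # $1 = key path; exit status is the verdict
  ssh-keygen -y -f "$1" > /dev/null 2>&1
}

# Pin the server's host key instead of trusting whatever ssh-keyscan returns
# at job time; a later mismatch then fails host verification outright.
pin_host_key() {                 # $1 = ssh directory
  ( umask 077; printf '%s\n' "$VM_HOST_KEY" >> "$1/known_hosts" )
  chmod 600 "$1/known_hosts"
}

# The whole step in the workflow's order: write, validate, pin.
setup_ssh() {                    # $1 = ssh directory (defaults to ~/.ssh)
  ssh_dir="${1:-$HOME/.ssh}"
  key_path="$(write_private_key "$ssh_dir")"
  validate_private_key "$key_path" || { echo "Invalid SSH key" >&2; return 1; }
  pin_host_key "$ssh_dir"
}
```

In the workflow this collapses to `umask 077`, the `printf`, `ssh-keygen -y`, and a `printf '%s\n' "$VM_HOST_KEY" >> ~/.ssh/known_hosts` line; the host key line is obtained once out of band (for example by running ssh-keyscan from a trusted machine and checking the fingerprint against the VM console) and stored alongside the other secrets.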
Reference
rdenadai/web.redecapivara.social!17