Skip to content

Restore ssh key in release.yml#793

Merged
hal-eisen-adfa merged 1 commit intostagefrom
restore-releaseyml-ssh-key-setup
Jan 7, 2026
Merged

Restore ssh key in release.yml#793
hal-eisen-adfa merged 1 commit intostagefrom
restore-releaseyml-ssh-key-setup

Conversation

@hal-eisen-adfa
Copy link
Collaborator

@hal-eisen-adfa hal-eisen-adfa commented Jan 7, 2026

No description provided.

@hal-eisen-adfa hal-eisen-adfa merged commit cfe128e into stage Jan 7, 2026
1 of 2 checks passed
@hal-eisen-adfa hal-eisen-adfa deleted the restore-releaseyml-ssh-key-setup branch January 7, 2026 00:53
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Jan 7, 2026

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Release Notes - SSH Key Setup in release.yml

Changes

  • Added "Set up SSH key" step to the download_assets workflow job to enable secure SSH-based file transfers
    • Reads SSH configuration from environment variables (host, private key, username)
    • Creates and configures SSH directory with proper permissions (chmod 600)
    • Validates SSH key format to ensure it contains a valid PRIVATE KEY marker
    • Configures ~/.ssh/config with host-specific authentication settings
    • Disables SSH agent and removes conflicting default SSH keys
    • Populates known_hosts file via ssh-keyscan for host verification
    • Includes cleanup step to remove SSH credentials after job completion

Security Risks & Best Practice Violations ⚠️

  1. StrictHostKeyChecking Disabled - The SSH config includes StrictHostKeyChecking no, which disables host key verification and creates vulnerability to man-in-the-middle (MITM) attacks. Best practice is to use StrictHostKeyChecking accept-new or verify host keys beforehand.

  2. Platform-Specific sed Syntax - The sed command uses macOS syntax (sed -i '') with a fallback to Linux syntax, which is non-standard for GitHub Actions runners. This should use a single, cross-platform approach.

  3. SSH Credentials on Self-Hosted Runner - SSH private keys are stored on self-hosted runners, which have less isolation than GitHub-hosted runners. Ensure proper access controls on the runner.

  4. Incomplete Error Handling - If SSH key setup fails partway through, cleanup may not fully execute. The cleanup step properly uses if: always() but depends on the step completing to some degree.

  5. Hardcoded Security Disablement - Multiple security features are disabled globally (PasswordAuthentication no, GSSAPIAuthentication no, etc.), which is good practice, but combined with StrictHostKeyChecking no creates an overly permissive configuration.

Recommendations

  • Replace StrictHostKeyChecking no with StrictHostKeyChecking accept-new to balance usability with security
  • Use standard sed syntax without platform-specific flags
  • Consider using a dedicated SSH action or GitHub Secrets for key management
  • Add additional logging to the cleanup step for troubleshooting failed SSH operations

Walkthrough

This change introduces SSH key setup steps in two GitHub Actions workflow jobs within .github/workflows/release.yml. The setup reads SSH credentials from environment variables, configures the private key, sets strict permissions, validates the key format, and establishes SSH authentication for subsequent steps.

Changes

Cohort / File(s) Summary
GitHub Actions SSH Setup
.github/workflows/release.yml		 Added "Set up SSH key" step in two workflow jobs (download_assets and build_apk). Each step reads SSH host, key, and user from environment variables; writes private key to ~/.ssh/id_rsa; sets 700 permissions; validates PRIVATE KEY format; configures ~/.ssh/config for key-based authentication; disables SSH agents; removes conflicting keys; and populates known_hosts via ssh-keyscan.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested reviewers

  • Daniel-ADFA

Poem

🐰 SSH keys tucked with care so spry,
Two workflows now authenticate through the CI sky,
Private keys guarded in ~/.ssh so tight,
Permissions enforced—secure by right!

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5c7da5e and ae68a71.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@hal-eisen-adfa

Comments