git-echo/linux_patch_api
Private
Public Access
1
0
Fork 0
Code Releases 32 Wiki Activity

fix: SSH checkout bypasses Gitea secret encryption issue

Browse Source 
Gitea logs show: "decrypt secret giteatoken: failed to decrypt by secret,
the key might be incorrect" - secrets must be encrypted with Gitea
SECRET_KEY, not plaintext in DB.

Solution: Use SSH git clone for checkout which requires no secrets.
Runners are already registered with Gitea and have SSH access.
This commit is contained in:
Echo
2026-04-26 23:29:39 +00:00
parent e3064ae60d
commit 20cb6dfaee
1 changed files with 34 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
.gitea/workflows/ci.yml
View File

@ -18,9 +18,10 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
run: | run: |
curl -sfL -H "Authorization: token ${{ secrets.giteatoken }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz mkdir -p ~/.ssh
tar -xzf repo.tar.gz --strip-components=1 ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
rm -f repo.tar.gz git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
git config --global --add safe.directory "$(pwd)"
- name: Install Rust - name: Install Rust
run: | run: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
@ -36,9 +37,10 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
run: | run: |
curl -sfL -H "Authorization: token ${{ secrets.giteatoken }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz mkdir -p ~/.ssh
tar -xzf repo.tar.gz --strip-components=1 ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
rm -f repo.tar.gz git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
git config --global --add safe.directory "$(pwd)"
- name: Install Rust - name: Install Rust
run: | run: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
@ -58,9 +60,10 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
run: | run: |
curl -sfL -H "Authorization: token ${{ secrets.giteatoken }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz mkdir -p ~/.ssh
tar -xzf repo.tar.gz --strip-components=1 ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
rm -f repo.tar.gz git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
git config --global --add safe.directory "$(pwd)"
- name: Install Rust - name: Install Rust
run: | run: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
@ -79,9 +82,10 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
run: | run: |
curl -sfL -H "Authorization: token ${{ secrets.giteatoken }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz mkdir -p ~/.ssh
tar -xzf repo.tar.gz --strip-components=1 ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
rm -f repo.tar.gz git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
git config --global --add safe.directory "$(pwd)"
- name: Install Rust - name: Install Rust
run: | run: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
@ -103,9 +107,10 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
run: | run: |
curl -sfL -H "Authorization: token ${{ secrets.giteatoken }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz mkdir -p ~/.ssh
tar -xzf repo.tar.gz --strip-components=1 ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
rm -f repo.tar.gz git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
git config --global --add safe.directory "$(pwd)"
- name: Install Rust - name: Install Rust
run: | run: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
@ -134,9 +139,10 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
run: | run: |
curl -sfL -H "Authorization: token ${{ secrets.giteatoken }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz mkdir -p ~/.ssh
tar -xzf repo.tar.gz --strip-components=1 ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
rm -f repo.tar.gz git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
git config --global --add safe.directory "$(pwd)"
- name: Install Rust - name: Install Rust
run: | run: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
@ -167,9 +173,11 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
run: | run: |
curl -sfL -H "Authorization: token ${{ secrets.giteatoken }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz apk add --no-cache git openssh-client
tar -xzf repo.tar.gz --strip-components=1 mkdir -p ~/.ssh
rm -f repo.tar.gz ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
git config --global --add safe.directory "$(pwd)"
- name: Install Rust - name: Install Rust
run: | run: |
apk add --no-cache curl bash apk add --no-cache curl bash
@ -179,7 +187,7 @@ jobs:
echo "$HOME/.cargo/bin" >> "$GITHUB_PATH" echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
- name: Install build dependencies - name: Install build dependencies
run: | run: |
apk add --no-cache alpine-sdk rust cargo openssl-dev elogind-dev musl-dev git abuild gcc apk add --no-cache alpine-sdk rust cargo openssl-dev elogind-dev musl-dev abuild gcc
- name: Build release binary - name: Build release binary
run: cargo build --release --target x86_64-unknown-linux-musl run: cargo build --release --target x86_64-unknown-linux-musl
- name: Build Alpine package - name: Build Alpine package
@ -203,9 +211,10 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
run: | run: |
curl -sfL -H "Authorization: token ${{ secrets.giteatoken }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz mkdir -p ~/.ssh
tar -xzf repo.tar.gz --strip-components=1 ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
rm -f repo.tar.gz git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
git config --global --add safe.directory "$(pwd)"
- name: Install Rust - name: Install Rust
run: | run: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal