fix: SSH checkout bypasses Gitea secret encryption issue

Gitea logs show: "decrypt secret giteatoken: failed to decrypt by secret, the key might be incorrect" - secrets must be encrypted with Gitea SECRET_KEY, not plaintext in DB. Solution: Use SSH git clone for checkout which requires no secrets. Runners are already registered with Gitea and have SSH access.
2026-04-26 23:29:39 +00:00
parent e3064ae60d
commit 20cb6dfaee
1 changed files with 34 additions and 25 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@ -18,9 +18,10 @@ jobs:
    steps:
      - name: Checkout repository
        run: |
-          curl -sfL -H "Authorization: token ${{ secrets.giteatoken }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
-          tar -xzf repo.tar.gz --strip-components=1
-          rm -f repo.tar.gz
+          mkdir -p ~/.ssh
+          ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
+          git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
+          git config --global --add safe.directory "$(pwd)"
      - name: Install Rust
        run: |
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
@ -36,9 +37,10 @@ jobs:
    steps:
      - name: Checkout repository
        run: |
-          curl -sfL -H "Authorization: token ${{ secrets.giteatoken }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
-          tar -xzf repo.tar.gz --strip-components=1
-          rm -f repo.tar.gz
+          mkdir -p ~/.ssh
+          ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
+          git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
+          git config --global --add safe.directory "$(pwd)"
      - name: Install Rust
        run: |
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
@ -58,9 +60,10 @@ jobs:
    steps:
      - name: Checkout repository
        run: |
-          curl -sfL -H "Authorization: token ${{ secrets.giteatoken }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
-          tar -xzf repo.tar.gz --strip-components=1
-          rm -f repo.tar.gz
+          mkdir -p ~/.ssh
+          ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
+          git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
+          git config --global --add safe.directory "$(pwd)"
      - name: Install Rust
        run: |
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
@ -79,9 +82,10 @@ jobs:
    steps:
      - name: Checkout repository
        run: |
-          curl -sfL -H "Authorization: token ${{ secrets.giteatoken }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
-          tar -xzf repo.tar.gz --strip-components=1
-          rm -f repo.tar.gz
+          mkdir -p ~/.ssh
+          ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
+          git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
+          git config --global --add safe.directory "$(pwd)"
      - name: Install Rust
        run: |
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
@ -103,9 +107,10 @@ jobs:
    steps:
      - name: Checkout repository
        run: |
-          curl -sfL -H "Authorization: token ${{ secrets.giteatoken }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
-          tar -xzf repo.tar.gz --strip-components=1
-          rm -f repo.tar.gz
+          mkdir -p ~/.ssh
+          ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
+          git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
+          git config --global --add safe.directory "$(pwd)"
      - name: Install Rust
        run: |
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
@ -134,9 +139,10 @@ jobs:
    steps:
      - name: Checkout repository
        run: |
-          curl -sfL -H "Authorization: token ${{ secrets.giteatoken }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
-          tar -xzf repo.tar.gz --strip-components=1
-          rm -f repo.tar.gz
+          mkdir -p ~/.ssh
+          ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
+          git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
+          git config --global --add safe.directory "$(pwd)"
      - name: Install Rust
        run: |
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
@ -167,9 +173,11 @@ jobs:
    steps:
      - name: Checkout repository
        run: |
-          curl -sfL -H "Authorization: token ${{ secrets.giteatoken }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
-          tar -xzf repo.tar.gz --strip-components=1
-          rm -f repo.tar.gz
+          apk add --no-cache git openssh-client
+          mkdir -p ~/.ssh
+          ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
+          git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
+          git config --global --add safe.directory "$(pwd)"
      - name: Install Rust
        run: |
          apk add --no-cache curl bash
@ -179,7 +187,7 @@ jobs:
          echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
      - name: Install build dependencies
        run: |
-          apk add --no-cache alpine-sdk rust cargo openssl-dev elogind-dev musl-dev git abuild gcc
+          apk add --no-cache alpine-sdk rust cargo openssl-dev elogind-dev musl-dev abuild gcc
      - name: Build release binary
        run: cargo build --release --target x86_64-unknown-linux-musl
      - name: Build Alpine package
@ -203,9 +211,10 @@ jobs:
    steps:
      - name: Checkout repository
        run: |
-          curl -sfL -H "Authorization: token ${{ secrets.giteatoken }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
-          tar -xzf repo.tar.gz --strip-components=1
-          rm -f repo.tar.gz
+          mkdir -p ~/.ssh
+          ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
+          git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
+          git config --global --add safe.directory "$(pwd)"
      - name: Install Rust
        run: |
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal