From 0f6cbb81e96b9ec6c9de6d9a9982ee2194506e34 Mon Sep 17 00:00:00 2001
From: Jonathan Miller <230051081+jmiller-moko@users.noreply.github.com>
Date: Tue, 23 Dec 2025 23:24:56 -0600
Subject: [PATCH] Update release_pipeline.yml
---
 .github/workflows/release_pipeline.yml | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release_pipeline.yml b/.github/workflows/release_pipeline.yml
index c8fadc1..4feeec0 100644
--- a/.github/workflows/release_pipeline.yml
+++ b/.github/workflows/release_pipeline.yml
@@ -27,7 +27,7 @@
 # BRIEF: Enterprise release pipeline enforcing dev to rc to version to main. Creates prerelease when rc is created. Creates full release when version is created and promotes to main while retaining the version branch.
 # NOTE: Controls: strict branch gating, mandatory source branch deletion after promotion, key-only SFTP with verbose logs, ZIP-only distribution with overwrite, no checksum generation.
 #
-name: Release Pipeline (dev to rc to version to main)
+name: Release Pipeline (dev > rc > version > main)
 on:
 workflow_dispatch:
@@ -507,7 +507,22 @@ jobs:
 chmod 600 ~/.ssh/id_rsa
 ssh-keyscan -H "${FTP_HOST}" >> ~/.ssh/known_hosts
- lftp -d -e "set sftp:auto-confirm yes; set cmd:trace yes; set net:timeout 30; set net:max-retries 3; set net:reconnect-interval-base 5; open -u '${FTP_USER}', sftp://${HOSTPORT}; pwd; ls; mkdir -p '${REMOTE_PATH}'; cd '${REMOTE_PATH}'; pwd; put -E 'dist/${ZIP}'; ls; bye"
+ # Hard‑enforced key‑only authentication. Password auth explicitly disabled.
+ lftp -d -e "\
+ set sftp:auto-confirm yes; \
+ set cmd:trace yes; \
+ set net:timeout 30; \
+ set net:max-retries 3; \
+ set net:reconnect-interval-base 5; \
+ set sftp:connect-program 'ssh -a -x -i ~/.ssh/id_rsa -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no -o ChallengeResponseAuthentication=no -o PubkeyAuthentication=yes'; \
+ open -u '${FTP_USER}', sftp://${HOSTPORT}; \
+ pwd; ls; \
+ mkdir -p '${REMOTE_PATH}'; \
+ cd '${REMOTE_PATH}'; \
+ pwd; \
+ put -E 'dist/${ZIP}'; \
+ ls; \
+ bye"
 ZIP_BYTES="$(stat -c%s "dist/${ZIP}")"
 {
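Review bot: The new connect-program hardens client-side authentication but leaves server verification open: `set sftp:auto-confirm yes` (kept from the removed line) makes lftp answer yes to ssh's questions, including a new or changed host key, and the added ssh options do not include `StrictHostKeyChecking=yes`, so the only host-key control is the `ssh-keyscan` on the preceding context line, which trusts whatever host answers at run time. To fail closed, change the first setting to `set sftp:auto-confirm no; \` and extend the connect-program with `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=~/.ssh/known_hosts`; better still, populate known_hosts from a pinned host key stored as a repository secret (placeholder name: `FTP_HOST_KEY`) instead of from ssh-keyscan. The comment above the command could then read `# Key-only auth; host key must already be pinned in known_hosts (StrictHostKeyChecking=yes).` The enclosing run step starts before the hunk.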