From 671d165bd7c4465f609bc6bba700182b2852fabc Mon Sep 17 00:00:00 2001
From: Jonathan Miller <230051081+jmiller-moko@users.noreply.github.com>
Date: Tue, 23 Dec 2025 23:31:35 -0600
Subject: [PATCH] Update release_pipeline.yml
---
 .github/workflows/release_pipeline.yml | 27 +++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release_pipeline.yml b/.github/workflows/release_pipeline.yml
index 4feeec0..64f2f9f 100644
--- a/.github/workflows/release_pipeline.yml
+++ b/.github/workflows/release_pipeline.yml
@@ -500,11 +500,32 @@ jobs:
 echo "SFTP target: sftp://${HOSTPORT}${REMOTE_PATH}" >> "${GITHUB_STEP_SUMMARY}"
 sudo apt-get update -y
- sudo apt-get install -y lftp openssh-client
+ sudo apt-get install -y lftp openssh-client putty-tools
 mkdir -p ~/.ssh
- echo "${FTP_KEY}" > ~/.ssh/id_rsa
- chmod 600 ~/.ssh/id_rsa
+
+ # Key material can be OpenSSH private key or PuTTY .ppk (unencrypted).
+ # Hard control: key-only auth. No password or interactive prompts.
+ if printf '%s' "${FTP_KEY}" | head -n 1 | grep -q '^PuTTY-User-Key-File-'; then
+ echo "Detected PuTTY PPK key format" >> "${GITHUB_STEP_SUMMARY}"
+
+ printf '%s' "${FTP_KEY}" > ~/.ssh/key.ppk
+ chmod 600 ~/.ssh/key.ppk
+
+ # Convert to OpenSSH private key. Encrypted PPK will fail (no passphrase support by policy).
+ if ! puttygen ~/.ssh/key.ppk -O private-openssh -o ~/.ssh/id_rsa; then
+ echo "ERROR: PPK conversion failed. Provide an unencrypted PPK (no passphrase)." >> "${GITHUB_STEP_SUMMARY}"
+ exit 1
+ fi
+
+ chmod 600 ~/.ssh/id_rsa
+ rm -f ~/.ssh/key.ppk
+ else
+ echo "Detected OpenSSH private key format" >> "${GITHUB_STEP_SUMMARY}"
+ printf '%s' "${FTP_KEY}" > ~/.ssh/id_rsa
+ chmod 600 ~/.ssh/id_rsa
+ fi
+
 ssh-keyscan -H "${FTP_HOST}" >> ~/.ssh/known_hosts
 # Hard‑enforced key‑only authentication. Password auth explicitly disabled.
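Review bot: Both branches write the private key with `printf '%s' "${FTP_KEY}" > …` under the runner's default umask and only tighten it afterwards with `chmod 600`, so the key file is briefly created with wider permissions; a `umask 077` placed before `mkdir -p ~/.ssh` closes that window for `key.ppk` and `id_rsa` alike. Replacing `echo` with `printf '%s'` in the `else` branch also drops the trailing newline, and OpenSSH can reject a private key file that lacks one, so `printf '%s\n' "${FTP_KEY}" > ~/.ssh/id_rsa` is the safer form. On the conversion-failure path `exit 1` runs before `rm -f ~/.ssh/key.ppk`, which leaves the unencrypted PPK on disk; setting `trap 'rm -f ~/.ssh/key.ppk' EXIT` before the write would cover both paths. The enclosing `run:` step starts and ends outside the hunk, so whether a umask or trap is already set earlier cannot be seen from here.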