Merge remote-tracking branch 'gitea/main' into codex/security-supply-chain-contracts-20260512

2026-05-13 19:02:15 +08:00
parent 0f1141b33e 9c9cf68063
commit 40e6555578
2 changed files with 11 additions and 4 deletions
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -469,7 +469,11 @@ jobs:
          mkdir -p ~/.ssh
          echo "$SSH_PRIVATE_KEY" > "${HOME}/.ssh/deploy_key"
          chmod 600 "${HOME}/.ssh/deploy_key"
-          ssh-keyscan -T 5 "${{ env.K8S_SSH_HOST }}" > ~/.ssh/known_hosts 2>/dev/null
+          # 2026-05-13 Codex: keyscan must include ED25519 explicitly. Some
+          # OpenSSH builds otherwise record only RSA/ECDSA, then strict deploy
+          # SSH fails with "No ED25519 host key is known" after image push.
+          ssh-keyscan -T 5 -t ed25519,rsa,ecdsa "${K8S_SSH_HOST}" > "${HOME}/.ssh/known_hosts" 2>/dev/null
+          test -s "${HOME}/.ssh/known_hosts" || { echo "❌ K8S host keyscan failed: ${K8S_SSH_HOST}"; exit 1; }
          SSH_OPTS="-i ${HOME}/.ssh/deploy_key -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=${HOME}/.ssh/known_hosts -o ConnectTimeout=10"
          ssh $SSH_OPTS "wooo@${{ env.K8S_SSH_HOST }}" << SECRETS
          set -e
@@ -707,7 +711,10 @@ jobs:
          mkdir -p ~/.ssh
          echo "$SSH_PRIVATE_KEY" > "${HOME}/.ssh/deploy_key"
          chmod 600 "${HOME}/.ssh/deploy_key"
-          ssh-keyscan -T 5 "${{ env.K8S_SSH_HOST }}" > ~/.ssh/known_hosts 2>/dev/null
+          # 2026-05-13 Codex: mirror Inject K8s Secrets host-key handling so the
+          # deploy job never reaches SSH with a known_hosts file missing ED25519.
+          ssh-keyscan -T 5 -t ed25519,rsa,ecdsa "${K8S_SSH_HOST}" > "${HOME}/.ssh/known_hosts" 2>/dev/null
+          test -s "${HOME}/.ssh/known_hosts" || { echo "❌ K8S host keyscan failed: ${K8S_SSH_HOST}"; exit 1; }
          SSH_OPTS="-i ${HOME}/.ssh/deploy_key -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=${HOME}/.ssh/known_hosts -o ConnectTimeout=10"

          IMAGE_TAG="${{ github.sha }}"
--- a/k8s/awoooi-prod/kustomization.yaml
+++ b/k8s/awoooi-prod/kustomization.yaml
@@ -40,7 +40,7 @@ resources:
 images:
 - name: 192.168.0.110:5000/library/api:IMAGE_TAG_PLACEHOLDER
  newName: 192.168.0.110:5000/awoooi/api
-  newTag: cecadb331badac7aa4fb07922b892875c28a891a
+  newTag: 3bad354414edcef35406796b9b9e2cfb90b0740f
 - name: 192.168.0.110:5000/library/web:IMAGE_TAG_PLACEHOLDER
  newName: 192.168.0.110:5000/awoooi/web
-  newTag: cecadb331badac7aa4fb07922b892875c28a891a
+  newTag: 3bad354414edcef35406796b9b9e2cfb90b0740f