From 3bad354414edcef35406796b9b9e2cfb90b0740f Mon Sep 17 00:00:00 2001
From: Your Name <you@example.com>
Date: Wed, 13 May 2026 18:55:49 +0800
Subject: [PATCH 1/2] fix(cd): include ed25519 deploy host keyscan

---
 .gitea/workflows/cd.yaml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index fc21f57d..905e5646 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -469,7 +469,11 @@ jobs:
           mkdir -p ~/.ssh
           echo "$SSH_PRIVATE_KEY" > "${HOME}/.ssh/deploy_key"
           chmod 600 "${HOME}/.ssh/deploy_key"
-          ssh-keyscan -T 5 "${{ env.K8S_SSH_HOST }}" > ~/.ssh/known_hosts 2>/dev/null
+          # 2026-05-13 Codex: keyscan must include ED25519 explicitly. Some
+          # OpenSSH builds otherwise record only RSA/ECDSA, then strict deploy
+          # SSH fails with "No ED25519 host key is known" after image push.
+          ssh-keyscan -T 5 -t ed25519,rsa,ecdsa "${K8S_SSH_HOST}" > "${HOME}/.ssh/known_hosts" 2>/dev/null
+          test -s "${HOME}/.ssh/known_hosts" || { echo "❌ K8S host keyscan failed: ${K8S_SSH_HOST}"; exit 1; }
           SSH_OPTS="-i ${HOME}/.ssh/deploy_key -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=${HOME}/.ssh/known_hosts -o ConnectTimeout=10"
           ssh $SSH_OPTS "wooo@${{ env.K8S_SSH_HOST }}" << SECRETS
           set -e
@@ -707,7 +711,10 @@ jobs:
           mkdir -p ~/.ssh
           echo "$SSH_PRIVATE_KEY" > "${HOME}/.ssh/deploy_key"
           chmod 600 "${HOME}/.ssh/deploy_key"
-          ssh-keyscan -T 5 "${{ env.K8S_SSH_HOST }}" > ~/.ssh/known_hosts 2>/dev/null
+          # 2026-05-13 Codex: mirror Inject K8s Secrets host-key handling so the
+          # deploy job never reaches SSH with a known_hosts file missing ED25519.
+          ssh-keyscan -T 5 -t ed25519,rsa,ecdsa "${K8S_SSH_HOST}" > "${HOME}/.ssh/known_hosts" 2>/dev/null
+          test -s "${HOME}/.ssh/known_hosts" || { echo "❌ K8S host keyscan failed: ${K8S_SSH_HOST}"; exit 1; }
           SSH_OPTS="-i ${HOME}/.ssh/deploy_key -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=${HOME}/.ssh/known_hosts -o ConnectTimeout=10"
 
           IMAGE_TAG="${{ github.sha }}"

From 9c9cf68063d64ce3a854a7738760a1a0e29fff81 Mon Sep 17 00:00:00 2001
From: AWOOOI CD <cd@awoooi.internal>
Date: Wed, 13 May 2026 19:00:59 +0800
Subject: [PATCH 2/2] chore(cd): deploy 3bad354 [skip ci]

---
 k8s/awoooi-prod/kustomization.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/k8s/awoooi-prod/kustomization.yaml b/k8s/awoooi-prod/kustomization.yaml
index 72e47048..8edb74ba 100644
--- a/k8s/awoooi-prod/kustomization.yaml
+++ b/k8s/awoooi-prod/kustomization.yaml
@@ -40,7 +40,7 @@ resources:
 images:
 - name: 192.168.0.110:5000/library/api:IMAGE_TAG_PLACEHOLDER
   newName: 192.168.0.110:5000/awoooi/api
-  newTag: cecadb331badac7aa4fb07922b892875c28a891a
+  newTag: 3bad354414edcef35406796b9b9e2cfb90b0740f
 - name: 192.168.0.110:5000/library/web:IMAGE_TAG_PLACEHOLDER
   newName: 192.168.0.110:5000/awoooi/web
-  newTag: cecadb331badac7aa4fb07922b892875c28a891a
+  newTag: 3bad354414edcef35406796b9b9e2cfb90b0740f