From cacdbebbf73acceac41bd422478db69c0005f621 Mon Sep 17 00:00:00 2001
From: rob thijssen
Date: Mon, 27 Apr 2026 09:23:54 +0300
Subject: [PATCH] refactor(ci): use RPM_REPO_HOST env var, add SSH connectivity test

- Set RPM_REPO_HOST=oolon.kosherinata.internal as a plain env var instead of treating the hostname as a secret via RSYNC_TARGET
- Add explicit SSH connectivity test step using StrictHostKeyChecking=accept-new
- Remove ssh-keyscan in favour of accept-new which provides meaningful errors
- Remove RSYNC_TARGET secret dependency

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .gitea/workflows/build-release.yml | 15 ++++++++++++---
 readme.md | 1 -
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/.gitea/workflows/build-release.yml b/.gitea/workflows/build-release.yml
index ebbf73e..c5c9602 100644
--- a/.gitea/workflows/build-release.yml
+++ b/.gitea/workflows/build-release.yml
@@ -159,10 +159,15 @@ jobs:
 run: |
 install --directory --mode 700 ~/.ssh
 echo "${RSYNC_SSH_KEY}" | install --mode 600 /dev/stdin ~/.ssh/id_ed25519
- ssh-keyscan -H oolon.kosherinata.internal >> ~/.ssh/known_hosts
 env:
 RSYNC_SSH_KEY: ${{ secrets.RSYNC_SSH_KEY }}
 
+ - name: Test SSH connectivity
+ run: |
+ ssh -o StrictHostKeyChecking=accept-new "gitea_ci@${RPM_REPO_HOST}" exit
+ env:
+ RPM_REPO_HOST: oolon.kosherinata.internal
+
 - name: Sync RPMs to repo
 run: |
 rsync \
@@ -170,9 +175,13 @@ jobs:
 --verbose \
 --chmod D755,F644 \
 rpms/*.rpm \
- "${{ secrets.RSYNC_TARGET }}:/var/www/rpm/fedora/${{ matrix.fedora_version }}/x86_64/"
+ "gitea_ci@${RPM_REPO_HOST}:/var/www/rpm/fedora/${{ matrix.fedora_version }}/x86_64/"
+ env:
+ RPM_REPO_HOST: oolon.kosherinata.internal
 
 - name: Update repo metadata
 run: |
- ssh "${{ secrets.RSYNC_TARGET }}" \
+ ssh "gitea_ci@${RPM_REPO_HOST}" \
 "cd /var/www/rpm/fedora/${{ matrix.fedora_version }}/x86_64 && createrepo_c --update ."
+ env:
+ RPM_REPO_HOST: oolon.kosherinata.internal
diff --git a/readme.md b/readme.md
index 6d6ee28..3715252 100644
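Review bot: In the new "Test SSH connectivity" step of `.gitea/workflows/build-release.yml`, `StrictHostKeyChecking=accept-new` records whatever host key is presented on first contact, so on a runner that starts with an empty `~/.ssh/known_hosts` (likely here, since the preceding step creates `~/.ssh`) every run trusts the key it is offered, and the later rsync and `createrepo_c` steps inherit that entry. The removed `ssh-keyscan` had the same trust-on-first-use property, so this is not a regression, but the upload of release RPMs is where a verified host identity matters. Consider storing the server's public host key as a repository variable and writing it in the key-setup step, e.g. `echo "${RPM_REPO_HOST_KEY}" >> ~/.ssh/known_hosts` (the variable name is a placeholder), then using `-o StrictHostKeyChecking=yes -o BatchMode=yes` in the test. The key-setup step begins above this hunk.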
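Review bot: The new rsync destination line in "Sync RPMs to repo" still splices `${{ matrix.fedora_version }}` into the script text before the shell runs, and the unchanged remote command in "Update repo metadata" hands the same value to a shell on the repo host. The matrix definition is outside this hunk; if it is ever derived from dispatch inputs, that value becomes shell input on both machines. Since this commit already routes the host through `env:`, do the same for the version: add `FEDORA_VERSION: ${{ matrix.fedora_version }}` to each step's `env:` and reference `${FEDORA_VERSION}` in the paths. Separately, `RPM_REPO_HOST` is now declared in three step-level `env:` blocks (twice here and once in the connectivity test in the previous hunk); a single job-level `env:` entry would keep them from drifting apart. The rsync command itself begins outside this hunk.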
--- a/readme.md
+++ b/readme.md
@@ -117,5 +117,4 @@ The build-release workflow requires the following secrets:
 | `DISPATCH_TOKEN` | Gitea API token for triggering builds |
 | `RPM_SIGNING_KEY`| ASCII-armored GPG signing subkey |
 | `RPM_SIGNING_KEY_ID` | GPG key UID (`rpm@lair.cafe`) |
-| `RSYNC_TARGET` | SSH target for rsync (e.g. `gitea_ci@oolon`) |
 | `RSYNC_SSH_KEY` | SSH private key for the `gitea_ci` user |