refactor(ci): use RPM_REPO_HOST env var, add SSH connectivity test

- Set RPM_REPO_HOST=oolon.kosherinata.internal as a plain env var instead of treating the hostname as a secret via RSYNC_TARGET - Add explicit SSH connectivity test step using StrictHostKeyChecking=accept-new - Remove ssh-keyscan in favour of accept-new which provides meaningful errors - Remove RSYNC_TARGET secret dependency Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-27 09:23:54 +03:00
parent ba5eec78f1
commit cacdbebbf7
2 changed files with 12 additions and 4 deletions
--- a/.gitea/workflows/build-release.yml
+++ b/.gitea/workflows/build-release.yml
@@ -159,10 +159,15 @@ jobs:
        run: |
          install --directory --mode 700 ~/.ssh
          echo "${RSYNC_SSH_KEY}" | install --mode 600 /dev/stdin ~/.ssh/id_ed25519
-          ssh-keyscan -H oolon.kosherinata.internal >> ~/.ssh/known_hosts
        env:
          RSYNC_SSH_KEY: ${{ secrets.RSYNC_SSH_KEY }}

+      - name: Test SSH connectivity
+        run: |
+          ssh -o StrictHostKeyChecking=accept-new "gitea_ci@${RPM_REPO_HOST}" exit
+        env:
+          RPM_REPO_HOST: oolon.kosherinata.internal
+
      - name: Sync RPMs to repo
        run: |
          rsync \
@@ -170,9 +175,13 @@ jobs:
            --verbose \
            --chmod D755,F644 \
            rpms/*.rpm \
-            "${{ secrets.RSYNC_TARGET }}:/var/www/rpm/fedora/${{ matrix.fedora_version }}/x86_64/"
+            "gitea_ci@${RPM_REPO_HOST}:/var/www/rpm/fedora/${{ matrix.fedora_version }}/x86_64/"
+        env:
+          RPM_REPO_HOST: oolon.kosherinata.internal

      - name: Update repo metadata
        run: |
-          ssh "${{ secrets.RSYNC_TARGET }}" \
+          ssh "gitea_ci@${RPM_REPO_HOST}" \
            "cd /var/www/rpm/fedora/${{ matrix.fedora_version }}/x86_64 && createrepo_c --update ."
+        env:
+          RPM_REPO_HOST: oolon.kosherinata.internal