[chore] access private modules via ssh instead of tokens (#94)

* go.mod fix Signed-off-by: borg-z <me@nikolay-z.top>
deckhouse · Feb 25, 2025 · 1e30b3e · 1e30b3e
1 parent 4c456ba
commit 1e30b3e
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 17 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -9,9 +9,8 @@ on:
       - "main"
 
 env:
-  GOPRIVATE: fox.flant.com
-  PRIVATE_REPO: fox.flant.com
-  PRIVATE_REPO_TOKEN: ${{ secrets.PRIVATE_REPO_TOKEN }}
+  GOPRIVATE: "flant.internal"
+  PRIVATE_REPO: "${{secrets.DECKHOUSE_PRIVATE_REPO}}"
 
 permissions:
   contents: write
@@ -26,7 +25,7 @@ jobs:
       - name: Install dependency for linux-amd64 dist
         env:
           DEBIAN_FRONTEND: noninteractive
-        run: apt-get update && apt-get install -y apt-utils libbtrfs-dev file git gcc
+        run: apt-get update && apt-get install -y apt-utils libbtrfs-dev file git gcc dnsutils
 
       - name: Checkout
         uses: actions/checkout@v4
@@ -42,9 +41,32 @@ jobs:
       - name: Setup Task
         uses: arduino/setup-task@v2
 
+      - name: Start ssh-agent
+        uses: webfactory/ssh-agent@v0.9.0
+        with:
+          ssh-private-key: |
+            ${{secrets.SOURCE_REPO_SSH_KEY}}
+            
+      - name: Add ssh_known_hosts
+        run: |
+          echo "::add-mask::$PRIVATE_REPO"
+          IPS=$(nslookup "$PRIVATE_REPO" | awk '/^Address: / { print $2 }')
+          for IP in $IPS; do
+            echo "::add-mask::$IP"
+          done
+          mkdir -p /root/.ssh
+          touch /root/.ssh/known_hosts
+          HOST_KEYS=$(ssh-keyscan -H "$PRIVATE_REPO" 2>/dev/null)
+          echo "$HOST_KEYS" | while IFS= read -r KEY_LINE; do
+            CONSTANT_PART=$(echo "$KEY_LINE" | awk '{print $2, $3}')
+            if ! grep -q "$CONSTANT_PART" /root/.ssh/known_hosts; then
+              echo "$KEY_LINE" >> /root/.ssh/known_hosts
+            fi
+          done
+
       - name: Setup git
         run: |
-          git config --global url."https://gitlab-ci-token:${PRIVATE_REPO_TOKEN}@${PRIVATE_REPO}/".insteadOf https://${PRIVATE_REPO}/
+          git config --global url."ssh://git@${PRIVATE_REPO}/".insteadOf "https://flant.internal/"
           git config --global --add safe.directory '*'
 
       - name: Build and package
@@ -66,7 +88,7 @@ jobs:
       - name: Install dependency for linux-amd64 dist
         env:
           DEBIAN_FRONTEND: noninteractive
-        run: apt-get update && apt-get install -y apt-utils libbtrfs-dev file git gcc
+        run: apt-get update && apt-get install -y apt-utils libbtrfs-dev file git gcc dnsutils
 
       - name: Checkout
         uses: actions/checkout@v4
@@ -82,10 +104,34 @@ jobs:
       - name: Setup Task
         uses: arduino/setup-task@v2
 
+      - name: Start ssh-agent
+        uses: webfactory/ssh-agent@v0.9.0
+        with:
+          ssh-private-key: |
+            ${{secrets.SOURCE_REPO_SSH_KEY}}
+
+      - name: Add ssh_known_hosts
+        run: |
+          echo "::add-mask::$PRIVATE_REPO"
+          IPS=$(nslookup "$PRIVATE_REPO" | awk '/^Address: / { print $2 }')
+          for IP in $IPS; do
+            echo "::add-mask::$IP"
+          done
+          mkdir -p /root/.ssh
+          touch /root/.ssh/known_hosts
+          HOST_KEYS=$(ssh-keyscan -H "$PRIVATE_REPO" 2>/dev/null)
+          echo "$HOST_KEYS" | while IFS= read -r KEY_LINE; do
+            CONSTANT_PART=$(echo "$KEY_LINE" | awk '{print $2, $3}')
+            if ! grep -q "$CONSTANT_PART" /root/.ssh/known_hosts; then
+              echo "$KEY_LINE" >> /root/.ssh/known_hosts
+            fi
+          done
+          
       - name: Setup git
         run: |
-          git config --global url."https://gitlab-ci-token:${PRIVATE_REPO_TOKEN}@${PRIVATE_REPO}/".insteadOf https://${PRIVATE_REPO}/
+          git config --global url."ssh://git@${PRIVATE_REPO}/".insteadOf "https://flant.internal/"
           git config --global --add safe.directory '*'
 
       - name: Run tests
-        run: task test
+        run: |
+          task test
diff --git a/go.mod b/go.mod
@@ -583,9 +583,9 @@ replace (
 	github.com/distribution/reference => github.com/distribution/reference v0.5.0
 	github.com/docker/cli => github.com/docker/cli v25.0.6+incompatible
 	github.com/docker/docker => github.com/docker/docker v25.0.6+incompatible
-	github.com/hashicorp/vault => fox.flant.com/team/foxtrot/stronghold.git/images/stronghold v1.1.4
-	github.com/hashicorp/vault/api => fox.flant.com/team/foxtrot/stronghold.git/images/stronghold/api v1.1.4
-	github.com/hashicorp/vault/sdk => fox.flant.com/team/foxtrot/stronghold.git/images/stronghold/sdk v1.1.4
+	github.com/hashicorp/vault => flant.internal/team/foxtrot/stronghold.git/images/stronghold v1.1.4
+	github.com/hashicorp/vault/api => flant.internal/team/foxtrot/stronghold.git/images/stronghold/api v1.1.4
+	github.com/hashicorp/vault/sdk => flant.internal/team/foxtrot/stronghold.git/images/stronghold/sdk v1.1.4
 	github.com/jaguilar/vt100 => github.com/tonistiigi/vt100 v0.0.0-20190402012908-ad4c4a574305 // upstream not maintained
 	go.cypherpunks.ru/gogost/v5 v5.13.0 => github.com/flant/gogost/v5 v5.13.0
 )
diff --git a/go.sum b/go.sum
@@ -46,12 +46,12 @@ dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
-fox.flant.com/team/foxtrot/stronghold.git/images/stronghold v1.1.4 h1:oa57mg3eM9Izb8n86oeH545EZ3kicEkHoOx0pLMgdRI=
-fox.flant.com/team/foxtrot/stronghold.git/images/stronghold v1.1.4/go.mod h1:IEtXhdUAfKvKICfioKawHfP2mmLFppIHGsm/uGd5xK0=
-fox.flant.com/team/foxtrot/stronghold.git/images/stronghold/api v1.1.4 h1:EUq3SmJUXGAEM79ZLyXHi+KUqteERAgq8Cq9DRuQMCU=
-fox.flant.com/team/foxtrot/stronghold.git/images/stronghold/api v1.1.4/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8=
-fox.flant.com/team/foxtrot/stronghold.git/images/stronghold/sdk v1.1.4 h1:Bpocg21RfpN5T7oWXb7d/kJRZp2Jt37ytVWqt0qhGWM=
-fox.flant.com/team/foxtrot/stronghold.git/images/stronghold/sdk v1.1.4/go.mod h1:gG0lA7P++KefplzvcD3vrfCmgxVAM7Z/SqX5NeOL/98=
+flant.internal/team/foxtrot/stronghold.git/images/stronghold v1.1.4 h1:0z+4dV/qAKUTh3VdQxExZESPBfHqxegJPQmrFZOKpy4=
+flant.internal/team/foxtrot/stronghold.git/images/stronghold v1.1.4/go.mod h1:IEtXhdUAfKvKICfioKawHfP2mmLFppIHGsm/uGd5xK0=
+flant.internal/team/foxtrot/stronghold.git/images/stronghold/api v1.1.4 h1:7hXbTNt14jBEeykfKrzxorpaf/sKPS051/bm52yxTEk=
+flant.internal/team/foxtrot/stronghold.git/images/stronghold/api v1.1.4/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8=
+flant.internal/team/foxtrot/stronghold.git/images/stronghold/sdk v1.1.4 h1:EwRn0YVZJYEHOypzp2rxKtxjBISSLalSQXXOVMa49Es=
+flant.internal/team/foxtrot/stronghold.git/images/stronghold/sdk v1.1.4/go.mod h1:gG0lA7P++KefplzvcD3vrfCmgxVAM7Z/SqX5NeOL/98=
 github.com/14rcole/gopopulate v0.0.0-20180821133914-b175b219e774 h1:SCbEWT58NSt7d2mcFdvxC9uyrdcTfvBbPLThhkDmXzg=
 github.com/14rcole/gopopulate v0.0.0-20180821133914-b175b219e774/go.mod h1:6/0dYRLLXyJjbkIPeeGyoJ/eKOSI0eU6eTlCBYibgd0=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=