From a35d149e0a9071a9892a8148022abc645d24ea6e Mon Sep 17 00:00:00 2001 From: seth Date: Sun, 19 Nov 2023 05:24:17 -0500 Subject: [PATCH] actions: don't disable host key verification --- .github/workflows/autobot.yaml | 4 ++-- .github/workflows/deploy.yaml | 26 +++++++++++++------------- .github/workflows/update-inputs.yaml | 2 +- .github/workflows/update-lock.yaml | 11 +++++++---- .github/workflows/update-nixpkgs.yaml | 2 +- 5 files changed, 24 insertions(+), 21 deletions(-) diff --git a/.github/workflows/autobot.yaml b/.github/workflows/autobot.yaml index 9401d459..fa33623e 100644 --- a/.github/workflows/autobot.yaml +++ b/.github/workflows/autobot.yaml @@ -1,4 +1,4 @@ -name: auto-merge dependabot +name: Auto-merge Dependabot on: pull_request @@ -17,7 +17,7 @@ jobs: with: github-token: ${{ github.token }} - - name: enable auto-merge + - name: Enable auto-merge if: steps.metadata.outputs.update-type == 'version-update:semver-patch' run: gh pr merge --auto --rebase "$PR" env: diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index dd47015c..b9691a5a 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -1,4 +1,4 @@ -name: deploy systems +name: Deploy systems on: check_suite: 
@@ -22,28 +22,28 @@ jobs: steps: - uses: actions/checkout@v4 - - name: install nix + - name: Install Nix uses: nixbuild/nix-quick-install-action@v26 - - name: connect to tailscale + - name: Connect to Tailscale uses: tailscale/github-action@v2 with: - oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }} - oauth-secret: ${{ secrets.TS_OAUTH_SECRET }} - tags: tag:gha + oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }} + oauth-secret: ${{ secrets.TS_OAUTH_SECRET }} + tags: tag:gha - - name: disable host key verification for ssh + - name: run: | set -eux [ ! -d ~/.ssh ] && mkdir -p ~/.ssh - cat >> ~/.ssh/config << EOF - Host * - StrictHostKeyChecking no - UserKnownHostsFile=/dev/null - EOF + pubkeys=( + "atlas ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7YiSYYx/+zmVOPSCERHzSsMeUQtA+Vt1W0sLUw4YhK" + ) - - name: deploy all systems + for key in "${pubkeys[@]}"; do echo "$key" >> ~/.ssh/known_hosts; done + + - name: Run deploy run: | nix develop --accept-flake-config \ --command bash \ diff --git a/.github/workflows/update-inputs.yaml b/.github/workflows/update-inputs.yaml index 8d795dc6..037c767e 100644 --- a/.github/workflows/update-inputs.yaml +++ b/.github/workflows/update-inputs.yaml @@ -1,4 +1,4 @@ -name: update all flake inputs +name: Update all flake inputs on: schedule: diff --git a/.github/workflows/update-lock.yaml b/.github/workflows/update-lock.yaml index 0813ea1a..f9cdfed8 100644 --- a/.github/workflows/update-lock.yaml +++ b/.github/workflows/update-lock.yaml @@ -1,4 +1,4 @@ -name: update flake lock +name: Update flake.lock on: workflow_call: @@ -20,11 +20,14 @@ on: jobs: update: runs-on: ubuntu-latest + steps: - uses: actions/checkout@v4 - - uses: nixbuild/nix-quick-install-action@v26 - - name: update lockfile + - name: Install Nix + uses: nixbuild/nix-quick-install-action@v26 + + - name: Update lockfile & make PR uses: DeterminateSystems/update-flake-lock@v20 id: update with: 
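Review bot: The step that writes `~/.ssh/known_hosts` is left with an empty `- name:`, which parses as null and leaves the job log without a label for the host-key pinning; give it a name such as `- name: Pin SSH host keys` (the deploy step's `run:` block continues past `--command bash \` outside this hunk). The entry `atlas ssh-ed25519 …` only matches when the deploy connects to the host literally as `atlas`; if the deploy command (not visible here) uses a MagicDNS FQDN or a Tailscale IP, ssh will not find the key and, with no TTY to answer the `ask` prompt, fails with "Host key verification failed", so list every form actually used, e.g. `"atlas,atlas.<tailnet>.ts.net ssh-ed25519 AAAA…"`. With the old `Host *` block removed ssh now relies on the implicit `StrictHostKeyChecking ask` default; writing `printf 'Host *\n  StrictHostKeyChecking yes\n' >> ~/.ssh/config` in the same step makes the fail-closed intent explicit and keeps it if another step later drops an `accept-new` or `ask` into the config. The `[ ! -d ~/.ssh ] && mkdir -p ~/.ssh` guard is redundant given `mkdir -p` and reads better as `mkdir -p ~/.ssh && chmod 700 ~/.ssh`.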
@@ -33,7 +36,7 @@ jobs: pr-title: ${{ inputs.commit-msg }} token: ${{ secrets.token }} - - name: enable auto-merge + - name: Enable auto-merge shell: bash run: gh pr merge --auto --rebase "$PR_ID" env: diff --git a/.github/workflows/update-nixpkgs.yaml b/.github/workflows/update-nixpkgs.yaml index c8cccdf1..ad02bc77 100644 --- a/.github/workflows/update-nixpkgs.yaml +++ b/.github/workflows/update-nixpkgs.yaml @@ -1,4 +1,4 @@ -name: update nixpkgs flake inputs +name: Update nixpkgs flake inputs on: schedule: