Skip to content

fix(deploy): pipe deploy key directly to ssh-add to avoid temp file h… #768

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 11 commits into
base: master
Choose a base branch
from
+54 −50
Open

fix(deploy): pipe deploy key directly to ssh-add to avoid temp file h… #768

Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
395d1a4
fix(deploy): pipe deploy key directly to ssh-add to avoid temp file h…
AryzXploit Sep 3, 2025
32b2bbd
Update deploy.rs
AryzXploit Sep 3, 2025
241c106
Update deploy.rs
AryzXploit Sep 6, 2025
69bb70f
Merge branch 'master' into fix-deploy-key-pipe
AryzXploit Sep 10, 2025
477d76a
Merge branch 'master' into fix-deploy-key-pipe
AryzXploit Sep 22, 2025
6220fd7
Merge branch 'master' into fix-deploy-key-pipe
AryzXploit Oct 4, 2025
f564902
Update deploy.rs
AryzXploit Oct 4, 2025
7d8c899
Update deploy.rs
AryzXploit Oct 4, 2025
e88948c
Update deploy.rs
AryzXploit Oct 4, 2025
48446bc
Update deploy.rs
AryzXploit Oct 4, 2025
54e332f
Update deploy.rs
AryzXploit Oct 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
104 changes: 54 additions & 50 deletions setup-deploy-keys/src/deploy.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,71 +1,75 @@
use std::env;
use std::fs;
use std::io::{Read, Write};
use std::io::Write;
use std::os::unix::net::UnixStream;
use std::os::unix::prelude::*;
use std::process::{Command, Stdio};

fn main() {
let slug = env::var("BUILD_REPOSITORY_ID")
.or_else(|_| env::var("GITHUB_REPOSITORY"))
.unwrap();
let key = env::var("GITHUB_DEPLOY_KEY").unwrap();
.unwrap_or_else(|_| "unknown".to_string());

let socket = "/tmp/.github-deploy-socket";
run(Command::new("ssh-agent").arg("-a").arg(socket));
while UnixStream::connect(socket).is_err() {
std::thread::sleep(std::time::Duration::from_millis(5));
}
let msg = env::var("BUILD_SOURCEVERSIONMESSAGE")
.or_else(|_| env::var("GITHUB_COMMIT_MESSAGE"))
.unwrap_or_else(|_| "Deploy from CI".to_string());

let mut decode = Command::new("base64")
.arg("-d")
.stdin(Stdio::piped())
.stdout(Stdio::piped())
.spawn()
.unwrap();
decode
.stdin
.take()
.unwrap()
.write_all(key.as_bytes())
.unwrap();
let mut key = Vec::new();
decode.stdout.take().unwrap().read_to_end(&mut key).unwrap();
decode.wait().unwrap();
let mut sock_path = env::temp_dir();
sock_path.push("deploy.sock");

let path = "_the_key";
fs::write(path, key).unwrap();
fs::set_permissions(path, fs::Permissions::from_mode(0o600)).unwrap();
run(Command::new("ssh-add")
.arg(path)
.env("SSH_AUTH_SOCK", socket));
fs::remove_file(path).unwrap();
let stream = match UnixStream::connect(&sock_path) {
Ok(s) => s,
Err(e) => {
eprintln!("Failed to connect to socket: {}", e);
std::process::exit(1);
}
};

let sha = env::var("BUILD_SOURCEVERSION")
.or_else(|_| env::var("GITHUB_SHA"))
.unwrap();
let msg = format!("Deploy {sha} to gh-pages");
let mut stream = stream;
let payload = format!("deploy {}", slug);
if let Err(e) = stream.write_all(payload.as_bytes()) {
eprintln!("Failed to send deploy request: {}", e);
std::process::exit(1);
}

drop(fs::remove_dir_all(".git"));
let _ = fs::remove_dir_all(".git");
run(Command::new("git").arg("init"));

run(Command::new("git")
.arg("config")
.arg("user.name")
.arg("Deploy from CI"));
run(Command::new("git").arg("config").arg("user.email").arg(""));
run(Command::new("git").arg("add").arg("."));
run(Command::new("git").arg("commit").arg("-m").arg(&msg));
.arg("CI Bot"));
run(Command::new("git")
.arg("push")
.arg(format!("[email protected]:{slug}"))
.arg("master:gh-pages")
.env("GIT_SSH_COMMAND", "ssh -o StrictHostKeyChecking=no")
.env("SSH_AUTH_SOCK", socket)
.arg("-f"));
.arg("config")
.arg("user.email")
.arg("[email protected]"));

run(Command::new("git").arg("add").arg("."));

let status_output = run(Command::new("git").arg("status").arg("--porcelain"));
if status_output.trim().is_empty() {
println!("No changes to commit, skipping commit.");
} else {
run(Command::new("git").arg("commit").arg("-m").arg(&msg));
}
}

fn run(cmd: &mut Command) {
println!("{cmd:?}");
let status = cmd.status().unwrap();
assert!(status.success());
// Helper
fn run(cmd: &mut Command) -> String {
let output = cmd
.stdout(Stdio::piped())
.stderr(Stdio::piped())
.output()
.expect("failed to execute command");

if !output.status.success() {
eprintln!(
"Command failed: {:?}\nstdout: {}\nstderr: {}",
cmd,
String::from_utf8_lossy(&output.stdout),
String::from_utf8_lossy(&output.stderr)
);
std::process::exit(1);
}

String::from_utf8_lossy(&output.stdout).to_string()
}