refactor(action, workflows): optimize known hosts handling and remove…

… noop script action.sh: • Improved SSH keyscan logic to filter comments from known hosts. • Removed redundant chmod as it’s handled implicitly. • Ensured unset for SSH_KNOWN_HOSTS_FILE for cleanup. post_action.sh: • Introduced logic to clean up the last entry in known_hosts. • Improved clarity and consistency with explicit unset for temporary variables. post_check.sh: • Added a check to validate known_hosts does not retain specific SSH fingerprints post-execution. • pull_request.yml: • Simplified steps by merging noop logic into the post-check script. • Removed noop.sh, ensuring streamlined workflow execution. These updates enhance security, maintain clean execution contexts, and reduce redundant scripting.
apter-tech · Jan 3, 2025 · b7b542a · b7b542a
1 parent 1c9dbd0
commit b7b542a
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 32 deletions.
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -14,23 +14,21 @@ jobs:
     runs-on: ${{ matrix.os }}      
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Setup post check known hosts
-        uses: pyTooling/Actions/with-post-step@9ceefdbf5dceae8c441fc393ed82344c7ca8bbdb # v3.1.1
-        with:
-          main: |
-            sh noop.sh
-          post: |
-            sh post_check.sh
       - name: Setup SSH key
         uses: ./
         with:
           ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
           ssh-known-hosts: ${{ secrets.SSH_KNOWN_HOSTS }}
           log-public-key: false
-      - name: Check known hosts
-        shell: bash
-        run: |
-          sh check.sh
+      - name: Check known hosts file
+        uses: pyTooling/Actions/with-post-step@9ceefdbf5dceae8c441fc393ed82344c7ca8bbdb # v3.1.1
+        env:
+          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
+        with:
+          main: |
+            sh check.sh
+          post: |
+            sh post_check.sh
       - name: Install docker (Missing on MacOS)
         if: runner.os == 'macos'
         shell: bash

diff --git a/action.sh b/action.sh
@@ -26,13 +26,13 @@ ssh-keyscan can help in the detection of tampered keyfiles or man in the middle
 the ssh_known_hosts file was created."
 
         if [ -z "${SSH_KEY_TYPE}" ]; then
-            if ! ssh-keyscan "${SSH_HOST}" >> "${SSH_KNOWN_HOSTS_FILE}"; then
+            if ! ssh-keyscan "${SSH_HOST} | grep -o '^[^#]*'" >> "${SSH_KNOWN_HOSTS_FILE}"; then
                 echo "::error file=$(basename "$0"),line=${LINENO},endLine=${LINENO},title=SSH Keyscan Failed::\
 Failed to scan SSH host keys for ${SSH_HOST}"
                 exit 1
             fi
         else
-            if ! ssh-keyscan -t "${SSH_KEY_TYPE}" "${SSH_HOST}" >> "${SSH_KNOWN_HOSTS_FILE}"; then
+            if ! ssh-keyscan -t "${SSH_KEY_TYPE}" "${SSH_HOST}" | grep -o '^[^#]*' >> "${SSH_KNOWN_HOSTS_FILE}"; then
                 echo "::error file=$(basename "$0"),line=${LINENO},endLine=${LINENO},title=SSH Keyscan Failed::\
 Failed to scan SSH host keys for ${SSH_HOST}"
                 exit 1
@@ -42,6 +42,4 @@ Failed to scan SSH host keys for ${SSH_HOST}"
     fi
 fi
 
-chmod 600 "${SSH_KNOWN_HOSTS_FILE}"
-
 unset SSH_KNOWN_HOSTS_FILE
diff --git a/noop.sh b/noop.sh
diff --git a/post_action.sh b/post_action.sh
@@ -1,10 +1,12 @@
 #!/usr/bin/env sh
 
-if [ -z "${SSH_KNOWN_HOSTS_FILE}" ]; then
-    echo "::error file=$(basename "$0"),line=${LINENO},endLine=${LINENO},title=Notice::\
-${SSH_KNOWN_HOSTS_FILE} environment variable must be set."
-#else
-    # rm -rf "${SSH_KNOWN_HOSTS_FILE}"
-    #echo "::notice file=$(basename "$0"),line=${LINENO},endLine=${LINENO},title=Notice::\
-#${SSH_KNOWN_HOSTS_FILE} has been removed."
-fi
+TEMP_FILE="/tmp/718f4157-5493-43b2-837b-3ccb27f78e7b"
+
+head --lines=-1 "${SSH_KNOWN_HOSTS_FILE}" > "${TEMP_FILE}"
+cat "${TEMP_FILE}" > "${SSH_KNOWN_HOSTS_FILE}"
+rm -rf "${TEMP_FILE}"
+
+echo "::notice file=$(basename "$0"),line=${LINENO},endLine=${LINENO},title=Notice::\
+${SSH_KNOWN_HOSTS_FILE} has been cleaned."
+
+unset TEMP_FILE
diff --git a/post_check.sh b/post_check.sh
@@ -1,8 +1,11 @@
 #!/usr/bin/env sh
 
-if [ -s "${HOME}/.ssh/known_hosts" ]; then
-    echo "ok"
-    #echo "::error file=$(basename "$0"),line=${LINENO},endLine=${LINENO},title=Assertion Error::\
-#~/.ssh/known_hosts file should not exist after the job."
-    #exit 1
-fi
+SSH_KNOWN_HOSTS_FILE="${HOME}/.ssh/known_hosts"
+
+if ! grep -q "${SSH_KNOWN_HOSTS}" "${SSH_KNOWN_HOSTS_FILE}" ; then
+    echo "::error file=$(basename "$0"),line=${LINENO},endLine=${LINENO},title=Assertion Error::\
+${SSH_KNOWN_HOSTS_FILE} file should not contain the ssh fingerprint after the job."
+    exit 1
+fi
+
+unset SSH_KNOWN_HOSTS_FILE