Backup: SSH Security Improvements

thearchivalone · Nov 22, 2024 · adcae9d · adcae9d
1 parent a079e41
commit adcae9d
Showing 1 changed file with 70 additions and 22 deletions.
diff --git a/.github/workflows/github-action-mirror-sync.yml b/.github/workflows/github-action-mirror-sync.yml
@@ -16,14 +16,21 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-
+      - name: Setup secure connection
+        id: secure
+        run: |
+          env
+          mkdir -p ~/.ssh
+          echo "${{ secrets.SSH_KEY_PRIVATE }}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keyscan -t rsa bitbucket.org > ~/.ssh/known_hosts
       - name: Sync up to Bitbucket
         id: sync
-        uses: quantran-novobi/sync-up-to-bitbucket-action@v1
+        uses: yesolutions/mirror-action@master
         with:
-          bitbucket_repository_name: brs-psp-research-initiative
-          bitbucket_workspace_name: the_archival_one
-          bitbucket_access_token: ${{ secrets.BITBUCKET_ACCESS_TOKEN }}
+          REMOTE: '[email protected]:the_archival_one/brs-psp-research-initiative.git'
+          GIT_SSH_PRIVATE_KEY: ${{ secrets.SSH_KEY_PRIVATE }}
+          GIT_SSH_KNOWN_HOSTS: ~/.ssh/known_hosts
 
   codeberg:
     runs-on: ubuntu-24.04
@@ -33,13 +40,21 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+      - name: Setup secure connection
+        id: secure
+        run: |
+          env
+          mkdir -p ~/.ssh
+          echo "${{ secrets.SSH_KEY_PRIVATE }}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keyscan -t rsa codeberg.org > ~/.ssh/known_hosts
       - name: Sync up to Codeberg
         id: sync
         uses: yesolutions/mirror-action@master
         with:
-          REMOTE: 'https://codeberg.org/thearchivalone/BRS-PSP-Research-Initiative.git'
-          GIT_USERNAME: thearchivalone
-          GIT_PASSWORD: ${{ secrets.CODEBERG_PASSWORD }}
+          REMOTE: 'git@codeberg.org:thearchivalone/BRS-PSP-Research-Initiative.git'
+          GIT_SSH_PRIVATE_KEY: ${{ secrets.SSH_KEY_PRIVATE }}
+          GIT_SSH_KNOWN_HOSTS: ~/.ssh/known_hosts
 
   beanstalk:
     runs-on: ubuntu-24.04
@@ -49,45 +64,70 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+      - name: Setup secure connection
+        id: secure
+        run: |
+          env
+          mkdir -p ~/.ssh
+          echo "${{ secrets.SSH_KEY_PRIVATE }}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keyscan -t rsa beanstalkapp.com > ~/.ssh/known_hosts
       - name: Sync up to Beanstalk
         id: sync
         uses: yesolutions/mirror-action@master
         with:
-          REMOTE: 'https://the-archival-one.git.beanstalkapp.com/brs-psp-research-initiative.git'
-          GIT_USERNAME: thearchivalone
-          GIT_PASSWORD: ${{ secrets.BEANSTALK_PASSWORD }}
+          REMOTE: 'git@the-archival-one.git.beanstalkapp.com:/the-archival-one/brs-psp-research-initiative.git'
+          GIT_SSH_PRIVATE_KEY: ${{ secrets.SSH_KEY_PRIVATE }}
+          GIT_SSH_KNOWN_HOSTS: ~/.ssh/known_hosts
 
-  GitGud:
+  gitgud:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout repository
         id: checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+      - name: Setup secure connection
+        id: secure
+        run: |
+          env
+          mkdir -p ~/.ssh
+          echo "${{ secrets.SSH_KEY_PRIVATE }}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keyscan -t rsa gitgud.io > ~/.ssh/known_hosts
       - name: Sync up to GitGud
         id: sync
         uses: yesolutions/mirror-action@master
         with:
-          REMOTE: 'https://gitgud.io/thearchivalone/brs-psp-research-initiative.git'
-          GIT_USERNAME: thearchivalone
-          GIT_PASSWORD: ${{ secrets.GITGUD_TOKEN }}
+          REMOTE: 'git@ssh.gitgud.io:thearchivalone/brs-psp-research-initiative.git'
+          GIT_SSH_PRIVATE_KEY: ${{ secrets.SSH_KEY_PRIVATE }}
+          GIT_SSH_KNOWN_HOSTS: ~/.ssh/known_hosts
 
-  GitLab:
+  gitlab:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout repository
         id: checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+      - name: Setup secure connection
+        id: secure
+        run: |
+          env
+          mkdir -p ~/.ssh
+          echo "${{ secrets.SSH_KEY_PRIVATE }}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keyscan -t rsa gitlab.com > ~/.ssh/known_hosts
       - name: Sync up to GitLab
         id: sync
         uses: yesolutions/mirror-action@master
         with:
-          REMOTE: 'https://gitlab.com/thearchivalone1/BRS-PSP-Research-Initiative.git'
-          GIT_USERNAME: thearchivalone
-          GIT_PASSWORD: ${{ secrets.GITLAB_TOKEN }}
+          REMOTE: '[email protected]:thearchivalone1/BRS-PSP-Research-Initiative.git'
+          GIT_SSH_PRIVATE_KEY: ${{ secrets.SSH_KEY_PRIVATE }}
+          GIT_SSH_KNOWN_HOSTS: ~/.ssh/known_hosts
+
   sourceforge:
     runs-on: ubuntu-24.04
     steps:
@@ -96,13 +136,21 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+      - name: Setup secure connection
+        id: secure
+        run: |
+          env
+          mkdir -p ~/.ssh
+          echo "${{ secrets.SSH_KEY_PRIVATE }}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keyscan -t rsa sourceforge.net > ~/.ssh/known_hosts
       - name: Sync up to Sourceforge
         id: sync
         uses: yesolutions/mirror-action@master
         with:
-          REMOTE: 'https://[email protected]/p/brs-psp-research-initiative-1/code'
-          GIT_USERNAME: thearchivalone
-          GIT_PASSWORD: ${{ secrets.SF_PASSWORD }}
+          REMOTE: 'ssh://[email protected]/p/brs-psp-research-initiative-1/code'
+          GIT_SSH_PRIVATE_KEY: ${{ secrets.SSH_KEY_PRIVATE }}
+          GIT_SSH_KNOWN_HOSTS: ~/.ssh/known_hosts
 
   archive:
     runs-on: ubuntu-24.04