#!/usr/bin/env bash
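#######################################
# Start an ssh-agent and load the private key passed in SSH_KEY into it.
# Does nothing when SSH_KEY is unset or empty.
# Globals:   SSH_KEY (read), SSH_AUTH_SOCK (written and exported)
# Arguments: none
# Outputs:   progress messages via info
# Returns:   0 when no key is configured or the key was loaded; exits via
#            fatal when the agent cannot be started or the key is rejected
#######################################
function SetupSshAgent() {
  # Nothing to do unless the caller supplied a private key.
  if [[ -z "${SSH_KEY:-}" ]]; then
    return 0
  fi

  info "--------------------------------------------"
  info "SSH key found, setting up agent..."

  # Fixed socket path so that processes started later in the same
  # environment can find the agent. ssh-agent refuses to bind when the
  # path already exists; the status check turns that into a hard error
  # instead of silently continuing with no agent (and a later ssh-add
  # talking to whatever socket happens to be at that path).
  export SSH_AUTH_SOCK=/tmp/ssh_agent.sock
  if ! ssh-agent -a "${SSH_AUTH_SOCK}" >/dev/null; then
    fatal "Failed to start ssh-agent on ${SSH_AUTH_SOCK}"
  fi

  # Feed the key through a pipe from the printf builtin rather than a
  # here-string: no external process sees the key on its command line and
  # bash does not have to spill it into a temporary file. ssh-add's stderr
  # is kept so the reason for a rejected key is visible in the log.
  if ! printf '%s\n' "${SSH_KEY}" | ssh-add -; then
    fatal "Failed to add the SSH key from SSH_KEY to the agent"
  fi
}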
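#######################################
# Print the SHA256 fingerprint of GitHub's SSH RSA host key as published by
# the GitHub meta API, prefixed with "SHA256:" so it matches the format
# printed by `ssh-keygen -l`.
# Globals:   GITHUB_META_URL (read), GITHUB_TOKEN (read)
# Arguments: none
# Outputs:   the fingerprint on stdout, e.g. SHA256:<base64 digest>
# Returns:   0 on success; exits via fatal when the API call fails or the
#            response carries no RSA fingerprint
#######################################
function GetGitHubSshRsaKeyFingerprint() {
  local meta_response
  # stderr is merged into the captured output so that curl's error
  # message ends up in the fatal message below.
  if ! meta_response=$(
    curl -f -s --show-error -X GET \
      --url "${GITHUB_META_URL}" \
      -H 'Accept: application/vnd.github.v3+json' \
      -H "Authorization: Bearer ${GITHUB_TOKEN}" \
      -H "X-GitHub-Api-Version: 2022-11-28" 2>&1
  ); then
    fatal "Failed to get GitHub RSA key fingerprint from ${GITHUB_META_URL}: ${meta_response}"
  fi

  # `// empty` maps a missing or null field to an empty string, so a
  # response without the expected key is rejected here rather than
  # producing the literal "SHA256:null", which would make every later
  # host-key verification fail for a confusing reason.
  local rsa_fingerprint
  if ! rsa_fingerprint=$(jq -r '.ssh_key_fingerprints.SHA256_RSA // empty' <<<"${meta_response}") ||
    [[ -z "${rsa_fingerprint}" ]]; then
    fatal "Response from ${GITHUB_META_URL} does not contain .ssh_key_fingerprints.SHA256_RSA"
  fi

  echo "SHA256:${rsa_fingerprint}"
}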
# Export the function into the environment so that child bash processes
# (not only the current shell) can call it.
export -f GetGitHubSshRsaKeyFingerprint
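#######################################
# Add the GitHub SSH host key to ~/.ssh/known_hosts after verifying its
# fingerprint against the one GitHub publishes through its meta API.
# Runs only when a private key was supplied (SSH_KEY) or SSH_SETUP_GITHUB
# is "true".
# Globals:   SSH_KEY, SSH_SETUP_GITHUB, SSH_INSECURE_NO_VERIFY_GITHUB_KEY,
#            GITHUB_DOMAIN (read); GITHUB_RSA_FINGERPRINT (written)
# Arguments: none
# Outputs:   progress and diagnostics via info/debug/warn/error
# Returns:   0 when the key was added or nothing had to be done; the status
#            of error when the host key could not be fetched or verified;
#            exits via fatal when the published fingerprint is unavailable
#######################################
function SetupGithubComSshKeys() {
  # Defaults keep the test safe even when the variables are unset
  # (e.g. under set -u); behaviour is unchanged when they are set.
  if [[ -z "${SSH_KEY:-}" && "${SSH_SETUP_GITHUB:-}" != "true" ]]; then
    return 0
  fi

  info "Adding ${GITHUB_DOMAIN} SSH keys"

  # Fetched out of band from
  # https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
  # The helper runs in a subshell, so its fatal only ends that subshell;
  # the status check is what propagates the failure to this function.
  # GITHUB_RSA_FINGERPRINT is deliberately left global, as before, in case
  # other code reads it.
  if ! GITHUB_RSA_FINGERPRINT="$(GetGitHubSshRsaKeyFingerprint)"; then
    fatal "Could not determine the published ${GITHUB_DOMAIN} RSA key fingerprint"
  fi
  debug "${GITHUB_DOMAIN} key RSA key fingerprint: ${GITHUB_RSA_FINGERPRINT}"

  # Scan into a private temporary file rather than a fixed name under
  # /tmp, where a pre-existing file or symlink could be swapped in.
  local scanned_key_file
  scanned_key_file=$(mktemp) || fatal "Failed to create a temporary file for the ${GITHUB_DOMAIN} host key"
  # ssh-keyscan versions differ in whether an unreachable host yields a
  # non-zero status, so an empty result file is checked for as well.
  if ! ssh-keyscan -t rsa "${GITHUB_DOMAIN}" >"${scanned_key_file}" 2>/dev/null ||
    [[ ! -s "${scanned_key_file}" ]]; then
    rm -f -- "${scanned_key_file}"
    error "Could not fetch the RSA host key of ${GITHUB_DOMAIN}. SSH requests to ${GITHUB_DOMAIN} will likely fail."
    return
  fi

  local trust_key=false
  if [[ "${SSH_INSECURE_NO_VERIFY_GITHUB_KEY:-}" == "true" ]]; then
    warn "Skipping ${GITHUB_DOMAIN} key verification and adding without checking fingerprint"
    trust_key=true
  elif [[ "$(ssh-keygen -lf "${scanned_key_file}")" == "3072 ${GITHUB_RSA_FINGERPRINT} ${GITHUB_DOMAIN} (RSA)" ]]; then
    # The whole `ssh-keygen -l` line is compared, so key size, fingerprint,
    # host name and key type all have to match the expected values.
    info "Successfully verified ${GITHUB_DOMAIN} key"
    trust_key=true
  else
    error "Could not verify ${GITHUB_DOMAIN} key. SSH requests to ${GITHUB_DOMAIN} will likely fail."
  fi

  if [[ "${trust_key}" == "true" ]]; then
    # -m 700 only applies when ~/.ssh is created here; an existing
    # directory keeps its mode.
    mkdir -p -m 700 ~/.ssh
    cat -- "${scanned_key_file}" >>~/.ssh/known_hosts
  fi
  rm -f -- "${scanned_key_file}"
}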