113 lines
4.0 KiB
YAML
113 lines
4.0 KiB
YAML
name: 🔐 SSH Connectivity Check
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
remote_path:
|
|
description: 'Remote directory path to inspect (optional)'
|
|
required: false
|
|
default: ''
|
|
type: string
|
|
ssh_port:
|
|
description: 'SSH port override (optional, default from secrets or 22)'
|
|
required: false
|
|
default: ''
|
|
type: string
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
check-ssh-and-list-files:
|
|
name: Check SSH and List Remote Files
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
SSH_HOST: ${{ secrets.SSH_HOST || secrets.ZY_SERVER_HOST }}
|
|
SSH_USER: ${{ secrets.SSH_USER || secrets.ZY_SERVER_USER }}
|
|
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY || secrets.ZY_SERVER_KEY }}
|
|
SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
|
|
SECRET_SSH_PORT: ${{ secrets.SSH_PORT }}
|
|
SECRET_REMOTE_PATH: ${{ secrets.REMOTE_PATH || secrets.ZY_SERVER_PATH }}
|
|
INPUT_SSH_PORT: ${{ github.event.inputs.ssh_port }}
|
|
INPUT_REMOTE_PATH: ${{ github.event.inputs.remote_path }}
|
|
steps:
|
|
- name: Validate required secrets
|
|
run: |
|
|
set -euo pipefail
|
|
[ -n "${SSH_HOST}" ] || { echo "❌ Missing secret: SSH_HOST (or fallback ZY_SERVER_HOST)"; exit 1; }
|
|
[ -n "${SSH_USER}" ] || { echo "❌ Missing secret: SSH_USER (or fallback ZY_SERVER_USER)"; exit 1; }
|
|
[ -n "${SSH_PRIVATE_KEY}" ] || { echo "❌ Missing secret: SSH_PRIVATE_KEY (or fallback ZY_SERVER_KEY)"; exit 1; }
|
|
|
|
- name: Setup SSH client configuration
|
|
run: |
|
|
set -euo pipefail
|
|
SSH_PORT_EFFECTIVE="${INPUT_SSH_PORT:-${SECRET_SSH_PORT:-22}}"
|
|
|
|
mkdir -p ~/.ssh
|
|
chmod 700 ~/.ssh
|
|
|
|
echo "::add-mask::${SSH_PRIVATE_KEY}"
|
|
printf '%s\n' "${SSH_PRIVATE_KEY}" > ~/.ssh/id_rsa
|
|
chmod 600 ~/.ssh/id_rsa
|
|
|
|
if [ -n "${SSH_KNOWN_HOSTS}" ]; then
|
|
printf '%s\n' "${SSH_KNOWN_HOSTS}" > ~/.ssh/known_hosts
|
|
else
|
|
echo "⚠️ SSH_KNOWN_HOSTS not set; using ssh-keyscan fallback for this run"
|
|
ssh-keyscan -p "${SSH_PORT_EFFECTIVE}" -H "${SSH_HOST}" > /tmp/ssh_known_hosts_scanned 2> /tmp/ssh_keyscan_stderr || true
|
|
[ -s /tmp/ssh_known_hosts_scanned ] || {
|
|
echo "❌ ssh-keyscan failed to retrieve host key"
|
|
cat /tmp/ssh_keyscan_stderr || true
|
|
exit 1
|
|
}
|
|
cat /tmp/ssh_known_hosts_scanned >> ~/.ssh/known_hosts
|
|
echo "Scanned host key fingerprints (verify out-of-band for production):"
|
|
ssh-keygen -lf /tmp/ssh_known_hosts_scanned || true
|
|
rm -f /tmp/ssh_known_hosts_scanned /tmp/ssh_keyscan_stderr
|
|
fi
|
|
chmod 600 ~/.ssh/known_hosts
|
|
|
|
{
|
|
echo "SSH_PORT_EFFECTIVE=${SSH_PORT_EFFECTIVE}"
|
|
} >> "$GITHUB_ENV"
|
|
|
|
- name: SSH connectivity test
|
|
run: |
|
|
set -euo pipefail
|
|
ssh -i ~/.ssh/id_rsa \
|
|
-p "${SSH_PORT_EFFECTIVE}" \
|
|
-o BatchMode=yes \
|
|
-o ConnectTimeout=10 \
|
|
-o StrictHostKeyChecking=yes \
|
|
"${SSH_USER}@${SSH_HOST}" \
|
|
"echo CONNECT_OK"
|
|
|
|
- name: List remote files
|
|
run: |
|
|
set -euo pipefail
|
|
REMOTE_PATH_EFFECTIVE="${INPUT_REMOTE_PATH:-${SECRET_REMOTE_PATH:-~}}"
|
|
|
|
ssh -i ~/.ssh/id_rsa \
|
|
-p "${SSH_PORT_EFFECTIVE}" \
|
|
-o BatchMode=yes \
|
|
-o ConnectTimeout=10 \
|
|
-o StrictHostKeyChecking=yes \
|
|
"${SSH_USER}@${SSH_HOST}" \
|
|
'bash -s' -- "${REMOTE_PATH_EFFECTIVE}" <<'REMOTE'
|
|
set -euo pipefail
|
|
remote_path="${1:-~}"
|
|
|
|
echo "REMOTE_PATH=${remote_path}"
|
|
echo "===== pwd ====="
|
|
pwd
|
|
echo "===== ls -lah ====="
|
|
ls -lah "${remote_path}"
|
|
echo "===== find (maxdepth 2, first 200 files) ====="
|
|
find "${remote_path}" -maxdepth 2 -type f | head -n 200
|
|
REMOTE
|
|
|
|
- name: Cleanup SSH key material
|
|
if: always()
|
|
run: |
|
|
rm -f ~/.ssh/id_rsa ~/.ssh/known_hosts
|