From 9463c44034d52b1c9c82d5b5538c3c5b01b98b3c Mon Sep 17 00:00:00 2001
From: Bryan Joshua Pedini
Date: Sun, 1 Feb 2026 18:25:55 +0100
Subject: [PATCH] feat(deploy): improve ssh key handling and deployment security

- Remove hardcoded SSH private key file path from workflow
- Use proper SSH directory structure (~/.ssh/) for key storage
- Add known_hosts file for improved SSH security
- Move environment variables to dedicated env block
- Remove StrictHostKeyChecking=no for better security
- Update deploy script to use proper SSH key path
- Maintain deployment path configuration via environment variables
---
 .gitea/workflows/deploy.yaml | 19 ++++++++++++-------
 deploy.sh | 13 +++++--------
 2 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index 6f16986..c9cda49 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -17,8 +17,6 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - run: echo "${{ secrets.SSH_PRIVATE_KEY }}" > /private.key
- - run: chmod 600 /private.key
 - run: |
 export HUGO_VERSION=$(curl --silent -I https://github.com/gohugoio/hugo/releases/latest | grep location | sed 's|.*tag/||' | tr -d '\r')
 export HUGO_VERSION_SHORT=$(echo ${HUGO_VERSION} | sed 's/v//')
@@ -27,10 +25,17 @@ jobs:
 - uses: actions/checkout@v4
 with:
 submodules: true
- - run: APP_VERSION=latest make
 - run: |
- export SSH_PRIVATE_KEY=/private.key
- export SSH_USERNAME=${{ secrets.SSH_USERNAME }}
- export DEPLOYMENT_HOST=${{ secrets.DEPLOYMENT_HOST }}
- export DEPLOYMENT_PATH=${{ secrets.DEPLOYMENT_PATH }}
+ mkdir -p ~/.ssh/
+ echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
+ chmod 600 ~/.ssh/id_ed25519
+ echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
+ make
 make deploy
+ env:
+ SSH_USERNAME: ${{ vars.SSH_USERNAME }}
+ SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+ SSH_KNOWN_HOSTS: ${{ vars.SSH_KNOWN_HOSTS }}
+ DEPLOYMENT_HOST: ${{ vars.DEPLOYMENT_HOST }}
+ DEPLOYMENT_PATH: ${{ vars.DEPLOYMENT_PATH }}
+ APP_VERSION: ${{ vars.GITHUB_REF_NAME }}
diff --git a/deploy.sh b/deploy.sh
index 9c1c20b..3e54b78 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -5,7 +5,6 @@ set -e
 # FLOW
 ###
 #
-# if the private key variable is set, prepend "-i" to it
 # if the username variable is set, append the at sign to it
 # if either the deployment host or deployment path variables are not set, return an error
 # tarball the built website and scp it to the deployment host
@@ -13,11 +12,6 @@ set -e
 # then remove everything in the data path, untar the tarball and reload the server
 # finally remove the tarball, both from the remote host and locally (cleanup)
 
-# Check if the private key variable is set
-if [ ! -z "${SSH_PRIVATE_KEY}" ]; then
- SSH_PRIVATE_KEY="-i ${SSH_PRIVATE_KEY}"
-fi
-
 # Check if the username variable is set
 if [ ! -z "${SSH_USERNAME}" ]; then
 SSH_USERNAME="${SSH_USERNAME}@"
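Review bot: `APP_VERSION: ${{ vars.GITHUB_REF_NAME }}` looks up a repository/organization variable named GITHUB_REF_NAME rather than the run's ref, so unless such a variable has been defined it presumably expands to an empty string and `make` now builds with an empty APP_VERSION where the removed line passed `latest`; the ref is available from the context as `APP_VERSION: ${{ github.ref_name }}`. The same run block writes `~/.ssh/known_hosts` from `$SSH_KNOWN_HOSTS` without checking that the variable is set, and with StrictHostKeyChecking no longer disabled an empty known_hosts makes the non-interactive ssh/scp in deploy.sh fail at the host-key confirmation instead of at an obvious place, so failing early is clearer: `: "${SSH_KNOWN_HOSTS:?SSH_KNOWN_HOSTS must hold the deployment host key}"`. Creating the directory as `mkdir -p -m 700 ~/.ssh` also matches the 600 mode given to the key file. The enclosing job starts outside the hunk.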
@@ -29,9 +23,12 @@ if [ -z "${DEPLOYMENT_HOST}" ] || [ -z "${DEPLOYMENT_PATH}" ]; then
 exit 1
 fi
 
+# Compress the built website and scp it to the remote host
 tar -czf httpdocs.tgz -C public .
-scp -o StrictHostKeyChecking=no ${SSH_PRIVATE_KEY} httpdocs.tgz ${SSH_USERNAME}${DEPLOYMENT_HOST}:/tmp/httpdocs.tgz
-ssh -o StrictHostKeyChecking=no ${SSH_PRIVATE_KEY} ${SSH_USERNAME}${DEPLOYMENT_HOST} "DEPLOYMENT_PATH=$DEPLOYMENT_PATH bash" << 'EOF'
+scp ${SSH_PRIVATE_KEY} httpdocs.tgz ${SSH_USERNAME}${DEPLOYMENT_HOST}:/tmp/httpdocs.tgz
+
+# SSH to the remote host, cd to the deployment path, and deploy the website (delete and overwrite everything)
+ssh ${SSH_PRIVATE_KEY} ${SSH_USERNAME}${DEPLOYMENT_HOST} "DEPLOYMENT_PATH=$DEPLOYMENT_PATH bash" << 'EOF'
 cd ${DEPLOYMENT_PATH}
 DATAPATH=$(cat .env | grep "NGINX_DATA" | sed "s/NGINX_DATA=//g")
 rm -rf ${DATAPATH}/{*,.*}
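Review bot: `scp ${SSH_PRIVATE_KEY} httpdocs.tgz …` and the `ssh ${SSH_PRIVATE_KEY} …` line below it still expand SSH_PRIVATE_KEY even though the block that turned it into an `-i <path>` option has been removed, and the workflow hunk now exports SSH_PRIVATE_KEY as the key material itself; if `make deploy` runs this script with the step's environment, the unquoted expansion splits the key text into scp/ssh arguments, which breaks both commands and places private-key fragments in their argv, where error output and process listings can expose them. Because the key is now written to `~/.ssh/id_ed25519`, ssh's default identity, the variable references can simply be dropped: `scp httpdocs.tgz ${SSH_USERNAME}${DEPLOYMENT_HOST}:/tmp/httpdocs.tgz` and `ssh ${SSH_USERNAME}${DEPLOYMENT_HOST} "DEPLOYMENT_PATH=$DEPLOYMENT_PATH bash" << 'EOF'`. If an explicit identity path is wanted later, it should arrive under a name other than the secret's. The heredoc opened by the ssh line continues past the end of the hunk.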