CI: Handle SSH host keys in upload script

Add a known_hosts option when opening SFTP connections in the upload script, to validate that the host we are connecting to is indeed the one we expect. The data in OpenSSH's known_hosts format is picked from the UPLOAD_SSH_KNOWN_HOSTS environment variable.
Igalia · Nov 6, 2023 · b86a9ea · b86a9ea
1 parent fa681e3
commit b86a9ea
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -40,3 +40,4 @@ jobs:
           exit 0
         env:
           UPLOAD_KEY_PASSWD: ${{ secrets.UPLOAD_KEY_PASSWD }}
+          UPLOAD_SSH_KNOWN_HOSTS: ${{ secrets.UPLOAD_SSH_KNOWN_HOSTS }}
diff --git a/.github/workflows/upload.py b/.github/workflows/upload.py
@@ -74,7 +74,9 @@ def __repr__(self) -> str:
 
 
 async def with_sftp(fn, *arg, **kw):
-    async with asyncssh.connect("wpewebkit.org", port=7575, username="www-data", passphrase=os.getenv("UPLOAD_KEY_PASSWD")) as conn:
+    async with asyncssh.connect("wpewebkit.org", port=7575, username="www-data",
+                                known_hosts=asyncssh.import_known_hosts(os.getenv("UPLOAD_SSH_KNOWN_HOSTS")),
+                                passphrase=os.getenv("UPLOAD_KEY_PASSWD")) as conn:
         async with conn.start_sftp_client() as sftp:
             return await fn(sftp, *arg, **kw)