diff --git a/.github/workflows/init.yml b/.github/workflows/init.yml
index d59b491..96a92fb 100644
--- a/.github/workflows/init.yml
+++ b/.github/workflows/init.yml
@@ -97,15 +97,25 @@ jobs:
 fi
 # Run sfp CLI from inside the Docker image
+ # Copy SSH key into a temp dir with correct permissions (container may not run as root)
+ SSH_DIR=$(mktemp -d)
+ cp ~/.ssh/deploy_key "$SSH_DIR/deploy_key"
+ cp ~/.ssh/known_hosts "$SSH_DIR/known_hosts"
+ chmod 600 "$SSH_DIR/deploy_key"
+ chmod 644 "$SSH_DIR/known_hosts"
+
 docker run --rm \
- -v ~/.ssh/deploy_key:/root/.ssh/deploy_key:ro \
- -v ~/.ssh/known_hosts:/root/.ssh/known_hosts:ro \
+ --user root \
+ -v "$SSH_DIR/deploy_key":/root/.ssh/deploy_key:ro \
+ -v "$SSH_DIR/known_hosts":/root/.ssh/known_hosts:ro \
 -e DOCKER_REGISTRY \
 -e DOCKER_REGISTRY_TOKEN \
 -e ORIGIN_CERT \
 -e ORIGIN_KEY \
 "$SFP_IMAGE" \
- bash -c "$INIT_CMD"
+ bash -c "chmod 600 /root/.ssh/deploy_key && $INIT_CMD"
+
+ rm -rf "$SSH_DIR"
 - name: Output init results
 if: always()
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index 444ac43..a672c9e 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -102,13 +102,23 @@ jobs:
 fi
 # Run sfp CLI from inside the Docker image
+ # Copy SSH key into a temp dir with correct permissions
+ SSH_DIR=$(mktemp -d)
+ cp ~/.ssh/deploy_key "$SSH_DIR/deploy_key"
+ cp ~/.ssh/known_hosts "$SSH_DIR/known_hosts"
+ chmod 600 "$SSH_DIR/deploy_key"
+ chmod 644 "$SSH_DIR/known_hosts"
+
 docker run --rm \
- -v ~/.ssh/deploy_key:/root/.ssh/deploy_key:ro \
- -v ~/.ssh/known_hosts:/root/.ssh/known_hosts:ro \
+ --user root \
+ -v "$SSH_DIR/deploy_key":/root/.ssh/deploy_key:ro \
+ -v "$SSH_DIR/known_hosts":/root/.ssh/known_hosts:ro \
 -e DOCKER_REGISTRY \
 -e DOCKER_REGISTRY_TOKEN \
 "$SFP_IMAGE" \
- bash -c "$UPDATE_CMD"
+ bash -c "chmod 600 /root/.ssh/deploy_key && $UPDATE_CMD"
+
+ rm -rf "$SSH_DIR"
 - name: Output update results
 if: always()
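Review bot: The trailing `rm -rf "$SSH_DIR"` in init.yml only executes when `docker run` exits 0; under the GitHub Actions default `bash -e` shell a failing init aborts the step first, so the copied deploy key stays behind in the runner's temp directory. On a GitHub-hosted runner that copy dies with the VM, but on a self-hosted runner it persists and is readable by any later job running as the same user. Register the cleanup right after `SSH_DIR=$(mktemp -d)` with `trap 'rm -rf "$SSH_DIR"' EXIT` so it also fires on failure and cancellation; the trailing `rm -rf` then becomes redundant. The enclosing `run:` step begins before this hunk (the leading `fi` closes a conditional that is not visible here).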
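Review bot: The `chmod 600 /root/.ssh/deploy_key &&` prepended to the `bash -c` command in update.yml cannot help and can break the run: the key is bind-mounted `:ro`, and Linux refuses metadata changes on a read-only mount with EROFS, so the chmod is expected to fail and the `&&` then short-circuits `$UPDATE_CMD` entirely. The mode is already set to 600 on the host copy before mounting, so keep the original `bash -c "$UPDATE_CMD"` and drop the in-container chmod. Separately, the new `--user root` forces the sfp CLI to run as uid 0 even if `$SFP_IMAGE` was built to run as an unprivileged user; if the only goal is satisfying ssh's key-ownership check, document that in the comment (the update.yml comment omits the rationale that init.yml gives) so a later reader does not treat the root override as incidental. The enclosing `run:` step starts before this hunk.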