Fix SSH key permissions inside Docker container

Run container as root and chmod the mounted SSH key before executing the sfp CLI command. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 11:26:03 +10:00
parent 44020ee09f
commit 00a2a1347a
2 changed files with 26 additions and 6 deletions
@@ -97,15 +97,25 @@ jobs:
          fi

          # Run sfp CLI from inside the Docker image
+          # Copy SSH key into a temp dir with correct permissions (container may not run as root)
+          SSH_DIR=$(mktemp -d)
+          cp ~/.ssh/deploy_key "$SSH_DIR/deploy_key"
+          cp ~/.ssh/known_hosts "$SSH_DIR/known_hosts"
+          chmod 600 "$SSH_DIR/deploy_key"
+          chmod 644 "$SSH_DIR/known_hosts"
+
          docker run --rm \
-            -v ~/.ssh/deploy_key:/root/.ssh/deploy_key:ro \
-            -v ~/.ssh/known_hosts:/root/.ssh/known_hosts:ro \
+            --user root \
+            -v "$SSH_DIR/deploy_key":/root/.ssh/deploy_key:ro \
+            -v "$SSH_DIR/known_hosts":/root/.ssh/known_hosts:ro \
            -e DOCKER_REGISTRY \
            -e DOCKER_REGISTRY_TOKEN \
            -e ORIGIN_CERT \
            -e ORIGIN_KEY \
            "$SFP_IMAGE" \
-            bash -c "$INIT_CMD"
+            bash -c "chmod 600 /root/.ssh/deploy_key && $INIT_CMD"
+
+          rm -rf "$SSH_DIR"

      - name: Output init results
        if: always()
@@ -102,13 +102,23 @@ jobs:
          fi

          # Run sfp CLI from inside the Docker image
+          # Copy SSH key into a temp dir with correct permissions
+          SSH_DIR=$(mktemp -d)
+          cp ~/.ssh/deploy_key "$SSH_DIR/deploy_key"
+          cp ~/.ssh/known_hosts "$SSH_DIR/known_hosts"
+          chmod 600 "$SSH_DIR/deploy_key"
+          chmod 644 "$SSH_DIR/known_hosts"
+
          docker run --rm \
-            -v ~/.ssh/deploy_key:/root/.ssh/deploy_key:ro \
-            -v ~/.ssh/known_hosts:/root/.ssh/known_hosts:ro \
+            --user root \
+            -v "$SSH_DIR/deploy_key":/root/.ssh/deploy_key:ro \
+            -v "$SSH_DIR/known_hosts":/root/.ssh/known_hosts:ro \
            -e DOCKER_REGISTRY \
            -e DOCKER_REGISTRY_TOKEN \
            "$SFP_IMAGE" \
-            bash -c "$UPDATE_CMD"
+            bash -c "chmod 600 /root/.ssh/deploy_key && $UPDATE_CMD"
+
+          rm -rf "$SSH_DIR"

      - name: Output update results
        if: always()