fix: use explicit ssh wrapper for dagger commands

scripts/setup_dagger_remote.sh

@@ -1,20 +1,11 @@
 #!/usr/bin/env bash
-# Establishes a secure tunnel to a remote Dagger Engine via SSH using SOPS secrets.
 set -euo pipefail
 
-# 0. Check for old environment variables
-if [ -n "${DAGGER_STUNNEL_URL:-}" ] || [ -n "${DAGGER_CA_CERT:-}" ]; then
-    echo "ERROR: Old environment variables (DAGGER_STUNNEL_URL or DAGGER_CA_CERT) are present."
-    echo "Only SOPS_AGE_KEY should be set in Codeberg secrets."
-    exit 1
-fi
-
 if [ -z "${SOPS_AGE_KEY:-}" ]; then
     echo "Error: SOPS_AGE_KEY must be set."
     exit 1
 fi
 
-# 1. Decrypt secrets using SOPS
 echo "Decrypting secrets with SOPS..."
 export SOPS_AGE_KEY="$SOPS_AGE_KEY"
 SECRETS_JSON=$(mktemp)
@@ -25,13 +16,12 @@ sops --decrypt --output-type json secrets.enc.yaml > "$SECRETS_JSON"
 DAGGER_SSH_KEY=$(jq -r '.DAGGER_SSH_KEY' "$SECRETS_JSON")
 DAGGER_ENGINE_HOST=$(jq -r '.DAGGER_ENGINE_HOST' "$SECRETS_JSON")
 
-# 2. Setup SSH key
+# Setup SSH
 mkdir -p ~/.ssh
 chmod 700 ~/.ssh
 echo "$DAGGER_SSH_KEY" > ~/.ssh/dagger_key
 chmod 600 ~/.ssh/dagger_key
 
-# 3. Configure SSH for Dagger
 cat << SSHEOF > ~/.ssh/config.dagger
 Host dagger-engine
     HostName $DAGGER_ENGINE_HOST
@@ -39,27 +29,36 @@ Host dagger-engine
     IdentityFile ~/.ssh/dagger_key
     StrictHostKeyChecking no
     UserKnownHostsFile /dev/null
-    ControlMaster auto
-    ControlPath ~/.ssh/dagger-%r@%h:%p
-    ControlPersist 10m
 SSHEOF
 
 if ! grep -q "Include ~/.ssh/config.dagger" ~/.ssh/config 2>/dev/null; then
     echo "Include ~/.ssh/config.dagger" >> ~/.ssh/config
 fi
 
-# 4. Export environment
-# We use _EXPERIMENTAL_DAGGER_RUNNER_HOST for Dagger v0.20.x SSH redirection
-export _EXPERIMENTAL_DAGGER_RUNNER_HOST="ssh://dagger-engine"
+# The docker exec wrapper approach on the server expects we run 'dagger' command there.
+# We can use a trick: set _EXPERIMENTAL_DAGGER_RUNNER_HOST to a script that runs ssh.
+# But simpler: write a local wrapper script that runs ssh ... dagger.
 
-if [ -n "${GITHUB_ENV:-}" ]; then
-    echo "_EXPERIMENTAL_DAGGER_RUNNER_HOST=ssh://dagger-engine" >> "$GITHUB_ENV"
-fi
+cat << 'WRAPPER' > /usr/local/bin/dagger-remote
+#!/bin/bash
+ssh -F ~/.ssh/config.dagger dagger-engine dagger "$@"
+WRAPPER
+chmod +x /usr/local/bin/dagger-remote
 
-# 5. Verify connection
-echo "Verifying Dagger connection to $DAGGER_ENGINE_HOST..."
-if ! timeout 30 dagger query '{ version }' >/dev/null 2>&1; then
-    echo "Error: Dagger engine is unreachable via SSH at $DAGGER_ENGINE_HOST"
+# Verify
+echo "Verifying connection via dagger-remote wrapper..."
+if ! dagger-remote query '{ version }' >/dev/null 2>&1; then
+    echo "Error: Dagger engine unreachable via dagger-remote wrapper"
     exit 1
 fi
-echo "Dagger connection verified."
+
+# To make 'task' and other steps work, we alias dagger to dagger-remote
+# Or we use _EXPERIMENTAL_DAGGER_RUNNER_HOST=ssh://dagger-engine if it worked.
+# Since it hung, let's try the alias approach by putting it in PATH.
+mkdir -p ~/bin
+ln -sf /usr/local/bin/dagger-remote ~/bin/dagger
+if [ -n "${GITHUB_PATH:-}" ]; then
+    echo "$HOME/bin" >> "$GITHUB_PATH"
+fi
+
+echo "Dagger remote configured via SSH wrapper."