fix: bust stale Dagger cache and harden SSH key normalisation in Deployer #406

Merged
guettlibot merged 1 commit from refs/pull/406/head into main 2026-06-04 05:15:05 +00:00
guettlibot commented 2026-06-04 04:43:18 +00:00 (Migrated from codeberg.org)

Summary

Fixes the persistent Load key "/root/.ssh/id_ed25519": error in libcrypto failures in the deploy-apk and deploy-linux CI jobs (and the website workflow SSH steps) that have been occurring on every deploy run since the jobs first started running after #369.

Closes #404

Root cause (diagnosed from run #1516 log)

Two compounding problems were found:

  1. Stale Dagger cache — The tr -d \x27\r\x27 normalisation step added in #369 was shown as CACHED by Dagger on every subsequent run. Dagger caches by input-content hash; if the very first execution produced a corrupted key file, that broken cached layer is replayed forever.

  2. .ssh/ directory permissions — Dagger creates parent directories for secret mounts with 755 permissions. Mounting the raw key directly inside /root/.ssh/ may cause Dagger to (re-)create that directory with 755 instead of the 700 that OpenSSH requires.

Changes (ci/main.go — Deployer function only)

  • Explicit .ssh setup: mkdir -p /root/.ssh && chmod 700 /root/.ssh runs before any Dagger secret mount.
  • Move raw-key mount out of .ssh/: Secret mounted at /tmp/id_ed25519.raw.
  • Python3 normalisation instead of tr: Handles CRLF, bare-CR, and missing trailing newline. Changing the command changes the Dagger cache key, forcing a fresh read of the current live secret.

Test plan

  • deploy-apk job completes without error in libcrypto
  • deploy-linux job completes without error in libcrypto
  • publish-android (Play Store) job continues to succeed

🤖 Generated with Claude Code
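The normalisation and permission handling described in this PR, sketched as an added example that is not the code from ci/main.go or from this PR. The function names, the sample key and the choice to treat a bare CR as a line break are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Constructed sample, not a real key: CRLF after the header, a bare CR after
# the body, and no trailing newline after the footer.
SAMPLE_RAW = (b"-----BEGIN OPENSSH PRIVATE KEY-----\r\n"
              b"CONSTRUCTED+PLACEHOLDER+BODY\r"
              b"-----END OPENSSH PRIVATE KEY-----")

def normalise_key(raw: bytes) -> bytes:
    """Return the key with LF-only line endings and exactly one trailing newline."""
    # Replace CRLF first so the bare-CR pass does not turn it into two newlines.
    text = raw.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return text.rstrip(b"\n") + b"\n"

def install_key(raw: bytes, ssh_dir: str, name: str = "id_ed25519") -> str:
    """Write the normalised key as ssh_dir/name with modes 700 (dir) and 600 (file)."""
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    # makedirs honours the umask and leaves an existing directory untouched,
    # so set the mode explicitly (covers a directory pre-created as 755).
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)  # also tightens a file that already existed
        os.write(fd, normalise_key(raw))
    finally:
        os.close(fd)
    return path

def mode_of(path: str) -> int:
    """Permission bits of path, for example 0o700."""
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    """Install the sample key into a .ssh directory that starts out as 755."""
    with tempfile.TemporaryDirectory() as root:
        ssh_dir = os.path.join(root, ".ssh")
        os.mkdir(ssh_dir)
        os.chmod(ssh_dir, 0o755)  # simulate a parent directory created too open
        path = install_key(SAMPLE_RAW, ssh_dir)
        with open(path, "rb") as fh:
            return mode_of(ssh_dir), mode_of(path), fh.read()

if __name__ == "__main__":
    print(demo())
```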
