## Summary
- Replaces `StrictHostKeyChecking=no` with a pinned SSH host key (`known_hosts`) across the entire deploy pipeline
- Adds `knownHosts *dagger.Secret` parameter to `Deployer()`, `DeployLinux()`, `DeployApk()`, `PublishWebsite()`, `BuildWebsite()`, and `GenerateBuildHistory()` in `ci/main.go`
- Mounts the `SSH_KNOWN_HOSTS` secret at `/root/.ssh/known_hosts` (mode 0644) in both the Deployer container and the GenerateBuildHistory container
- Removes `-o StrictHostKeyChecking=no` from all `ssh`/`scp`/`rsync` calls in `ci/main.go` and `scripts/generate_build_history.py`
- Updates Taskfile dagger tasks (`deploy-linux`, `deploy-apk`, `publish-website`) to require and pass `SSH_KNOWN_HOSTS`
- Fixes non-Dagger Taskfile tasks to write `SSH_KNOWN_HOSTS` to `~/.ssh/known_hosts` before SSH commands
- Updates `.forgejo/workflows/deploy.yml` to pass `SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}`
- Updates `.github/workflows/ci.yml` SSH setup step to populate `known_hosts`
## Setup required
Run `ssh-keyscan <deploy-host>` on a trusted machine and store the output as a Codeberg secret named `SSH_KNOWN_HOSTS`.
## Test plan
- [ ] Verify `StrictHostKeyChecking=no` no longer appears anywhere in the codebase
- [ ] Confirm `SSH_KNOWN_HOSTS` secret is added to Codeberg repository secrets before deploy workflow runs
- [ ] Deploy job passes after secret is set
Closes #161
🤖 Generated with [Claude Code](https://claude.com/claude-code)
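The two non-Dagger steps the PR describes, writing `SSH_KNOWN_HOSTS` to `~/.ssh/known_hosts` before any SSH command and checking that `StrictHostKeyChecking=no` is gone from the tree, as an added POSIX shell example that is not part of this pull request or the project's Taskfile. The host name `deploy.example.org` and the key blobs in the comments are constructed placeholders, not real keys; the validator only checks the plain `host keytype base64` shape that `ssh-keyscan` emits and deliberately rejects hashed (`|1|...`) entries and anything with an unexpected key type, so a mis-pasted secret fails the job instead of silently producing an empty or unusable file.

```shell
#!/bin/sh
# Added example (not from the PR): install a pinned known_hosts from the
# SSH_KNOWN_HOSTS secret and verify the repository no longer disables host
# key checking. Everything here is an assumption about how the Taskfile
# step could be written, not the project's own code.
set -eu

# Key types ssh-keyscan emits by default; any other type is rejected.
KNOWN_TYPES='ssh-ed25519 ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521'

# validate_known_hosts <file>: every non-comment line must be
# "<host> <keytype> <base64 blob>" and at least one such line must exist.
# Hashed entries (|1|...) are not accepted by this simplified validator.
validate_known_hosts() {
    awk -v types="$KNOWN_TYPES" '
        BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        /^[ \t]*(#|$)/ { next }
        {
            if (NF < 3 || !($2 in ok) || $3 !~ /^[A-Za-z0-9+\/]+=*$/) bad++
            else good++
        }
        END { exit (bad > 0 || good == 0) ? 1 : 0 }
    ' "$1"
}

# install_known_hosts: write $SSH_KNOWN_HOSTS to $HOME/.ssh/known_hosts with
# private permissions. Refuses to proceed (and leaves any existing file
# untouched) when the secret is missing or malformed.
install_known_hosts() {
    if [ -z "${SSH_KNOWN_HOSTS:-}" ]; then
        echo "SSH_KNOWN_HOSTS is not set; refusing to run SSH without a pinned host key" >&2
        return 1
    fi
    # umask persists in the calling shell, which is what we want for the
    # SSH commands that follow in the same task.
    umask 077
    mkdir -p "$HOME/.ssh"
    tmp="$HOME/.ssh/known_hosts.tmp"
    printf '%s\n' "$SSH_KNOWN_HOSTS" > "$tmp"
    if ! validate_known_hosts "$tmp"; then
        rm -f "$tmp"
        echo "SSH_KNOWN_HOSTS does not look like ssh-keyscan output" >&2
        return 1
    fi
    mv "$tmp" "$HOME/.ssh/known_hosts"
}

# check_no_insecure_ssh <dir>: the test-plan grep. Returns 1 (and prints the
# offending lines) if StrictHostKeyChecking=no survives anywhere under <dir>.
check_no_insecure_ssh() {
    if grep -rn 'StrictHostKeyChecking=no' "$1" 2>/dev/null; then
        return 1
    fi
    return 0
}
```

Run `install_known_hosts` as the first command of each non-Dagger deploy task; with `set -e` in effect a missing or malformed secret aborts the task before `ssh`, `scp` or `rsync` ever run, which is the behaviour the pinned-key approach needs (a fallback to accepting whatever key the server presents would reintroduce the weakness the PR removes).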