mirror of
https://github.com/BigBodyCobain/Shadowbroker.git
synced 2026-05-30 02:49:32 +02:00
Shadowbroker
41799f9891
* feat(ci): switch mirror-to-github job from PAT to per-repo SSH deploy key GitHub fine-grained PATs are capped at 366 days, classic PATs would need 'public_repo' (broader scope than needed). Per-repo SSH deploy keys are tighter: - Can ONLY push to BigBodyCobain/Shadowbroker (no access to anything else, not even other repos owned by the same account). - Never expire. - Rotating == one-click delete on github.com/.../settings/keys. Changes: - New CI/CD variable GITHUB_MIRROR_SSH_KEY (File, Protected) holding the ed25519 private half. Public half lives on the repo's deploy keys with write access enabled. - mirror-to-github before_script writes the key to ~/.ssh/id_ed25519, pins github.com host fingerprints (ed25519 + ecdsa + rsa from the 2023-03-24 rotation) into ~/.ssh/known_hosts so we never trust a MITM, then pushes via git@github.com:... instead of HTTPS. - Job rule now gates on GITHUB_MIRROR_SSH_KEY (the new var) instead of GITHUB_MIRROR_TOKEN (which never existed). After this lands, every commit pushed directly to GitLab main will mirror back to GitHub main automatically — closing the loop on bi-directional sync. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * fix(secret-scan): exempt SSH known_hosts entries from leaked-key detection PR #331 introduced github.com host fingerprints pinned in .gitlab-ci.yml's mirror-to-github before_script. The scanner flagged them as embedded secrets and blocked CI: BLOCKED: Embedded secrets/tokens found in: .gitlab-ci.yml 133: github.com ssh-ed25519 AAAA... 135: github.com ssh-rsa AAAA... These are PUBLIC host keys — the whole point of pinning known_hosts is to publish the fingerprint widely so a MITM is detectable. They are documented at https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints and committing them is the correct, secure practice. Fix: add a KNOWN_HOSTS_LINE regex to the content-scan block that recognizes `<host-or-ip> [salt] <algo> AAAA...` shape lines (the exact format used in ~/.ssh/known_hosts) and filters them out before flagging the file. Bare `ssh-rsa AAAA...` lines without a host prefix are still caught — only the host-key shape is exempt. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>