From f18b45e3f26d6c375f5ff5eed47b16282fe545e2 Mon Sep 17 00:00:00 2001 From: Vantz Stockwell Date: Thu, 11 Jun 2026 20:31:48 -0400 Subject: [PATCH] fix(ci): base64-decode minisign secret key (CI mangles multi-line); bump alpha.8 The 'Sign artifacts' step failed on alpha.7 with 'Error while loading the secret key file' (exit 2): minisign downloaded and ran, but the reconstructed key file was unparseable. A minisign secret key is two lines (comment + base64 blob); Gitea/act_runner secret storage mangles the embedded newline, collapsing it to one line. Decode the secret as base64 (single-line, mangling-proof) with auto-detect fallback to a raw two-line key. Fails loudly with the fix command if the secret is neither form. Requires re-storing MINISIGN_SECRET_KEY as: base64 < secret.key | tr -d '\n' Co-Authored-By: Claude Opus 4.8 --- .gitea/workflows/build-host-agent.yml | 16 +++++++++++++++- corrosion-host-agent/Cargo.lock | 2 +- corrosion-host-agent/Cargo.toml | 2 +- 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/.gitea/workflows/build-host-agent.yml b/.gitea/workflows/build-host-agent.yml index 4cfc3a4..3a7bdeb 100644 --- a/.gitea/workflows/build-host-agent.yml +++ b/.gitea/workflows/build-host-agent.yml 
@@ -81,7 +81,21 @@ jobs: MINISIGN="$(find /tmp -type f -name minisign -path '*linux*' | head -1)" chmod +x "$MINISIGN" "$MINISIGN" -v - printf '%s\n' "$MINISIGN_SECRET_KEY" > /tmp/sign.key + # A minisign secret key file is TWO lines (comment + base64 blob). CI + # secret storage mangles embedded newlines, collapsing it to one line + # so minisign can't load it. Preferred form: store the secret + # base64-encoded (single line) — we decode it here. Auto-detect so a + # correctly-stored raw two-line key still works. + if printf '%s' "$MINISIGN_SECRET_KEY" | base64 -d 2>/dev/null | head -1 | grep -q "untrusted comment:"; then + printf '%s' "$MINISIGN_SECRET_KEY" | base64 -d > /tmp/sign.key + else + printf '%s\n' "$MINISIGN_SECRET_KEY" > /tmp/sign.key + fi + if ! head -1 /tmp/sign.key | grep -q "untrusted comment:"; then + echo "::error::MINISIGN_SECRET_KEY is neither base64 of a minisign key nor a raw two-line key file. Store it as: base64 < your-secret.key | tr -d '\n'" + rm -f /tmp/sign.key + exit 1 + fi cd corrosion-host-agent/bin # Passwordless key (-W generated); feed empty stdin so it never blocks. for f in corrosion-host-agent-linux-amd64 corrosion-host-agent-windows-amd64.exe checksums.txt; do diff --git a/corrosion-host-agent/Cargo.lock b/corrosion-host-agent/Cargo.lock index ae2c593..6180f9b 100644 --- a/corrosion-host-agent/Cargo.lock +++ b/corrosion-host-agent/Cargo.lock @@ -276,7 +276,7 @@ checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b" [[package]] name = "corrosion-host-agent" -version = "2.0.0-alpha.6" +version = "2.0.0-alpha.8" dependencies = [ "anyhow", "async-nats", diff --git a/corrosion-host-agent/Cargo.toml b/corrosion-host-agent/Cargo.toml index 8f6d71b..2eaea17 100644 --- a/corrosion-host-agent/Cargo.toml +++ b/corrosion-host-agent/Cargo.toml 
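Review bot: The final validation only greps the first line of `/tmp/sign.key` for `untrusted comment:`, so a raw key whose newline was collapsed onto one line (the failure the commit message describes) still passes it, and minisign would then fail later with the original opaque error. The check should also require a non-empty second line, for example `|| ! sed -n 2p /tmp/sign.key | grep -q .` in the same `if`. Separately, both branches write the key to the fixed path `/tmp/sign.key` under the default umask, and the context comment says the key is passwordless, so with a typical 022 umask the file is readable by other users on the runner while it exists. Adding `umask 077` before the writes and `trap 'rm -f /tmp/sign.key' EXIT` would restrict the file and remove it on every exit path. Only the error path's `rm -f` is visible here, and the step continues outside the hunk.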
@@ -1,6 +1,6 @@ [package] name = "corrosion-host-agent" -version = "2.0.0-alpha.7" +version = "2.0.0-alpha.8" edition = "2021" description = "Corrosion Host Agent — multi-game ops runtime for self-hosted game servers" license = "UNLICENSED"