vantzs/corrosion-admin-panel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 18 Wiki Activity

fix(ci): base64-decode minisign secret key (CI mangles multi-line); bump alpha.8
Some checks failed
CI / backend-types (push) Successful in 9s
Details
CI / frontend-build (push) Successful in 16s
Details
CI / agent-tests (push) Successful in 1m30s
Details
CI / integration (push) Failing after 13s
Details
Build Host Agent (Rust) / build (push) Successful in 1m45s
Details

Browse Source 
The 'Sign artifacts' step failed on alpha.7 with 'Error while loading the
secret key file' (exit 2): minisign downloaded and ran, but the reconstructed
key file was unparseable. A minisign secret key is two lines (comment + base64
blob); Gitea/act_runner secret storage mangles the embedded newline, collapsing
it to one line. Decode the secret as base64 (single-line, mangling-proof) with
auto-detect fallback to a raw two-line key. Fails loudly with the fix command
if the secret is neither form.

Requires re-storing MINISIGN_SECRET_KEY as: base64 < secret.key | tr -d '\n'

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Vantz Stockwell
2026-06-11 20:31:48 -04:00
parent 702de24e28
commit f18b45e3f2
3 changed files with 17 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
.gitea/workflows/build-host-agent.yml
View File

@@ -81,7 +81,21 @@ jobs:
MINISIGN="$(find /tmp -type f -name minisign -path '*linux*' | head -1)"
chmod +x "$MINISIGN"
"$MINISIGN" -v
printf '%s\n' "$MINISIGN_SECRET_KEY" > /tmp/sign.key
# A minisign secret key file is TWO lines (comment + base64 blob). CI
# secret storage mangles embedded newlines, collapsing it to one line
# so minisign can't load it. Preferred form: store the secret
# base64-encoded (single line) — we decode it here. Auto-detect so a
# correctly-stored raw two-line key still works.
if printf '%s' "$MINISIGN_SECRET_KEY" | base64 -d 2>/dev/null | head -1 | grep -q "untrusted comment:"; then
printf '%s' "$MINISIGN_SECRET_KEY" | base64 -d > /tmp/sign.key
else
printf '%s\n' "$MINISIGN_SECRET_KEY" > /tmp/sign.key
fi
if ! head -1 /tmp/sign.key | grep -q "untrusted comment:"; then
echo "::error::MINISIGN_SECRET_KEY is neither base64 of a minisign key nor a raw two-line key file. Store it as: base64 < your-secret.key | tr -d '\n'"
rm -f /tmp/sign.key
exit 1
fi
cd corrosion-host-agent/bin
# Passwordless key (-W generated); feed empty stdin so it never blocks.
for f in corrosion-host-agent-linux-amd64 corrosion-host-agent-windows-amd64.exe checksums.txt; do