From 3c9733ae5d311056d6e8458b0cdba885ce2b73cc Mon Sep 17 00:00:00 2001 From: Maksim Khimchenko Date: Fri, 22 May 2026 13:55:10 +0300 Subject: [PATCH 1/6] override SOURCE_REPO Signed-off-by: Maksim Khimchenko --- templates/Build.gitlab-ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/templates/Build.gitlab-ci.yml b/templates/Build.gitlab-ci.yml index d1689fa..2136ee7 100644 --- a/templates/Build.gitlab-ci.yml +++ b/templates/Build.gitlab-ci.yml @@ -30,6 +30,10 @@ variables: .build: stage: build script: + # Use gitlab ci job token + - | + export SOURCE_REPO=https://gitlab-ci-token:${CI_JOB_TOKEN}@${SOURCE_REPO#git@} + # Build images - | werf build \ From 1254386f1759124767798d6b3dacdd82941d18f2 Mon Sep 17 00:00:00 2001 From: Maksim Khimchenko Date: Fri, 22 May 2026 14:18:05 +0300 Subject: [PATCH 2/6] SOURCE_REPO=${SOURCE_REPO#git@} SOURCE_REPO=${SOURCE_REPO//://} Signed-off-by: Maksim Khimchenko --- templates/Build.gitlab-ci.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/templates/Build.gitlab-ci.yml b/templates/Build.gitlab-ci.yml index 2136ee7..e62feb6 100644 --- a/templates/Build.gitlab-ci.yml +++ b/templates/Build.gitlab-ci.yml @@ -32,7 +32,9 @@ variables: script: # Use gitlab ci job token - | - export SOURCE_REPO=https://gitlab-ci-token:${CI_JOB_TOKEN}@${SOURCE_REPO#git@} + SOURCE_REPO=${SOURCE_REPO#git@} + SOURCE_REPO=${SOURCE_REPO//://} + export SOURCE_REPO=https://gitlab-ci-token:${CI_JOB_TOKEN}@${SOURCE_REPO} # Build images - | From 977bec504978bc9e25e4086b62ae3d6422072681 Mon Sep 17 00:00:00 2001 From: Maksim Khimchenko Date: Fri, 22 May 2026 14:45:45 +0300 Subject: [PATCH 3/6] remove source repo and ssh from setup job Signed-off-by: Maksim Khimchenko --- templates/Setup.gitlab-ci.yml | 48 ++++++++++------------------------- 1 file changed, 14 insertions(+), 34 deletions(-) diff --git a/templates/Setup.gitlab-ci.yml b/templates/Setup.gitlab-ci.yml index 3dac303..2777417 100644 --- a/templates/Setup.gitlab-ci.yml 
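Review bot: The exported `SOURCE_REPO` in the PATCH 1/6 hunk of `templates/Build.gitlab-ci.yml` now carries `CI_JOB_TOKEN` as a URL password, and every child process of the script, including `werf build`, inherits it. How werf consumes the variable is not visible here, but if it reaches a build argument, an image label or a cloned repository's `.git/config`, the credential outlives the log masking GitLab applies. The comment should say so, for example `# SOURCE_REPO now embeds the job token: never echo it or pass it into image build args/labels`. The same applies to the rewritten lines in PATCH 2/6. The `.build` script continues outside the hunk.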
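Review bot: `${SOURCE_REPO//://}` in the PATCH 2/6 hunk replaces every colon, so only the scp-style `git@host:path` form survives the rewrite. A value that is already `https://…` or `ssh://git@host:port/…` becomes a malformed URL, and an unset `SOURCE_REPO` exports a URL that is only the credential prefix. Nothing checks the host either, so the job token is sent to whatever host the variable names. If the repository is always on the GitLab instance that runs the job (an assumption to confirm), validate the form and host first and replace only the first colon, as sketched below.

```yaml
      # Use gitlab ci job token
      - |
        # Accept only the scp-style form on the GitLab host that issued the job token.
        case "${SOURCE_REPO}" in
          "git@${CI_SERVER_HOST}:"*) ;;
          *) echo "SOURCE_REPO must look like git@${CI_SERVER_HOST}:<group>/<repo>.git" >&2; exit 1 ;;
        esac
        SOURCE_REPO=${SOURCE_REPO#git@}
        # Single substitution: only the host/path separator is rewritten.
        SOURCE_REPO=${SOURCE_REPO/://}
        export SOURCE_REPO="https://gitlab-ci-token:${CI_JOB_TOKEN}@${SOURCE_REPO}"
      # … unchanged: Build images / werf build …
```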
+++ b/templates/Setup.gitlab-ci.yml @@ -5,8 +5,6 @@ # $DEV_MODULES_REGISTRY - dev registry path # $DEV_MODULES_REGISTRY_LOGIN - login to dev registry # $DEV_MODULES_REGISTRY_PASSWORD - password to dev registry -# $SOURCE_REPO - Source repository address for the module -# $SOURCE_REPO_SSH_KEY - SSH private key for the source repository # $DEV_MODULES_REGISTRY_PASSWORD - password to dev registry # $DEV_MODULES_REGISTRY_PASSWORD - password to dev registry # $DEV_MODULES_REGISTRY_PASSWORD - password to dev registry @@ -79,10 +77,7 @@ before_script: # Add ssh keys - | - if [[ -n "${SOURCE_REPO_SSH_KEY_B64}" ]]; then - SOURCE_REPO_SSH_KEY=$(echo "${SOURCE_REPO_SSH_KEY_B64}" | base64 -d) - fi - if [[ -n "${SOURCE_REPO_SSH_KEY}" || -n "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" ]]; then + if [[ -n "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" ]]; then eval $(ssh-agent) trap "kill -3 ${SSH_AGENT_PID}" ERR EXIT HUP INT QUIT TERM 
@@ -90,36 +85,21 @@ before_script: mkdir -p ~/.ssh touch ~/.ssh/known_hosts - if [[ -n "${SOURCE_REPO_SSH_KEY}" ]]; then - ssh-add - <<< "${SOURCE_REPO_SSH_KEY}" - if [[ -n "${SOURCE_REPO}" ]]; then - HOST=$(grep -oP '(?<=@)[^/:]+' <<< ${SOURCE_REPO}) - HOST_KEYS=$(ssh-keyscan -H "$HOST" 2>/dev/null) - while IFS= read -r KEY_LINE; do - CONSTANT_PART=$(awk '{print $2, $3}' <<< "$KEY_LINE") - if ! grep -q "$CONSTANT_PART" ~/.ssh/known_hosts; then - echo "$KEY_LINE" >> ~/.ssh/known_hosts - fi - done <<< "$HOST_KEYS" - fi + echo "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" | base64 -d | ssh-add - + if [[ -n "${SVACE_ANALYZE_HOST}" ]]; then + echo "Adding svace ssh key (ignoring errors)." + set +e + HOST=${SVACE_ANALYZE_HOST} + HOST_KEYS=$(ssh-keyscan -H "$HOST" 2>/dev/null) + while IFS= read -r KEY_LINE; do + CONSTANT_PART=$(awk '{print $2, $3}' <<< "$KEY_LINE") + if ! grep -q "$CONSTANT_PART" ~/.ssh/known_hosts; then + echo "$KEY_LINE" >> ~/.ssh/known_hosts + fi + done <<< "$HOST_KEYS" + set -e fi - if [[ -n "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" ]]; then - echo "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" | base64 -d | ssh-add - - if [[ -n "${SVACE_ANALYZE_HOST}" ]]; then - echo "Adding svace ssh key (ignoring errors)." - set +e - HOST=${SVACE_ANALYZE_HOST} - HOST_KEYS=$(ssh-keyscan -H "$HOST" 2>/dev/null) - while IFS= read -r KEY_LINE; do - CONSTANT_PART=$(awk '{print $2, $3}' <<< "$KEY_LINE") - if ! grep -q "$CONSTANT_PART" ~/.ssh/known_hosts; then - echo "$KEY_LINE" >> ~/.ssh/known_hosts - fi - done <<< "$HOST_KEYS" - set -e - fi - fi fi stages: From 998e1c95a7037d69498556ebf5e1deadfef97fd1 Mon Sep 17 00:00:00 2001 From: Maksim Khimchenko Date: Fri, 22 May 2026 16:07:19 +0300 Subject: [PATCH 4/6] add backward compatibility for svace ssh private key var Signed-off-by: Maksim Khimchenko --- templates/Setup.gitlab-ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/Setup.gitlab-ci.yml b/templates/Setup.gitlab-ci.yml index 2777417..9fe18e5 100644 
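Review bot: The block kept for `SVACE_ANALYZE_HOST` in the `@@ -90,36 +85,21 @@` hunk still fills `known_hosts` from `ssh-keyscan -H "$HOST"` at job time, which accepts whatever key the network returns and gives no protection against an intercepted connection. Because it runs under `set +e` with stderr discarded, a failed scan is also silent. Pinning the key is safer: ship the expected entry in a CI variable (placeholder name) and append it with `echo "${SVACE_ANALYZE_KNOWN_HOSTS}" >> ~/.ssh/known_hosts`, keeping the scan only as a documented fallback. Separately, `grep -q "$CONSTANT_PART"` treats the key text as a regular expression, so `grep -qF` is the correct form. The enclosing `if` and the ssh-agent setup start outside this hunk.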
--- a/templates/Setup.gitlab-ci.yml +++ b/templates/Setup.gitlab-ci.yml @@ -77,6 +77,9 @@ before_script: # Add ssh keys - | + if [[ -n "${SVACE_ANALYZE_SSH_PRIVATE_KEY}" ]]; then + SVACE_ANALYZE_SSH_PRIVATE_KEY_B64=$(echo "${SVACE_ANALYZE_SSH_PRIVATE_KEY}" | base64 -d) + fi if [[ -n "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" ]]; then eval $(ssh-agent) From e22d7261eb5b5ad7ee6504baac497f36b7330693 Mon Sep 17 00:00:00 2001 From: Maksim Khimchenko Date: Fri, 22 May 2026 16:14:30 +0300 Subject: [PATCH 5/6] fix backward compatibility Signed-off-by: Maksim Khimchenko --- templates/Setup.gitlab-ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/Setup.gitlab-ci.yml b/templates/Setup.gitlab-ci.yml index 9fe18e5..1b9ab9f 100644 --- a/templates/Setup.gitlab-ci.yml +++ b/templates/Setup.gitlab-ci.yml @@ -77,18 +77,18 @@ before_script: # Add ssh keys - | - if [[ -n "${SVACE_ANALYZE_SSH_PRIVATE_KEY}" ]]; then - SVACE_ANALYZE_SSH_PRIVATE_KEY_B64=$(echo "${SVACE_ANALYZE_SSH_PRIVATE_KEY}" | base64 -d) - fi if [[ -n "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" ]]; then + SVACE_ANALYZE_SSH_PRIVATE_KEY=$(echo "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" | base64 -d) + fi + if [[ -n "${SVACE_ANALYZE_SSH_PRIVATE_KEY}" ]]; then eval $(ssh-agent) trap "kill -3 ${SSH_AGENT_PID}" ERR EXIT HUP INT QUIT TERM export SSH_KNOWN_HOSTS=~/.ssh/known_hosts mkdir -p ~/.ssh touch ~/.ssh/known_hosts - echo "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" | base64 -d | ssh-add - + echo "${SVACE_ANALYZE_SSH_PRIVATE_KEY}" | ssh-add - if [[ -n "${SVACE_ANALYZE_HOST}" ]]; then echo "Adding svace ssh key (ignoring errors)." set +e From c8fd7d570fb7a761839e261cde83aebd9acda4d1 Mon Sep 17 00:00:00 2001 From: Maksim Khimchenko Date: Fri, 22 May 2026 16:31:50 +0300 Subject: [PATCH 6/6] backward compatibility of ssh key add for svace analyze job Signed-off-by: Maksim Khimchenko --- templates/Svace_Analayze.gitlab-ci.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
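Review bot: The PATCH 5/6 hunk keeps the raw `SVACE_ANALYZE_SSH_PRIVATE_KEY` variable as a supported input, but a multi-line PEM value cannot be stored as a masked GitLab variable, so a key supplied that way is printed in full when a job runs with debug tracing or `set -x`. The base64 form is the one that can be masked. Document the raw variable as deprecated in the header comment, for example `# $SVACE_ANALYZE_SSH_PRIVATE_KEY - deprecated, cannot be masked; use $SVACE_ANALYZE_SSH_PRIVATE_KEY_B64`. Also state there that `_B64` silently overrides the raw variable when both are set. The script block continues outside the hunk.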
diff --git a/templates/Svace_Analayze.gitlab-ci.yml b/templates/Svace_Analayze.gitlab-ci.yml index ee42a8f..b66bfdd 100644 --- a/templates/Svace_Analayze.gitlab-ci.yml +++ b/templates/Svace_Analayze.gitlab-ci.yml @@ -38,7 +38,11 @@ echo "Using new ssh auth sock: ${SSH_AUTH_SOCK}" fi - echo "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" | base64 -d | ssh-add - + if [[ -n "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" ]]; then + SVACE_ANALYZE_SSH_PRIVATE_KEY=$(echo "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" | base64 -d) + fi + + echo "${SVACE_ANALYZE_SSH_PRIVATE_KEY}" | ssh-add - # Add Svace analyze host to known_hosts - |
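Review bot: Unlike the guarded block in `Setup.gitlab-ci.yml`, `ssh-add -` here is reached even when neither key variable is set, so it receives an empty line and fails with a key-format error that does not name the missing variable. An explicit check before it gives a clear failure without printing any key material: `: "${SVACE_ANALYZE_SSH_PRIVATE_KEY:?set SVACE_ANALYZE_SSH_PRIVATE_KEY_B64 or SVACE_ANALYZE_SSH_PRIVATE_KEY}"`. The decode-then-add logic is now duplicated between the two templates, so a comment pointing each copy at the other would help keep them in step. The surrounding script starts and ends outside the hunk.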