Files
awoooi/.gitea/workflows
Your Name 297afb6998
All checks were successful
Code Review / ai-code-review (push) Successful in 44s
CD Pipeline / tests (push) Successful in 2m17s
CD Pipeline / build-and-deploy (push) Successful in 12m44s
CD Pipeline / post-deploy-checks (push) Successful in 4m26s
fix(ci): require all 4 host keys before overwriting ssh-mcp-key secret
When ssh-keyscan partially fails (e.g. one host is unreachable for a
moment) the previous logic still considered the file non-empty, so it
patched ssh-mcp-key/known_hosts with an incomplete set. asyncssh then
rejected any SSH to the missing host with "Host key is not trusted",
which routed every host disk-full / docker alert into the emergency
escalation channel and spammed Telegram (today's regression for 110).

Now we explicitly verify all four target IPs (110/120/121/188) appear
in the scan output before patching. Missing any of them aborts the
patch and keeps the previously-good secret untouched, plus logs the
ssh-keyscan stderr to help debug intermittent network issues.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-02 17:14:30 +08:00
..