From b3238fdd79da2f39b89dac65dbce8777266be8f0 Mon Sep 17 00:00:00 2001
From: Maja Massarini
Date: Tue, 14 Apr 2026 12:25:36 +0200
Subject: [PATCH 1/2] Pre-add Pagure host key for root and non-root users
- Use ssh-keyscan to pre-add pkgs.fedoraproject.org host key during container build instead of disabling host key verification
- Add host key to both /root/.ssh/known_hosts and /etc/ssh/ssh_known_hosts
- System-wide known_hosts works for non-root users in OpenShift
Assisted-By: Claude Sonnet 4.5
---
 Containerfile | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/Containerfile b/Containerfile
index 6f037c0..2945fd3 100644
--- a/Containerfile
+++ b/Containerfile
@@ -4,12 +4,13 @@ RUN dnf install -y python3-ogr python3-copr python3-koji python3-pip fedpkg krb5
 RUN pip3 install --upgrade sentry-sdk && pip3 check
-# Configure SSH to not prompt for host key verification
-RUN mkdir -p /root/.ssh && \
- echo "Host pkgs.fedoraproject.org" >> /root/.ssh/config && \
- echo " StrictHostKeyChecking accept-new" >> /root/.ssh/config && \
- echo " UserKnownHostsFile /dev/null" >> /root/.ssh/config && \
- chmod 600 /root/.ssh/config
+# Add Fedora Pagure host key to system-wide known_hosts
+# This works for both root and non-root users (e.g., in OpenShift)
+RUN mkdir -p /root/.ssh /etc/ssh && \
+ ssh-keyscan -t rsa,ecdsa,ed25519 pkgs.fedoraproject.org >> /root/.ssh/known_hosts && \
+ chmod 600 /root/.ssh/known_hosts && \
+ ssh-keyscan -t rsa,ecdsa,ed25519 pkgs.fedoraproject.org >> /etc/ssh/ssh_known_hosts && \
+ chmod 644 /etc/ssh/ssh_known_hosts
 RUN pip3 install git+https://github.com/packit/validation.git
From 750a655f21c847493c5d623319876588ee6dedd4 Mon Sep 17 00:00:00 2001
From: Maja Massarini
Date: Tue, 14 Apr 2026 12:51:08 +0200
Subject: [PATCH 2/2] Add documentation for Pagure related keys
---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/README.md b/README.md
index facac60..6bda70c 100644
--- a/README.md
+++ b/README.md
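Review bot: The two `ssh-keyscan` calls in the new `RUN` step trust whatever keys the network returns while the image is built, so a spoofed or tampered response at build time would be written to `/etc/ssh/ssh_known_hosts` and accepted by every container started from the image. Pinning is stronger: commit a known_hosts file whose entries were checked against fingerprints obtained out of band and install it with something like `COPY pagure_known_hosts /etc/ssh/ssh_known_hosts` (the file name is a placeholder), or at least compare the output of `ssh-keygen -lf /etc/ssh/ssh_known_hosts` with the expected fingerprints and fail the build on a mismatch. If the scan stays, run it once and copy the result so the two files cannot differ, and add a `test -s /etc/ssh/ssh_known_hosts` guard, since a scan that returns no keys may still leave the step green with an empty file. The per-user `/root/.ssh/known_hosts` copy also looks redundant next to the system-wide file, which ssh consults for root as well.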
@@ -31,5 +31,10 @@ If you want to run the script on your own:
 token](https://github.com/settings/tokens) with _public_repo_ scope.
 - Set a `GITLAB_TOKEN` environment variable holding a [personal access token](https://gitlab.com/-/profile/personal_access_tokens) with _api_ scope.
+- Set a `DEPLOYMENT` environment variable to either `production` or `staging`.
+- For Pagure tests (optional):
+ - Set a `PAGURE_TOKEN` environment variable with a Pagure API token.
+ - Set a `PAGURE_SSH_KEY` environment variable with the path to your SSH private key.
+ - Set a `PAGURE_KEYTAB` environment variable with the path to your Kerberos keytab file.
 - Optionally, set a `SENTRY_SECRET` environment variable if you want to send the validation failures to Sentry.