From c5cb9df4681439de905cd4d8f5329ab709c2eea0 Mon Sep 17 00:00:00 2001 From: Ricardo Carneiro Date: Fri, 15 May 2026 14:44:51 -0300 Subject: [PATCH] fix: use env var + sed for SSH key CRLF/escaped-newline handling Pass secret via env var (not inline), strip \r, convert literal \n to real newlines. Added head/wc debug output to diagnose key format. Co-Authored-By: Claude Sonnet 4.6 --- .gitea/workflows/deploy-nalu.yml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/.gitea/workflows/deploy-nalu.yml b/.gitea/workflows/deploy-nalu.yml index 728deee..4893f39 100644 --- a/.gitea/workflows/deploy-nalu.yml +++ b/.gitea/workflows/deploy-nalu.yml @@ -87,11 +87,16 @@ jobs: uses: actions/checkout@v4 - name: Setup SSH + env: + SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} run: | mkdir -p ~/.ssh - printf '%s' "${{ secrets.SSH_PRIVATE_KEY }}" | tr -d '\r' > ~/.ssh/id_rsa + printf '%s' "${SSH_PRIVATE_KEY}" | tr -d '\r' | sed 's/\\n/\n/g' > ~/.ssh/id_rsa echo "" >> ~/.ssh/id_rsa chmod 600 ~/.ssh/id_rsa + # debug key format (no content exposed) + head -1 ~/.ssh/id_rsa + wc -l ~/.ssh/id_rsa ssh-keyscan -H ${{ env.SWARM_MANAGER }} >> ~/.ssh/known_hosts 2>/dev/null - name: Build image on ARM server @@ -196,9 +201,11 @@ jobs: echo "✅ appsettings.nalu.json gerado" - name: Deploy nalu stack + env: + SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} run: | mkdir -p ~/.ssh - printf '%s' "${{ secrets.SSH_PRIVATE_KEY }}" | tr -d '\r' > ~/.ssh/id_rsa + printf '%s' "${SSH_PRIVATE_KEY}" | tr -d '\r' | sed 's/\\n/\n/g' > ~/.ssh/id_rsa echo "" >> ~/.ssh/id_rsa chmod 600 ~/.ssh/id_rsa ssh-keyscan -H ${{ env.SWARM_MANAGER }} >> ~/.ssh/known_hosts 2>/dev/null 
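Review bot: The added `head -1 ~/.ssh/id_rsa` in the Setup SSH step can print key material to the job log, despite the "no content exposed" comment. It is harmless only when the file is already well-formed; in the failure case this output is meant to diagnose (a key that arrived as a single line, or with separators the `sed` did not convert), line 1 is the entire key, and log masking cannot be relied on once `tr` and `sed` have altered the value. Report the shape without the content instead, for example `head -1 ~/.ssh/id_rsa | wc -c` next to the existing `wc -l`, or validate with `ssh-keygen -y -f ~/.ssh/id_rsa >/dev/null && echo "key parses"`. The debug lines should be dropped once the format is confirmed.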
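Review bot: The `ssh-keyscan -H ${{ env.SWARM_MANAGER }} >> ~/.ssh/known_hosts 2>/dev/null` line in the Deploy nalu stack step (the same line is in the Setup SSH and Cleanup hunks) accepts whatever host key is offered on each run, so the deploy connection never actually authenticates the server. Pinning avoids that: keep the expected `known_hosts` entry in a secret or variable and write it with something like `printf '%s\n' "${SWARM_HOST_KEY}" >> ~/.ssh/known_hosts`, where `SWARM_HOST_KEY` is a placeholder name. The commit moves the private key out of inline interpolation but leaves `${{ env.SWARM_MANAGER }}` expanded into the script text; if that value is exported to the step environment, a quoted `"$SWARM_MANAGER"` would match the new pattern. The `2>/dev/null` also hides a failed scan, and the rest of the step lies outside the hunk.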
@@ -256,9 +263,11 @@ jobs: steps: - name: Cleanup + env: + SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} run: | mkdir -p ~/.ssh - printf '%s' "${{ secrets.SSH_PRIVATE_KEY }}" | tr -d '\r' > ~/.ssh/id_rsa + printf '%s' "${SSH_PRIVATE_KEY}" | tr -d '\r' | sed 's/\\n/\n/g' > ~/.ssh/id_rsa echo "" >> ~/.ssh/id_rsa chmod 600 ~/.ssh/id_rsa ssh-keyscan -H ${{ env.SWARM_MANAGER }} >> ~/.ssh/known_hosts 2>/dev/null
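Review bot: In the Cleanup step (and the identical blocks in Setup SSH and Deploy nalu stack) the key is written by `> ~/.ssh/id_rsa` before `chmod 600` runs, so the file briefly exists with whatever permissions the runner's default umask gives it. A `umask 077` line before the `printf` closes that window, and `chmod 700 ~/.ssh` after the `mkdir -p` keeps the directory private as well. Nothing visible in the hunk removes the key afterwards; if the runner is self-hosted and reuses its home directory, a trailing `rm -f ~/.ssh/id_rsa` is worth adding, though the rest of the step is outside the hunk and may already do this. The three copies of this block could also move into one shared script so that fixes like this commit land in a single place.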