vitalyliber / dokku-github-action

Deploy applications to Dokku
https://vitalyliber.com/courses/deploj-prilozhenij-s-dokku
MIT License

Runs keyscan but then disables hosts checking? #6

Closed WilliamMayor closed 4 years ago

WilliamMayor commented 4 years ago

I might just be misunderstanding something but...

You run ssh-keyscan on the host and save the results to the known_hosts file, but you're telling git to not run strict host checking, and you override the known hosts file location to /dev/null/.

Can you remove the keyscan part? Or does that break things?

Or is it better to turn the host checking back on?

It feels like you don't get much protection from the keyscan in this case because you're running the keyscan immediately before connecting to the host. So of course the host key hasn't changed!

Maybe the results of the keyscan could be added as an optional secret? So we can keyscan when we set up the action and if the host key changes at some point in the future the deploy would fail.
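The pinning approach sketched in this comment, written out as an added example (it is not code from the dokku-github-action repository or from the commenter). It contrasts the "scan, then disable checking" pattern described above with a deploy step that reads a host key captured once with `ssh-keyscan` from a secret, writes it to a dedicated `known_hosts` file, and turns strict checking back on so a changed key aborts the push. The variable name `DOKKU_HOST_KEY`, the function names and the sample key line are assumptions made for the example.

```shell
#!/usr/bin/env sh
# Added example: pin the Dokku host key instead of scanning it at deploy time.
# Assumption (hypothetical name): the pinned key arrives in DOKKU_HOST_KEY,
# a secret captured once with `ssh-keyscan` when the workflow was set up.

# The pattern the issue describes: keyscan output is written but then ignored,
# because strict checking is off and the known_hosts file is /dev/null.
# Shown for contrast only; a deploy configured this way never detects a changed key.
weak_ssh_command() {
  printf '%s' 'ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
}

# Validate one known_hosts line: "<host> <keytype> <base64>[ comment]".
# Returns 0 when the line is well formed, 1 otherwise.
validate_host_key_line() {
  printf '%s\n' "$1" | grep -Eq '^[^ ]+ (ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Write the pinned key to its own known_hosts file (mode 0600) and print the path.
# Fails closed: an empty or malformed secret stops the deploy instead of
# silently falling back to an unverified connection.
write_pinned_known_hosts() {
  key_line="$1"
  out_file="$2"
  if [ -z "$key_line" ]; then
    echo "DOKKU_HOST_KEY is empty; refusing to deploy without a pinned host key" >&2
    return 1
  fi
  if ! validate_host_key_line "$key_line"; then
    echo "DOKKU_HOST_KEY is not a valid known_hosts entry" >&2
    return 1
  fi
  # umask in a subshell so the restrictive mode does not leak to later steps
  ( umask 077; printf '%s\n' "$key_line" > "$out_file" )
  printf '%s' "$out_file"
}

# Compose the GIT_SSH_COMMAND that enforces the pin: strict checking on, and only
# the pinned file consulted, so a key mismatch makes `git push` fail.
strict_ssh_command() {
  printf '%s' "ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$1"
}

# Constructed sample line (not a real key) so the script runs offline.
SAMPLE_HOST_KEY='dokku.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotARealKey00000000000'

# Demo: in a real workflow the key comes from the DOKKU_HOST_KEY secret;
# here the constructed sample stands in for it.
demo_known_hosts="$(write_pinned_known_hosts "$SAMPLE_HOST_KEY" "$(mktemp)")" || exit 1
echo "weak:   GIT_SSH_COMMAND=\"$(weak_ssh_command)\""
echo "strict: GIT_SSH_COMMAND=\"$(strict_ssh_command "$demo_known_hosts")\""
```

In a workflow step this amounts to exporting `GIT_SSH_COMMAND` from `strict_ssh_command` before `git push`; rotating the Dokku host key then requires updating the secret deliberately, which is the failure mode the comment asks for rather than a silent reconnect.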

vitalyliber commented 4 years ago

@WilliamMayor thank you for your research! I think you can create a new pull request with improvements 👨🏻‍💻

vitalyliber commented 4 years ago

@WilliamMayor thank you! Good work!