[Fixes: mosip/mosip-infra#1874] Update SSH key secret and token refer…

[Ivanmeneges]

…ences

Summary by CodeRabbit

• Chores
  • Updated the CI/CD onboarding workflow to select the jumpserver SSH private key via a new dispatch input and added early validation for required secrets.
  • Switched repository authentication in the workflow to use the updated token secret for checkout and Git operations.
• Bug Fixes
  • Improved WireGuard peer allocation and assignment recording reliability, with safer remote file handling and more robust rollback when onboarding fails.
  • Enhanced peer reuse/selection validation and improved behavior during dry runs.

[coderabbitai]

Warning

Review limit reached

@Ivanmeneges, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 5 minutes and 39 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 056908fb-8fab-4b45-8b74-28afc6b4ba6b

📥 Commits

Reviewing files that changed from the base of the PR and between 7059f82 and 61a54b6.

📒 Files selected for processing (2)

• .github/scripts/wg-onboard.sh
• .github/workflows/wg-onboard.yml

Walkthrough

The PR updates the WireGuard onboarding workflow and script to improve credential handling, execution isolation, and peer allocation robustness. The workflow renames the SSH key dispatch input from SSH_PRIVATE_KEY to MOSIP_AWS_PEM, switches all GitHub tokens from PAT_TOKEN to ACTION_PAT, moves the job to a self-hosted runner with concurrency control, and adds required-secrets validation. The script introduces safer remote SSH execution patterns (quoting helpers, explicit argv separation), atomic file operations (temp files with mv-based updates), peer allocation validation (constraint checks, reuse reorganization), and multi-stage error recovery with rollback helpers for secret publication and assignment state.

Changes

WireGuard Onboarding Credential Updates and Allocation Robustness

Layer / File(s)	Summary
Workflow credential inputs and job execution environment .github/workflows/wg-onboard.yml	Renames dispatch input to MOSIP_AWS_PEM; adds job permissions, concurrency, and switches to self-hosted runner with required-secrets validation; SSH key is written from secrets.MOSIP_AWS_PEM to a temp file with cleanup; checkout and commit steps use secrets.ACTION_PAT; commit stage includes git pull --rebase --autostash with failure handling.
Script initialization and safer argument parsing .github/scripts/wg-onboard.sh	Updates argument parsing to use ${2-} substitution for all flags; introduces TRACKER_TMP cleanup to handle temporary tracker files on exit.
Remote SSH command safety and preflight validation .github/scripts/wg-onboard.sh	Adds remote_quote() helper; updates peer discovery and config existence checks to safely quote remote paths; reworks atomic allocation and rollback to use ssh_cmd bash -s -- with explicit argv separation; adds preflight permission validation for assignment file with actionable error messaging.
Atomic file operations and assignment recording .github/scripts/wg-onboard.sh	Adds assigned_file_writable() and atomic_replace_file() remote helpers; modifies record_assignment() to create temp files in target directory and atomically replace via mv; updates remove_peer_line to use atomic replace; replaces tracker mirror temp-file approach with mktemp in destination directory and atomic mv.
Peer allocation: reuse, forced overrides, and constraint validation .github/scripts/wg-onboard.sh	Reorganizes peer reuse detection to conditionally parse assigned content (colon-format) or derive from secrets (MOSIP-format); applies forced peer overrides with conflict checks; adds peer number constraint validation (1..MAX_PEERS range); performs allocation writability check before recording.
Error handling and rollback for environment and secret publication .github/scripts/wg-onboard.sh	Adds DRY_RUN guard in fetch_and_transform() to skip missing peer configs; wraps GitHub environment creation with error handling and assignment rollback on failure; adds rollback_published_secrets() and rollback_allocation_state() helpers; calls rollback on secret publication failure to delete already-published secrets and undo assignment state.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Possibly related PRs

• mosip/infra#247: Introduces the initial atomic_allocate_peers and rollback patterns that this PR extends with safer SSH patterns, atomic file operations, and multi-stage error recovery.
• mosip/infra#249: Modifies the same wg-onboard.yml workflow, establishing the GitHub token handling and script execution that this PR refines with new credential input, concurrency control, and SSH key cleanup.

Poem

🐇 Atomicity hops through SSH's gentle door,
MOSIP_AWS_PEM guards secrets evermore!
Rollbacks and temp files dance in perfect sync,
While peer constraints keep chaos at the brink.
The onboarding flow now bounces with delight! 🌿

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 11.11% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title is truncated and does not clearly convey the main changes; it refers to fixing SSH key and token references but omits critical context about the WireGuard onboarding workflow and shell script improvements.	Expand the title to be more descriptive. Example: 'Improve WireGuard onboarding workflow: fix SSH key secrets and add atomic peer allocation logic' or similar to better represent the scope of changes.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch Ivanmeneges-patch-4

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/wg-onboard.yml:
- Around line 58-59: The workflow is using dynamic secret resolution where the
secret name is controlled by user input (inputs.MOSIP_AWS_PEM), which allows
dispatch inputs to select arbitrary repository secrets and violates
least-privilege principles. Replace the dynamic secret reference in SSH_KEY with
a fixed, hardcoded secret name instead of ${{ secrets[inputs.MOSIP_AWS_PEM] }},
and update SSH_KEY_NAME to use the same fixed secret name instead of the user
input, ensuring only predetermined secrets can be accessed regardless of
dispatch parameters.

🪄 Autofix (Beta)

❌ Autofix failed (check again to retry)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 038f1b16-66e6-48fb-a9bb-0f6aeb370d30

📥 Commits

Reviewing files that changed from the base of the PR and between f78e792 and b25d2d9.

📒 Files selected for processing (1)

• .github/workflows/wg-onboard.yml

[coderabbitai]

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

The agent generated fixes only for .github/workflows/ files, which cannot be committed due to permission restrictions. Please apply these changes manually.

---

⚠️ 1 file(s) could not be committed — the agent does not have permission to push to .github/workflows/. Please apply these changes manually:

.github/workflows/wg-onboard.yml — 1 change:

Lines 55–62

 
       - name: Write SSH private key
         env:
-          SSH_KEY: ${{ secrets[inputs.MOSIP_AWS_PEM] }}
-          SSH_KEY_NAME: ${{ inputs.MOSIP_AWS_PEM }}
+          SSH_KEY: ${{ secrets.MOSIP_AWS_PEM }}
+          SSH_KEY_NAME: MOSIP_AWS_PEM
         run: |
           mkdir -p ~/.ssh
           # Use printf + strip CR so multi-line PEMs / CRLF secrets are written intact

[Ivanmeneges]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/wg-onboard.yml:
- Around line 60-61: The workflow now references the secrets.MOSIP_AWS_PEM
secret for the SSH key, but this secret must be configured in the repository for
the workflow to function. Navigate to the repository settings under Secrets and
variables, create a new repository secret named MOSIP_AWS_PEM, and paste a valid
SSH private key into it. This secret will be used by the SSH_KEY environment
variable during the workflow execution, and without it, the validation step
(lines 67-70) where ssh-keygen verifies the key format will fail.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 59a6248e-ed70-4279-aea5-58daa3873db6

📥 Commits

Reviewing files that changed from the base of the PR and between b25d2d9 and d4b5894.

📒 Files selected for processing (1)

• .github/workflows/wg-onboard.yml

[Ivanmeneges]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[Ivanmeneges]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/scripts/wg-onboard.sh (1)

312-363: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Handle a missing assignment file consistently.

The preflight allows assigned.txt to be absent when its directory is writable, but record_assignment() still runs awk ... "$file"; under set -e, the first write exits before creating any assignment. Use /dev/null as the input when the file does not exist.

🐛 Suggested fix

-  local dir tmp
+  local dir tmp input
   dir="$(dirname "$file")"
+  input="$file"
+  [[ -e "$input" ]] || input=/dev/null
   tmp="$(mktemp "$dir/.assigned.XXXXXX")" || {
     echo "ERROR: cannot create temp file in $dir" >&2
     return 1
   }
@@
-    ' "$file" > "$tmp"
+    ' "$input" > "$tmp"
@@
-    ' "$file" > "$tmp"
+    ' "$input" > "$tmp"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/scripts/wg-onboard.sh around lines 312 - 363, In the
record_assignment() function, both awk command invocations (one in the if block
for "colon" format and one in the else block) attempt to read from "$file" which
may not exist. When the file doesn't exist and set -e is enabled, the script
exits before creating the assignment. Modify both awk invocations to use
/dev/null as the input file when "$file" does not exist, by checking if the file
is present first and passing either "$file" or "/dev/null" to awk accordingly,
so the function can create new assignments even when the file doesn't initially
exist.

🧹 Nitpick comments (1)

.github/workflows/wg-onboard.yml (1)

53-57: ⚡ Quick win

Pass secrets through env before checking them.

Lines 56-57 expand secrets directly into the generated shell script; for the multiline private key, that makes secret contents part of Bash syntax before execution. Use step environment variables and test those instead.

🔐 Suggested refactor

       - name: Validate required secrets
+        env:
+          ACTION_PAT: ${{ secrets.ACTION_PAT }}
+          MOSIP_AWS_PEM: ${{ secrets.MOSIP_AWS_PEM }}
         run: |
           missing=()
-          [[ -z "${{ secrets.ACTION_PAT }}" ]] && missing+=(ACTION_PAT)
-          [[ -z "${{ secrets.MOSIP_AWS_PEM }}" ]] && missing+=(MOSIP_AWS_PEM)
+          [[ -z "${ACTION_PAT:-}" ]] && missing+=(ACTION_PAT)
+          [[ -z "${MOSIP_AWS_PEM:-}" ]] && missing+=(MOSIP_AWS_PEM)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/wg-onboard.yml around lines 53 - 57, The "Validate
required secrets" step is directly expanding secrets into the shell script,
which exposes their contents in the generated Bash syntax. Instead, use the
step's env property to pass the secrets as environment variables, then test
those environment variables in the shell script. Specifically, create an env
section that maps ACTION_PAT and MOSIP_AWS_PEM secrets to environment variables,
then modify the conditional checks to test the environment variables (like
checking [[ -z "$ACTION_PAT" ]]) rather than directly expanding the secrets with
the ${{ secrets.* }} syntax.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/scripts/wg-onboard.sh:
- Around line 619-627: The `remove_peer_line` function calls
`atomic_replace_file` at line 627, but this function is only defined in the
`REMOTE_ATOMIC_ALLOCATE` here-doc and is not available in the rollback here-doc
which starts a fresh remote shell. Include the definition of the
`atomic_replace_file` function inside the rollback here-doc section so that when
`remove_peer_line` is executed as part of the rollback process, the
`atomic_replace_file` function is already defined and available in that shell
context.
- Around line 224-235: Create a new helper function (e.g., ssh_bash) that wraps
ssh_cmd bash -s and applies remote_quote to each argument before passing them to
the remote shell. This function should take multiple arguments and quote each
one using the existing remote_quote function already used elsewhere in the
codebase. Then replace all three occurrences of the ssh_cmd bash -s -- pattern
(at the locations where variables like ASSIGNED_FILE, CONFIG_DIR, ENV_NAME,
LABEL, and other parameters are passed) with calls to this new helper function,
ensuring all variables are properly quoted to prevent command injection on the
jumpserver.

In @.github/workflows/wg-onboard.yml:
- Around line 64-68: The checkout action disables persist-credentials which
causes authentication issues for private repositories when the workflow later
attempts to pull from the unauthenticated origin remote at line 126 while using
GH_TOKEN only for the push at line 132. Either enable persist-credentials in the
checkout action with uses actions/checkout, or configure an authenticated remote
URL using git remote set-url before the rebase pull operation to ensure both the
pull and push operations at lines 126 and 132 consistently use the authenticated
remote with GH_TOKEN credentials.
- Line 50: The `runs-on: self-hosted` configuration on this job is too
permissive and poses a security risk since the job uses sensitive secrets
(ACTION_PAT and MOSIP_AWS_PEM). Replace the generic `runs-on: self-hosted` with
a dedicated label that restricts execution to a specific trusted Linux runner
owned only by the WireGuard onboarding process. Verify that the intended
self-hosted runner is properly configured with this dedicated label and has the
necessary tools (bash, ssh, git) before merging.

---

Outside diff comments:
In @.github/scripts/wg-onboard.sh:
- Around line 312-363: In the record_assignment() function, both awk command
invocations (one in the if block for "colon" format and one in the else block)
attempt to read from "$file" which may not exist. When the file doesn't exist
and set -e is enabled, the script exits before creating the assignment. Modify
both awk invocations to use /dev/null as the input file when "$file" does not
exist, by checking if the file is present first and passing either "$file" or
"/dev/null" to awk accordingly, so the function can create new assignments even
when the file doesn't initially exist.

---

Nitpick comments:
In @.github/workflows/wg-onboard.yml:
- Around line 53-57: The "Validate required secrets" step is directly expanding
secrets into the shell script, which exposes their contents in the generated
Bash syntax. Instead, use the step's env property to pass the secrets as
environment variables, then test those environment variables in the shell
script. Specifically, create an env section that maps ACTION_PAT and
MOSIP_AWS_PEM secrets to environment variables, then modify the conditional
checks to test the environment variables (like checking [[ -z "$ACTION_PAT" ]])
rather than directly expanding the secrets with the ${{ secrets.* }} syntax.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 89d91e8d-67bf-4442-8107-a5e2e63b8e69

📥 Commits

Reviewing files that changed from the base of the PR and between d4b5894 and 7059f82.

📒 Files selected for processing (2)

• .github/scripts/wg-onboard.sh
• .github/workflows/wg-onboard.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: List self-hosted runners and their labels for this repository.
# Expect: exactly the intended trusted runner has the chosen WireGuard onboarding label.
gh api repos/:owner/:repo/actions/runners \
  --jq '.runners[] | "\(.name)\t\([.labels[].name] | join(","))"'

Repository: mosip/infra

Length of output: 315

---

🏁 Script executed:

# First, let's examine the complete workflow file to understand the job context
cat -n .github/workflows/wg-onboard.yml

Repository: mosip/infra

Length of output: 5973

---

🏁 Script executed:

# Search for any documentation about runners or the wg-onboard runner
find . -type f \( -name "*.md" -o -name "*.txt" -o -name "*.yml" -o -name "*.yaml" \) | xargs grep -l "wg-onboard\|self-hosted.*runner" 2>/dev/null | head -20

Repository: mosip/infra

Length of output: 90

---

🏁 Script executed:

# Look for other workflow files to see if any use similar runner pinning patterns
fd -e yml -e yaml ".github/workflows" --exec grep -l "runs-on:" {} \; | xargs grep -A 1 "runs-on:" | head -50

Repository: mosip/infra

Length of output: 429

---

🏁 Script executed:

fd . '.github/workflows' --type f -e yml -e yaml

Repository: mosip/infra

Length of output: 612

---

🏁 Script executed:

# Check other workflows to see how they use runs-on
fd . '.github/workflows' --type f | xargs grep "runs-on:" 2>/dev/null | head -20

Repository: mosip/infra

Length of output: 1494

---

🏁 Script executed:

# Search for any documentation about runner setup, labels, or infrastructure
rg "runner|self-hosted|label" --type md README.md CONTRIBUTING.md 2>/dev/null || echo "No matches in doc files"

Repository: mosip/infra

Length of output: 79

---

🏁 Script executed:

# Check if there's any infrastructure-as-code or runner config files
find . -maxdepth 3 -type f \( -name "*runner*" -o -name "*infrastructure*" -o -name "*host*" \) 2>/dev/null

Repository: mosip/infra

Length of output: 96

---

🏁 Script executed:

# Check the wg-onboard.sh script to confirm Linux requirements
head -50 .github/scripts/wg-onboard.sh

Repository: mosip/infra

Length of output: 2034

---

🏁 Script executed:

# Search for any infrastructure setup or runner documentation in repo
find . -maxdepth 4 -type f \( -name "*.md" -o -name "*.rst" -o -name "*.txt" \) | xargs grep -l "self-hosted\|runner.*setup\|infrastructure" 2>/dev/null | head -10

Repository: mosip/infra

Length of output: 360

---

🏁 Script executed:

# Check the workflow-specific README and scripts README
cat -n ./.github/workflows/README.md

Repository: mosip/infra

Length of output: 26661

---

🏁 Script executed:

# Also check the scripts README
cat -n ./.github/scripts/README.md

Repository: mosip/infra

Length of output: 9420

---

Pin this job to a dedicated trusted Linux runner.

runs-on: self-hosted can schedule this secret-bearing job (using ACTION_PAT and MOSIP_AWS_PEM secrets) on any repo/org self-hosted runner, including one without bash/ssh/git tooling this workflow requires. Use a dedicated label owned only by the WireGuard onboarding runner.

🔐 Suggested hardening

-    runs-on: self-hosted
+    runs-on: [self-hosted, linux, wg-onboard]

Verify the actual label name before merging—ensure the intended trusted runner has the chosen WireGuard onboarding label by checking the repo's configured self-hosted runners.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/wg-onboard.yml at line 50, The `runs-on: self-hosted`
configuration on this job is too permissive and poses a security risk since the
job uses sensitive secrets (ACTION_PAT and MOSIP_AWS_PEM). Replace the generic
`runs-on: self-hosted` with a dedicated label that restricts execution to a
specific trusted Linux runner owned only by the WireGuard onboarding process.
Verify that the intended self-hosted runner is properly configured with this
dedicated label and has the necessary tools (bash, ssh, git) before merging.

[Ivanmeneges]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.