Replace checkout action with manual SSH clone

- Bypass SSSD KnownHostsCommand by using custom SSH config
- Set KnownHostsCommand none in SSH config
- Use GIT_SSH_COMMAND with explicit config file
- Manual git clone with --recurse-submodules

.gitea/workflows/build.yml

@@ -28,21 +28,36 @@ jobs:
           fi
           node --version
 
-      - name: Get Gitea SSH host key
-        id: ssh-host-key
+      - name: Setup SSH and checkout
         shell: bash
+        env:
+          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
         run: |
-          HOST_KEY=$(ssh-keyscan -t ed25519,rsa,ecdsa gitea.kindred.internal 2>/dev/null | head -1)
-          echo "host-key=$HOST_KEY" >> $GITHUB_OUTPUT
+          # Setup SSH key
+          mkdir -p ~/.ssh
+          echo "$DEPLOY_KEY" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
 
-      - name: Checkout repository
-        uses: https://code.forgejo.org/actions/checkout@v4
-        with:
-          submodules: recursive
-          fetch-depth: 0
-          ssh-key: ${{ secrets.DEPLOY_KEY }}
-          ssh-known-hosts: ${{ steps.ssh-host-key.outputs.host-key }}
-          ssh-strict: false
+          # Get host key and add to known_hosts
+          ssh-keyscan -t ed25519,rsa,ecdsa gitea.kindred.internal >> ~/.ssh/known_hosts 2>/dev/null
+          chmod 600 ~/.ssh/known_hosts
+
+          # Configure SSH to bypass SSSD KnownHostsCommand
+          cat > ~/.ssh/config << 'EOF'
+          Host gitea.kindred.internal
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking no
+            UserKnownHostsFile ~/.ssh/known_hosts
+            KnownHostsCommand none
+          EOF
+          chmod 600 ~/.ssh/config
+
+          # Set GIT_SSH_COMMAND to use our config
+          export GIT_SSH_COMMAND="ssh -F ~/.ssh/config"
+
+          # Clone repository
+          git clone --recurse-submodules git@gitea.kindred.internal:kindred/create-0070.git .
+          git fetch --tags
 
       - name: Install pixi if needed
         shell: bash

.gitea/workflows/release.yml

@@ -36,22 +36,36 @@ jobs:
           fi
           node --version
 
-      - name: Get Gitea SSH host key
-        id: ssh-host-key
+      - name: Setup SSH and checkout
         shell: bash
+        env:
+          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
         run: |
-          HOST_KEY=$(ssh-keyscan -t ed25519,rsa,ecdsa gitea.kindred.internal 2>/dev/null | head -1)
-          echo "host-key=$HOST_KEY" >> $GITHUB_OUTPUT
+          # Setup SSH key
+          mkdir -p ~/.ssh
+          echo "$DEPLOY_KEY" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
 
-      - name: Checkout repository
-        uses: https://code.forgejo.org/actions/checkout@v4
-        with:
-          submodules: recursive
-          fetch-depth: 0
-          fetch-tags: true
-          ssh-key: ${{ secrets.DEPLOY_KEY }}
-          ssh-known-hosts: ${{ steps.ssh-host-key.outputs.host-key }}
-          ssh-strict: false
+          # Get host key and add to known_hosts
+          ssh-keyscan -t ed25519,rsa,ecdsa gitea.kindred.internal >> ~/.ssh/known_hosts 2>/dev/null
+          chmod 600 ~/.ssh/known_hosts
+
+          # Configure SSH to bypass SSSD KnownHostsCommand
+          cat > ~/.ssh/config << 'EOF'
+          Host gitea.kindred.internal
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking no
+            UserKnownHostsFile ~/.ssh/known_hosts
+            KnownHostsCommand none
+          EOF
+          chmod 600 ~/.ssh/config
+
+          # Set GIT_SSH_COMMAND to use our config
+          export GIT_SSH_COMMAND="ssh -F ~/.ssh/config"
+
+          # Clone repository
+          git clone --recurse-submodules git@gitea.kindred.internal:kindred/create-0070.git .
+          git fetch --tags
 
       - name: Install pixi if needed
         shell: bash