feat(auth): migrate git auth from SSH to HTTPS + token

RHCLOUD-47113
Replace SSH key authentication with HTTPS credential helpers for
both GitHub (gh auth setup-git) and GitLab (custom credential script).
Parameterize all identity values (username, email) as env vars with
no hardcoded defaults. Remove openssh-clients from container image.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Hyperkid123

Dockerfile

@@ -10,7 +10,6 @@ FROM registry.access.redhat.com/ubi9/ubi:latest
 RUN dnf install -y --nodocs --allowerasing \
     python3.12 python3.12-pip python3.12-devel \
     git \
-    openssh-clients \
     curl \
     jq \
     socat \
@@ -158,19 +157,9 @@ RUN mkdir -p /home/botuser/.config/containers /home/botuser/.local/share/contain
     && echo -e '[registries.search]\nregistries = ["registry.access.redhat.com", "quay.io", "docker.io"]' \
        > /home/botuser/.config/containers/registries.conf
 
-# SSH directory — config is generated at runtime by entrypoint.sh
-RUN mkdir -p /home/botuser/.ssh && chmod 700 /home/botuser/.ssh
-ENV GIT_SSH_COMMAND="ssh -F /home/botuser/.ssh/config"
 
-# Pre-add known host keys so first connection doesn't warn
-RUN ssh-keyscan -t ed25519,rsa,ecdsa github.com >> /home/botuser/.ssh/known_hosts 2>/dev/null \
-    && ssh-keyscan -t ed25519,rsa,ecdsa gitlab.cee.redhat.com >> /home/botuser/.ssh/known_hosts 2>/dev/null; \
-    chmod 600 /home/botuser/.ssh/known_hosts
-
-# Git config
-RUN git config --global user.name "platex-rehor-bot" \
-    && git config --global user.email "platform-experience-services@redhat.com" \
-    && git config --global http.https://gitlab.cee.redhat.com.sslVerify false \
+# Git config (identity is set at runtime via GIT_USER_NAME/GIT_USER_EMAIL env vars)
+RUN git config --global http.https://gitlab.cee.redhat.com.sslVerify false \
     && git config --global gpg.format openpgp \
     && git config --global commit.gpgsign true
 

bot/config.py

@@ -83,13 +83,8 @@ def _resolve_env_vars(obj):
     "GH_TOKEN",
     "GITHUB_TOKEN",
     "GITLAB_TOKEN",
-    "SSH_PRIVATE_KEY_B64",
     "GPG_PRIVATE_KEY_B64",
     "GOOGLE_SA_KEY_B64",
-    "BOT_SSH_KEY",
-    "GITLAB_SSH_KEY",
-    "GITLAB_SSH_KEY_B64",
-    "GITLAB_SSH_PASSPHRASE",
     "GPG_SIGNING_KEY",
     "SSO_USERNAME",
     "SSO_PASSWORD",

bot/run.py

@@ -29,53 +29,6 @@ def _resolve_path(p: str) -> str:
     return str(path.resolve())
 
 
-def setup_ssh(script_dir: Path) -> None:
-    """Generate SSH config from env vars and set GIT_SSH_COMMAND.
-
-    Reads BOT_SSH_KEY (for github.com) and GITLAB_SSH_KEY (for gitlab)
-    from the environment. Skips if neither is set.
-    """
-    bot_key = os.environ.get("BOT_SSH_KEY")
-    gitlab_key = os.environ.get("GITLAB_SSH_KEY")
-
-    if not bot_key and not gitlab_key:
-        # No keys configured — check if there's an existing SSH config
-        # in the project dir (e.g. committed to the repo) and use it.
-        fallback = ssh_dir / "config" if (ssh_dir := script_dir / ".ssh").exists() else None
-        if fallback and fallback.exists():
-            os.environ["GIT_SSH_COMMAND"] = f"ssh -F {fallback}"
-        return
-
-    ssh_dir = script_dir / ".ssh"
-    ssh_dir.mkdir(exist_ok=True)
-    config_path = ssh_dir / "config"
-
-    lines = ["# Auto-generated by bot/run.py — do not edit manually"]
-
-    if bot_key:
-        lines += [
-            "",
-            "Host github.com-bot",
-            "  HostName github.com",
-            "  User git",
-            f"  IdentityFile {_resolve_path(bot_key)}",
-            "  IdentitiesOnly yes",
-            "  StrictHostKeyChecking accept-new",
-        ]
-
-    if gitlab_key:
-        lines += [
-            "",
-            "Host gitlab.cee.redhat.com",
-            f"  IdentityFile {_resolve_path(gitlab_key)}",
-            "  IdentitiesOnly yes",
-            "  StrictHostKeyChecking accept-new",
-        ]
-
-    config_path.write_text("\n".join(lines) + "\n")
-    config_path.chmod(0o600)
-    os.environ["GIT_SSH_COMMAND"] = f"ssh -F {config_path}"
-
 
 def setup_git(script_dir: Path) -> None:
     """Generate a .gitconfig with identity and optional GPG signing.
@@ -142,8 +95,7 @@ def main() -> None:
     if gac and not os.path.isabs(gac):
         os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = str(SCRIPT_DIR / gac)
 
-    # Set up SSH and git identity from env vars (no-op if not configured)
-    setup_ssh(SCRIPT_DIR)
+    # Set up git identity from env vars (no-op if not configured)
     setup_git(SCRIPT_DIR)
 
     parser = argparse.ArgumentParser(description="Dev bot agent loop")

deploy/template.yaml

@@ -21,6 +21,14 @@ parameters:
   value: hcc-ai-bot
 - name: BOT_REPLICAS
   value: "1"
+- name: GIT_USER_NAME
+  required: true
+- name: GIT_USER_EMAIL
+  required: true
+- name: GH_USERNAME
+  required: true
+- name: GITLAB_USERNAME
+  required: true
 objects:
 
 # ============================================================================
@@ -257,7 +265,16 @@ objects:
             value: "60"
           - name: GOOGLE_APPLICATION_CREDENTIALS
             value: /home/botuser/sa-key.json
-          # Proxy — PROXY_HOST for SSH config, HTTP(S)_PROXY for HTTP clients
+          # Git identity
+          - name: GIT_USER_NAME
+            value: ${GIT_USER_NAME}
+          - name: GIT_USER_EMAIL
+            value: ${GIT_USER_EMAIL}
+          - name: GH_USERNAME
+            value: ${GH_USERNAME}
+          - name: GITLAB_USERNAME
+            value: ${GITLAB_USERNAME}
+          # Proxy — HTTP(S)_PROXY for git and HTTP clients
           - name: PROXY_HOST
             value: devbot-proxy
           - name: HTTP_PROXY
@@ -273,11 +290,6 @@ objects:
           - name: no_proxy
             value: devbot-memory-server,localhost,127.0.0.1
           # Secrets from Vault (devbot-secrets)
-          - name: SSH_PRIVATE_KEY_B64
-            valueFrom:
-              secretKeyRef:
-                name: devbot-secrets
-                key: gh-bot-private-key
           - name: GPG_PRIVATE_KEY_B64
             valueFrom:
               secretKeyRef:
@@ -288,6 +300,11 @@ objects:
               secretKeyRef:
                 name: devbot-secrets
                 key: gh-bot-cli-token
+          - name: GITLAB_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: devbot-secrets
+                key: gl-bot-cli-token
           - name: GOOGLE_SA_KEY_B64
             valueFrom:
               secretKeyRef:

docker-compose.yml

@@ -65,11 +65,13 @@ services:
     env_file:
       - .env
     environment:
-      - SSH_PRIVATE_KEY_B64
-      - GITLAB_SSH_KEY_B64
       - GPG_PRIVATE_KEY_B64
       - GH_TOKEN
       - GITLAB_TOKEN
+      - GH_USERNAME
+      - GITLAB_USERNAME
+      - GIT_USER_NAME
+      - GIT_USER_EMAIL
       - GOOGLE_SA_KEY_B64
       - SSO_USERNAME
       - SSO_PASSWORD

entrypoint.sh

@@ -27,38 +27,19 @@ decode_or_raw() {
     esac
 }
 
-# Decode SSH keys (separate keys for GitHub and GitLab)
-if [ -n "${SSH_PRIVATE_KEY_B64:-}" ]; then
-    decode_or_raw "$SSH_PRIVATE_KEY_B64" > ~/.ssh/id_gh
-    chmod 600 ~/.ssh/id_gh
-    unset SSH_PRIVATE_KEY_B64
-fi
-
-if [ -n "${GITLAB_SSH_KEY_B64:-}" ]; then
-    decode_or_raw "$GITLAB_SSH_KEY_B64" > ~/.ssh/id_gl
-    chmod 600 ~/.ssh/id_gl
-    unset GITLAB_SSH_KEY_B64
+# Git credential helpers for HTTPS auth (replaces SSH keys)
+# GitHub: gh CLI acts as credential helper
+# GitLab: custom helper script injects token
+if [ -n "${GITLAB_TOKEN:-}" ]; then
+    cat > /home/botuser/.git-credential-gitlab <<CREDEOF
+#!/bin/bash
+echo "username=${GITLAB_USERNAME}"
+echo "password=${GITLAB_TOKEN}"
+CREDEOF
+    chmod 700 /home/botuser/.git-credential-gitlab
+    git config --global credential.https://gitlab.cee.redhat.com.helper "/home/botuser/.git-credential-gitlab"
 fi
 
-# Generate SSH config — PROXY_HOST defaults to "proxy" (matches docker-compose service name)
-PROXY_HOST="${PROXY_HOST:-proxy}"
-cat > ~/.ssh/config <<SSHEOF
-Host github.com
-  HostName github.com
-  User git
-  IdentityFile /home/botuser/.ssh/id_gh
-  IdentitiesOnly yes
-  StrictHostKeyChecking accept-new
-  ProxyCommand socat - PROXY:${PROXY_HOST}:%h:%p,proxyport=3128
-
-Host gitlab.cee.redhat.com
-  IdentityFile /home/botuser/.ssh/id_gl
-  IdentitiesOnly yes
-  StrictHostKeyChecking accept-new
-  ProxyCommand socat - PROXY:${PROXY_HOST}:%h:%p,proxyport=3128
-SSHEOF
-chmod 600 ~/.ssh/config
-
 # Write SSO credentials file for stage auth (chrome-devtools)
 if [ -n "${SSO_USERNAME:-}" ] && [ -n "${SSO_PASSWORD:-}" ]; then
     cat > /home/botuser/app/.credentials <<EOF
@@ -68,6 +49,10 @@ EOF
     unset SSO_USERNAME SSO_PASSWORD
 fi
 
+# Git identity from env vars
+git config --global user.name "${GIT_USER_NAME}"
+git config --global user.email "${GIT_USER_EMAIL}"
+
 # Import GPG key for commit signing
 if [ -n "${GPG_PRIVATE_KEY_B64:-}" ]; then
     gpg --batch --import <(decode_or_raw "$GPG_PRIVATE_KEY_B64") 2>/dev/null
@@ -83,14 +68,15 @@ fi
 # Point MCP config to the memory server
 sed -i "s|http://localhost:8080/mcp|${BOT_MEMORY_URL}|" .mcp.json
 
-# Configure gh CLI auth
+# Configure gh CLI auth (HTTPS + credential helper for git)
 mkdir -p ~/.config/gh
 cat > ~/.config/gh/hosts.yml <<EOF
 github.com:
     oauth_token: ${GH_TOKEN}
-    user: platex-rehor-bot
-    git_protocol: ssh
+    user: ${GH_USERNAME}
+    git_protocol: https
 EOF
+gh auth setup-git 2>/dev/null || true
 
 # Remove token from env — gh uses the config file from now on
 unset GH_TOKEN
@@ -99,7 +85,7 @@ unset GH_TOKEN
 if [ -n "${GITLAB_TOKEN:-}" ]; then
     mkdir -p ~/.config/glab-cli
     cat > ~/.config/glab-cli/config.yml <<EOF
-git_protocol: ssh
+git_protocol: https
 check_update: false
 no_prompt: true
 host: gitlab.cee.redhat.com
@@ -108,7 +94,7 @@ hosts:
         token: ${GITLAB_TOKEN}
         api_protocol: https
         api_host: gitlab.cee.redhat.com
-        git_protocol: ssh
+        git_protocol: https
         skip_tls_verify: true
 EOF
     chmod 600 ~/.config/glab-cli/config.yml
@@ -162,5 +148,5 @@ CHROME_BIN=$(find "$PLAYWRIGHT_BROWSERS_PATH" -name chrome -type f | head -1)
 # Wait for Chromium to be ready
 until curl -s http://127.0.0.1:9222/json/version > /dev/null 2>&1; do sleep 1; done
 
-echo "Keys loaded. Chromium started. Starting bot with label: ${BOT_LABEL}"
+echo "Credentials configured. Chromium started. Starting bot with label: ${BOT_LABEL}"
 exec uv run dev-bot --label "$BOT_LABEL"