From 2788d7aa8215b359a412165e6438e8c261591b5d Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Thu, 25 Jun 2026 11:02:18 +0100
Subject: [PATCH] fix(ci): bind forge SSH key to SSH_PRIVATE_KEY env so mirror
 guards work
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

mirror.yml guarded each forge's ssh-agent step with
`if: ${{ env.SSH_PRIVATE_KEY != '' }}` but SSH_PRIVATE_KEY was never defined
(no env: block, no $GITHUB_ENV write) — so the guard was permanently false,
ssh-agent never loaded, and every enabled mirror push ran keyless and failed
silently. Binds each job's real secret (secrets.<FORGE>_SSH_KEY) to a job-level
SSH_PRIVATE_KEY env so the existing guard evaluates correctly per forge.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 .github/workflows/mirror.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml
index 9db8544..6efb50d 100644
--- a/.github/workflows/mirror.yml
+++ b/.github/workflows/mirror.yml
@@ -12,6 +12,8 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     if: vars.GITLAB_MIRROR_ENABLED == 'true'
+    env:
+      SSH_PRIVATE_KEY: ${{ secrets.GITLAB_SSH_KEY }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -29,6 +31,8 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     if: vars.BITBUCKET_MIRROR_ENABLED == 'true'
+    env:
+      SSH_PRIVATE_KEY: ${{ secrets.BITBUCKET_SSH_KEY }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -46,6 +50,8 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     if: vars.CODEBERG_MIRROR_ENABLED == 'true'
+    env:
+      SSH_PRIVATE_KEY: ${{ secrets.CODEBERG_SSH_KEY }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -63,6 +69,8 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     if: vars.SOURCEHUT_MIRROR_ENABLED == 'true'
+    env:
+      SSH_PRIVATE_KEY: ${{ secrets.SOURCEHUT_SSH_KEY }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -80,6 +88,8 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     if: vars.DISROOT_MIRROR_ENABLED == 'true'
+    env:
+      SSH_PRIVATE_KEY: ${{ secrets.DISROOT_SSH_KEY }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -97,6 +107,8 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     if: vars.GITEA_MIRROR_ENABLED == 'true'
+    env:
+      SSH_PRIVATE_KEY: ${{ secrets.GITEA_SSH_KEY }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with: