fix(scripts): correct known_hosts validation logic

- Updated `check.sh` to verify that the SSH fingerprint exists in the `known_hosts` file using `grep`.
- Adjusted `post_check.sh` to confirm the SSH fingerprint is removed from the `known_hosts` file after the job.
- Added proper cleanup of `SSH_KNOWN_HOSTS_FILE` variable in both scripts for better environment management.

Author: warnyul

.github/workflows/pull_request.yml

@@ -14,12 +14,6 @@ jobs:
     runs-on: ${{ matrix.os }}      
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Setup SSH key
-        uses: ./
-        with:
-          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
-          ssh-known-hosts: ${{ secrets.SSH_KNOWN_HOSTS }}
-          log-public-key: false
       - name: Check known hosts file
         uses: pyTooling/Actions/with-post-step@9ceefdbf5dceae8c441fc393ed82344c7ca8bbdb # v3.1.1
         env:
@@ -29,6 +23,12 @@ jobs:
             sh check.sh
           post: |
             sh post_check.sh
+      - name: Setup SSH key
+        uses: ./
+        with:
+          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
+          ssh-known-hosts: ${{ secrets.SSH_KNOWN_HOSTS }}
+          log-public-key: false
       - name: Install docker (Missing on MacOS)
         if: runner.os == 'macos'
         shell: bash

action.yml

@@ -35,14 +35,6 @@ inputs:
 runs:
   using: 'composite'
   steps:
-    - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0
-      with:
-        ssh-private-key: ${{ inputs.ssh-private-key }}
-        ssh-auth-sock: ${{ inputs.ssh-auth-sock }}
-        log-public-key: ${{ inputs.log-public-key }}
-        ssh-agent-cmd: ${{ inputs.ssh-agent-cmd }}
-        ssh-add-cmd: ${{ inputs.ssh-add-cmd }}
-        git-cmd: ${{ inputs.git-cmd }}
     - uses: pyTooling/Actions/with-post-step@9ceefdbf5dceae8c441fc393ed82344c7ca8bbdb # v3.1.1
       env:
         SSH_HOST: ${{ inputs.ssh-host }}
@@ -53,6 +45,14 @@ runs:
           sh "${{ github.action_path }}/action.sh"
         post: |
           sh "${{ github.action_path }}/post_action.sh"
+    - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0
+      with:
+        ssh-private-key: ${{ inputs.ssh-private-key }}
+        ssh-auth-sock: ${{ inputs.ssh-auth-sock }}
+        log-public-key: ${{ inputs.log-public-key }}
+        ssh-agent-cmd: ${{ inputs.ssh-agent-cmd }}
+        ssh-add-cmd: ${{ inputs.ssh-add-cmd }}
+        git-cmd: ${{ inputs.git-cmd }}
 branding:
   icon: loader
   color: 'purple'

check.sh

@@ -1,7 +1,11 @@
 #!/usr/bin/env sh
 
-if [ ! -s "${HOME}/.ssh/known_hosts" ]; then
+SSH_KNOWN_HOSTS_FILE="${HOME}/.ssh/known_hosts"
+
+if ! grep -q "${SSH_KNOWN_HOSTS}" "${SSH_KNOWN_HOSTS_FILE}"; then
     echo "::error file=$(basename "$0"),line=${LINENO},endLine=${LINENO},title=Assertion Error::\
-~/.ssh/known_hosts is missing or empty."
+${SSH_KNOWN_HOSTS_FILE} file should contain the ssh fingerprint."
     exit 1
-fi
+fi
+
+unset SSH_KNOWN_HOSTS_FILE

post_check.sh

@@ -2,7 +2,7 @@
 
 SSH_KNOWN_HOSTS_FILE="${HOME}/.ssh/known_hosts"
 
-if ! grep -q "${SSH_KNOWN_HOSTS}" "${SSH_KNOWN_HOSTS_FILE}" ; then
+if grep -q "${SSH_KNOWN_HOSTS}" "${SSH_KNOWN_HOSTS_FILE}" ; then
     echo "::error file=$(basename "$0"),line=${LINENO},endLine=${LINENO},title=Assertion Error::\
 ${SSH_KNOWN_HOSTS_FILE} file should not contain the ssh fingerprint after the job."
     exit 1