Conversation

@alexandre-abrioux-rf (Contributor) commented Nov 5, 2025

Description of the changes

The next-release is broken because it is using an old public key from GitHub

Summary by CodeRabbit

  • Chores
    • Updated CI configuration to dynamically fetch and configure GitHub SSH host keys at pipeline runtime instead of relying on a static hard-coded key, ensuring known_hosts is populated reliably, reducing hard-coded secrets, and improving pipeline resilience and security.

@coderabbitai bot (Contributor) commented Nov 5, 2025

Walkthrough

CircleCI config updated: the next-release step now dynamically fetches GitHub SSH keys from the GitHub API (curl + jq), prefixes each key with github.com, and appends them to ~/.ssh/known_hosts instead of adding a single hard-coded RSA key.

Changes

  • CircleCI SSH configuration (.circleci/config.yml): Replaced static echo 'github.com ssh-rsa ...' >> ~/.ssh/known_hosts with `mkdir -p ~/.ssh && curl -sL https://api.github.com/meta | jq -r '.ssh_keys

Sequence Diagram(s)

sequenceDiagram
    participant CI as CircleCI runner
    participant GH as api.github.com
    Note over CI: previous flow (static)
    CI->>CI: mkdir ~/.ssh
    CI->>CI: echo 'github.com ssh-rsa ...' >> ~/.ssh/known_hosts

    Note over CI,GH: new flow (dynamic)
    CI->>GH: GET /meta
    GH-->>CI: JSON { ssh_keys: [...] }
    CI->>CI: jq -r '.ssh_keys | .[]'
    CI->>CI: sed -e 's/^/github.com /'
    CI->>CI: append to ~/.ssh/known_hosts

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Single-file CI config change, small command pipeline.
  • Items to check:
    • Verify jq is available in the CI environment or install it.
    • Validate network access and error handling if GitHub API is unavailable.
    • Ensure resulting known_hosts entries match required SSH key formats.

Suggested reviewers

  • MantisClone
  • aimensahnoun
  • LeoSlrRf

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
  • Description check: ❓ Inconclusive. Explanation: The description explains why the change is needed (old public key broken) but lacks technical details about the solution and implementation approach. Resolution: Expand the description to explain what changed: the solution now dynamically retrieves GitHub SSH keys via their API instead of using a hardcoded static key, and why this approach is better.
✅ Passed checks (1 passed)
  • Title check: ✅ Passed. Explanation: The title 'ci(next-release): fix github ssh key' directly and concisely describes the main change: fixing the SSH key configuration in the CI next-release workflow.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7d8acb8 and cfebd34.

📒 Files selected for processing (1)
  • .circleci/config.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build-and-test

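Added example (not code from this PR or the project's CI): a Python check of the kind the walkthrough's "Items to check" ask for, run against a constructed stand-in for the `/meta` response. It fails closed on an empty or malformed response, accepts only the host key types GitHub publishes, verifies that the type string embedded in each base64 blob matches the declared type, and skips lines already present in known_hosts. `_fake_key`, `SAMPLE_META` and the helper names are constructed for this example; the key bodies are placeholders, not GitHub's real host keys.

```python
import base64
import json
import re
import struct

# Host key algorithms GitHub's /meta endpoint currently advertises.
ALLOWED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"}
_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def _fake_key(key_type: str) -> str:
    # Constructed, cryptographically meaningless key in OpenSSH text form:
    # the blob carries only the type string plus 32 zero bytes (NOT a real key).
    blob = struct.pack(">I", len(key_type)) + key_type.encode()
    blob += struct.pack(">I", 32) + b"\x00" * 32
    return f"{key_type} {base64.b64encode(blob).decode()}"

# Constructed stand-in for the relevant part of `GET https://api.github.com/meta`.
SAMPLE_META = json.dumps({"ssh_keys": [
    _fake_key("ssh-ed25519"), _fake_key("ecdsa-sha2-nistp256"), _fake_key("ssh-rsa")]})

def validate_key(entry: str) -> tuple[str, str]:
    """Return (type, base64 body) or raise ValueError: only known types, a base64
    body, and a blob whose embedded type string matches the declared one."""
    parts = entry.split()
    if len(parts) != 2:
        raise ValueError(f"expected '<type> <base64>', got {entry!r}")
    key_type, body = parts
    if key_type not in ALLOWED_TYPES or not _B64.match(body):
        raise ValueError(f"unexpected key type or body: {entry!r}")
    blob = base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
    # OpenSSH blobs start with a length-prefixed copy of the key type string.
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else -1
    if blob[4:4 + n] != key_type.encode():
        raise ValueError(f"embedded type does not match declared type: {entry!r}")
    return key_type, body

def known_hosts_lines(meta_json: str, host: str = "github.com",
                      existing: tuple[str, ...] = ()) -> list[str]:
    """Build known_hosts lines from the /meta payload, failing closed on an empty
    or malformed response and skipping lines already present in `existing`."""
    data = json.loads(meta_json)
    keys = data.get("ssh_keys") if isinstance(data, dict) else None
    if not isinstance(keys, list) or not keys:
        raise ValueError("no ssh_keys in response; refusing to write known_hosts")
    lines: list[str] = []
    for entry in keys:
        key_type, body = validate_key(entry)
        line = f"{host} {key_type} {body}"
        if line not in existing and line not in lines:
            lines.append(line)
    return lines
```

In a CI step the real response would be fed in from `curl -fsSL https://api.github.com/meta` and the returned lines appended to `~/.ssh/known_hosts` only when the function succeeds.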

- *enable_corepack
- run:
name: 'Allow github ssh host'
command: mkdir ~/.ssh; echo 'github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==' >> ~/.ssh/known_hosts
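Review bot: the `command:` line pins exactly one ssh-rsa host key, so a rotation of that key leaves the job with nothing to match and breaks it outright; it also runs `mkdir ~/.ssh;` without `-p` and joined by `;`, so an existing directory makes mkdir fail noisily while the echo still runs. Suggest `mkdir -p ~/.ssh && ...` and taking all currently published host keys (including ed25519 and ecdsa) from an authoritative source instead of one hard-coded value.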
@alexandre-abrioux-rf (Contributor, Author) commented Nov 5, 2025

This public key was deprecated in 2023, see https://github.blog/news-insights/company-news/we-updated-our-rsa-ssh-host-key/

The authorized public keys are listed here: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints

I'm not sure why the next-release pipeline was still functioning after 2023, even though the key had been deprecated. I suspect that CircleCI was already prefilling the file /home/circleci/.ssh/known_hosts with the proper GitHub keys, so we didn't need to update our workflow. I also suspect that they stopped prefilling the file today following this incident.

@coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d6aabfa and 7d8acb8.

📒 Files selected for processing (1)
  • .circleci/config.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build-and-test

- run:
name: 'Allow github ssh host'
command: mkdir ~/.ssh; echo 'github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==' >> ~/.ssh/known_hosts
command: mkdir -p ~/.ssh && curl -sL https://api.github.com/meta | jq -r '.ssh_keys | .[]' | sed -e 's/^/github.com /' >> ~/.ssh/known_hosts
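Review bot: the new pipeline has no failure handling: `curl -sL` without `-f`/`--fail` passes an HTML error body through on a 4xx/5xx, `jq` then rejects it, and unless the step's shell has `pipefail` set (CircleCI's documented default `/bin/bash -eo pipefail` does, but a custom `shell:` would not) the step exits 0 with an empty known_hosts, so the failure only surfaces later at the git push with a less obvious host-verification error. Suggest `curl -fsSL`, capturing the output to a variable and checking it is non-empty before the `>> ~/.ssh/known_hosts`, and noting in the step name or a comment that the trust anchor is now the TLS connection to api.github.com rather than an in-repo value.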
@alexandre-abrioux-rf (Contributor, Author) commented:

Instead of using a static value, we now get the latest values from GitHub's API

@MantisClone (Member) left a comment

Nice one! 👍 Sorry for the delay 🙇

@alexandre-abrioux-rf alexandre-abrioux-rf merged commit d2a9512 into master Nov 7, 2025
10 checks passed
@alexandre-abrioux-rf alexandre-abrioux-rf deleted the fix-release-ssh-key branch November 7, 2025 08:22