post_push.yml: Write the SSH key more securely

Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
author: Takashi Kokubun <takashikkbn@gmail.com> 2025-10-08 13:10:49 -0700
committer: Takashi Kokubun <takashikkbn@gmail.com> 2025-10-08 13:11:54 -0700
commit: 501dd27eb249fa3b1546893ecaec033f1ce69fd4 (patch)
tree: 736fd15c5ce8c0090baeae18c164db5ffaced4dc
parent: 77b019f656b33d8f8af359522d421d66cf4625ee (diff)
1 files changed, 1 insertions, 2 deletions
diff --git a/.github/workflows/post_push.yml b/.github/workflows/post_push.yml
index 32d74f644e..317aad2e42 100644
--- a/.github/workflows/post_push.yml
+++ b/.github/workflows/post_push.yml
@@ -13,8 +13,7 @@ jobs:
       - name: Sync git.ruby-lang.org
         run: |
           mkdir -p ~/.ssh
-          echo "$RUBY_GIT_SYNC_PRIVATE_KEY" > ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          (umask 066; printenv RUBY_GIT_SYNC_PRIVATE_KEY > ~/.ssh/id_ed25519)
           ssh-keyscan -t ed25519 git.ruby-lang.org >> ~/.ssh/known_hosts
           ssh -i ~/.ssh/id_ed25519 git-sync@git.ruby-lang.org "sudo -u git /home/git/git.ruby-lang.org/bin/update-ruby.sh $GITHUB_REF"
         env:
author	Takashi Kokubun <takashikkbn@gmail.com>	2025-10-08 13:10:49 -0700
committer	Takashi Kokubun <takashikkbn@gmail.com>	2025-10-08 13:11:54 -0700
commit	501dd27eb249fa3b1546893ecaec033f1ce69fd4 (patch)
tree	736fd15c5ce8c0090baeae18c164db5ffaced4dc
parent	77b019f656b33d8f8af359522d421d66cf4625ee (diff)