Description
When a user pushes code via the Git Proxy, they authenticate with their SSH key, which is also required for the final push to the remote repository (e.g., GitHub/GitLab). Currently, after approval, the user must manually re-authenticate. To automate this, the proxy must securely retain the user's SSH key during approval and reuse it for the final push—without exposing it or requiring user re-entry.
Key Requirements
1. Key Reuse for Push
   - Once approved, the proxy uses the same key to push to the remote repo
   - Immediately wipe the key after push (success or failure)
2. Security Constraints
   - No long-term storage: Keys are discarded if:
     - Approval is rejected
     - Approval timeout (e.g., 24 hours) is reached
   - Isolation: Keys are never accessible to other users/processes
3. Audit Trail
   - Log key usage:
     [PROXY] Push executed with key for user:X, request:Y, approved-by:Z
Task
- Add privateKey field to Action model
- Update database schema to store private key
- Implement private key capture from push operation
- Add basic validation for private key format
- Acceptance Criteria:
  - System can capture private key from push operation
  - Private key is stored with the action
  - Basic validation ensures key is in correct format
  - Database can persist the key
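
The key lifecycle listed under Key Requirements (hold until approval, wipe on rejection, on timeout, or after the push, and log the use), as an added example that is not part of the issue or the project's code. `PendingKeyStore`, its method names and the in-memory `Map` are assumptions, and the sample key is constructed.

```javascript
// Added example (hypothetical names): in-memory holder for a key awaiting approval.
const TTL_MS = 24 * 60 * 60 * 1000; // approval timeout; the issue gives 24 hours as an example

class PendingKeyStore {
  #held = new Map(); // requestId -> { user, key, expiresAt }; never written to disk
  constructor(log = console.log) { this.log = log; }

  // Takes ownership of `key` (a Buffer) so wiping also clears the caller's copy.
  hold(requestId, user, key, now = Date.now()) {
    // Basic format check on the bytes only; no string copy of the key is created.
    const ok = Buffer.isBuffer(key) && key.indexOf('-----BEGIN ') === 0 &&
      key.includes('PRIVATE KEY-----') && key.includes('-----END ');
    if (!ok) throw new Error('not a PEM-style private key');
    this.#held.set(requestId, { user, key, expiresAt: now + TTL_MS });
  }

  // Zero the key bytes and forget the entry; used for rejection and after any push.
  discard(requestId) {
    const e = this.#held.get(requestId);
    if (!e) return false;
    e.key.fill(0);
    return this.#held.delete(requestId);
  }

  // Discard every key whose approval window has passed; returns how many were wiped.
  sweep(now = Date.now()) {
    let wiped = 0;
    for (const [id, e] of this.#held) if (e.expiresAt <= now && this.discard(id)) wiped++;
    return wiped;
  }

  // Run push(key) for an approved request; the key is wiped on success or failure.
  pushApproved(requestId, approvedBy, push, now = Date.now()) {
    const e = this.#held.get(requestId);
    try {
      if (!e || e.expiresAt <= now) throw new Error('no live key for request');
      const result = push(e.key);
      this.log(`[PROXY] Push executed with key for user:${e.user}, request:${requestId}, approved-by:${approvedBy}`);
      return result;
    } finally {
      this.discard(requestId);
    }
  }
}

// Constructed sample input, not a real key.
const sampleKey = () => Buffer.from(
  '-----BEGIN OPENSSH PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END OPENSSH PRIVATE KEY-----\n');
```

The `push` callback is synchronous here; with an asynchronous push, await it inside the `try` so the wipe in `finally` runs only after the push settles.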