openbitdo/process/aur_publish_troubleshooting.md

AUR Publish SSH Troubleshooting

This runbook focuses on resolving AUR publish failures such as Permission denied (publickey) in release workflows.

Preconditions

  • AUR_USERNAME secret exists.
  • AUR_SSH_PRIVATE_KEY secret exists and contains the full private key block.
  • Runner can reach aur.archlinux.org:22.

1) Key format and permissions checks

Run on a secure local shell before updating secrets:

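# Keep the scratch directory and key file private from the moment they are created
umask 077
mkdir -p /tmp/aur-debug && chmod 700 /tmp/aur-debug && cd /tmp/aur-debug
cat > aur_key <<'KEY'
<PASTE_PRIVATE_KEY>
KEY
chmod 600 aur_key
# Derive the public key: fails on a malformed key, prompts if the key has a passphrase
ssh-keygen -y -f aur_key >/tmp/aur_key.pub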

Expected:

  • ssh-keygen -y succeeds.
  • no passphrase prompt for CI use.

2) Known hosts and host verification

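mkdir -p ~/.ssh && chmod 700 ~/.ssh
# ssh-keyscan does not authenticate the server: compare the scanned key's
# fingerprint with the fingerprints published by the AUR before relying on it
ssh-keyscan -H aur.archlinux.org >> ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts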

Expected:

  • aur.archlinux.org host key is present in known_hosts.

3) SSH dry-run authentication

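# IdentitiesOnly=yes keeps ssh from offering other keys from the agent;
# StrictHostKeyChecking=yes refuses a host that is not already in known_hosts
ssh -i /tmp/aur-debug/aur_key \
  -o IdentitiesOnly=yes \
  -o StrictHostKeyChecking=yes \
  "${AUR_USERNAME}@aur.archlinux.org"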

Expected success signature:

  • authentication accepted (AUR may close session after auth; that still proves key acceptance).

Expected failure signatures:

  • Permission denied (publickey) means wrong key/user pairing.
  • Host key verification failed means known_hosts mismatch/missing.

4) Repo-level publish dry run

For package repo:

git ls-remote ssh://${AUR_USERNAME}@aur.archlinux.org/openbitdo-bin.git

Expected:

  • command returns refs without auth failures.

5) CI secret update checklist

  • Store private key in AUR_SSH_PRIVATE_KEY exactly as multiline PEM/OpenSSH block.
  • Store account name in AUR_USERNAME.
  • Re-run release workflow preflight job.
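
A layout pre-check for the key file a job writes from AUR_SSH_PRIVATE_KEY, covering the "full private key block" precondition and the multiline requirement in step 5. This is an added example, not part of the openbitdo workflows; `check_key_block` and its result labels are hypothetical names, and it checks layout only, so `ssh-keygen -y` from step 1 remains the real validity test.

```sh
#!/bin/sh
# Added example (not from the openbitdo repo). check_key_block is a
# hypothetical helper: it reads a key file on stdin, prints one label and
# returns non-zero on a layout problem. It never prints key material.
check_key_block() {
  cr=$(printf '\r')
  nl='
'
  # The sentinel "x" stops $(...) from stripping trailing newlines.
  raw=$(cat; printf x); raw=${raw%x}

  [ -n "$raw" ] || { echo "empty"; return 1; }
  # CRLF line endings (key edited or pasted on Windows).
  case $raw in *"$cr"*) echo "crlf"; return 1 ;; esac
  # Block flattened to one line: literal backslash-n instead of newlines.
  case $raw in *'\n'*) echo "escaped-newlines"; return 1 ;; esac
  # The END line must be newline-terminated.
  case $raw in *"$nl") ;; *) echo "no-trailing-newline"; return 1 ;; esac

  first=$(printf '%s' "$raw" | head -n 1)
  last=$(printf '%s' "$raw" | tail -n 1)
  count=$(printf '%s' "$raw" | wc -l | tr -d ' ')

  case $first in
    "-----BEGIN "*"PRIVATE KEY-----") ;;
    *) echo "missing-begin"; return 1 ;;
  esac
  case $last in
    "-----END "*"PRIVATE KEY-----") ;;
    *) echo "missing-end"; return 1 ;;
  esac
  [ "$count" -ge 3 ] || { echo "no-body"; return 1; }
  echo "ok"
}

# Constructed sample, not a real key: a secret stored as a single line.
printf '%s' '-----BEGIN OPENSSH PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END OPENSSH PRIVATE KEY-----' \
  | check_key_block || true   # prints "escaped-newlines"
```

In a workflow, run it against the key file the job wrote, for example `check_key_block < aur_key`, and fail the preflight job on a non-zero return.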

6) Post-fix validation

  • Confirm release preflight no longer fails on SSH auth.
  • Confirm publish-aur job pushes openbitdo-bin metadata repo.