
[Fixes: mosip/mosip-infra#1874] Added WireGuard onboarding workflow#249

Open
Ivanmeneges wants to merge 3 commits into develop from Ivanmeneges-patch-3
Conversation

@Ivanmeneges

@Ivanmeneges Ivanmeneges commented Jun 16, 2026

Contributor

This workflow automates the onboarding of WireGuard environments by allocating peers and managing GitHub secrets.

Summary by CodeRabbit

  • Chores
    • Added a manually-triggered workflow for self-service WireGuard environment onboarding, with dispatch inputs for environment/branch details, jumpserver connection, allowed IPs, and optional ticket text.
    • Introduced safe default dry-run behavior, including SSH private key validation; when confirmed (non–dry-run), it updates the peer allocation tracker and publishes the changes.

This workflow automates the onboarding of WireGuard environments by allocating peers and managing GitHub secrets.

Signed-off-by: Ivanmeneges <ivan.anil016@gmail.com>
@coderabbitai

coderabbitai Bot commented Jun 16, 2026

Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 57a5caf3-dd10-4886-a619-8b3888e0de17

📥 Commits

Reviewing files that changed from the base of the PR and between e972d6e and d62274f.

📒 Files selected for processing (1)
  • .github/workflows/wg-onboard.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/wg-onboard.yml

Walkthrough

Adds a new GitHub Actions workflow .github/workflows/wg-onboard.yml triggered via workflow_dispatch for self-service WireGuard environment onboarding. It accepts inputs for environment, jumpserver details, SSH secret name, optional ticket, WireGuard directory, allowed IPs, and a DRY_RUN flag. The workflow sets up SSH credentials, runs scripts/wg-onboard.sh, and conditionally commits changes to scripts/wg-peer-allocation.tsv.

Changes

WireGuard Onboarding Workflow

Workflow trigger and dispatch inputs (.github/workflows/wg-onboard.yml): Defines workflow_dispatch with required inputs (environment name, jumpserver host, SSH secret name) and optional inputs (ticket, WireGuard directory, allowed IPs, DRY_RUN boolean defaulting to true).

Job setup and SSH key reconstruction (.github/workflows/wg-onboard.yml): Configures a self-hosted runner job, checks out the repo with secrets.PAT_TOKEN, reconstructs the jumpserver private key from a named secret with CR-stripping, sets 600 permissions, and validates the key via ssh-keygen.

Script execution and conditional TSV commit (.github/workflows/wg-onboard.yml): Invokes scripts/wg-onboard.sh with derived --ticket and --dry-run flags; when DRY_RUN is false, detects changes to scripts/wg-peer-allocation.tsv, configures git author info, and commits and pushes with a wg: prefixed message.

Sequence Diagram

sequenceDiagram
  participant Dispatcher as workflow_dispatch
  participant Runner as Self-hosted Runner
  participant SSHKey as ~/.ssh/jumpserver_key
  participant Script as scripts/wg-onboard.sh
  participant Repo as Remote Repository

  Dispatcher->>Runner: trigger with inputs
  Runner->>SSHKey: write secret, strip CR, chmod 600
  Runner->>SSHKey: ssh-keygen validate
  Runner->>Script: execute with env/host/path/ticket/dry-run flags
  Script-->>Runner: exit
  Runner->>Repo: commit & push wg-peer-allocation.tsv (if not DRY_RUN)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 A rabbit hops through the WireGuard gate,
SSH keys tucked neatly, permissions set straight,
DRY_RUN by default, so nothing goes wrong,
The TSV gets committed with a wg: song,
Self-hosted runners scurry, the tunnel's in place —
Onboarding peers now at a marvelous pace! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly references the issue being fixed and clearly describes the main change: adding a WireGuard onboarding workflow.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@Ivanmeneges

Ivanmeneges commented Jun 16, 2026

Contributor Author

@coderabbitai review.

@coderabbitai

coderabbitai Bot commented Jun 16, 2026

Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Jun 16, 2026

Contributor

@Ivanmeneges: I'll start the review of the WireGuard onboarding workflow changes right away!

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/wg-onboard.yml:
- Around line 66-80: The workflow directly expands workflow dispatch inputs
using `${{ inputs.* }}` syntax within shell commands, creating a command
injection vulnerability if any input contains shell metacharacters. Fix this
across three locations in `.github/workflows/wg-onboard.yml`: (1) At lines 66-80
in the "Run WireGuard onboarding" step, move ENV_NAME, JUMPSERVER_HOST, WG_DIR,
ALLOWED_IPS, TICKET, and DRY_RUN from the script arguments into the env: block,
then reference them as shell variables ($VAR_NAME) in the run: block, and build
the conditional flags (--ticket and --dry-run) using shell logic instead of
GitHub expressions. (2) At lines 53-64, pass the SSH_PRIVATE_KEY secret name via
env: so it can be safely referenced in the error message without direct input
expansion. (3) At lines 82-93, pass ENV_NAME and github.actor via env: for use
in git config and commit message instead of expanding them directly in the run:
block.
- Around line 53-64: The error message on line 62 directly expands the GitHub
Actions template ${{ inputs.SSH_PRIVATE_KEY }} into the shell, creating a
command injection risk if the secret name contains shell metacharacters. Add
`SSH_KEY_NAME: ${{ inputs.SSH_PRIVATE_KEY }}` to the env section at the top of
the step, then in the error message replace the direct template expansion with
the environment variable reference using `$SSH_KEY_NAME` instead of `${{
inputs.SSH_PRIVATE_KEY }}`.
- Around line 82-93: The commit message on line 91 directly expands the
inputs.ENV_NAME template variable without proper quoting, creating a template
injection risk if the input contains special characters or quotes. Additionally,
the git push command on line 92 lacks safeguards for concurrent workflow
execution and may fail if multiple workflows push simultaneously. To fix this,
properly escape or quote the inputs.ENV_NAME variable in the commit message
string to prevent injection attacks, and add error handling or retry logic
around the git push command to gracefully handle potential race conditions when
concurrent workflows attempt to push to the same branch.
- Around line 48-51: The checkout action step in the wg-onboard.yml workflow has
two security vulnerabilities. First, replace the `actions/checkout@v4` tag with
a pinned commit SHA to prevent supply-chain attacks. Second, add
`persist-credentials: false` to the with section to prevent the PAT_TOKEN from
being persisted in git config and potentially leaked by subsequent workflow
steps or artifacts. Both changes should be made to the same Checkout repository
step that currently uses the version tag and accepts the token parameter.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 0a53931d-a1c1-4ad8-918e-2e937ab5a4f8

📥 Commits

Reviewing files that changed from the base of the PR and between be1c242 and bbcaa24.

📒 Files selected for processing (1)
  • .github/workflows/wg-onboard.yml
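The hardened shape the review above asks for, shown as one workflow skeleton: dispatch inputs are passed through an env: block and read as shell variables instead of being expanded into run: text; the conditional --ticket and --dry-run flags are built with shell logic; the secret name is referenced only via env:; the git identity and commit message come from environment variables; the checkout is pinned to a commit SHA with persist-credentials: false; and the push is wrapped in a bounded retry. This is an added illustration, not the workflow from this PR or from mosip-infra. The checkout SHA is a placeholder, and the scripts/wg-onboard.sh flags (--env, --host, --key, --ticket, --dry-run) are assumed rather than taken from the page.

```yaml
name: WireGuard onboarding (hardened example, not the PR's workflow)

on:
  workflow_dispatch:
    inputs:
      ENV_NAME:
        description: "Environment name"
        required: true
        type: string
      JUMPSERVER_HOST:
        required: true
        type: string
      SSH_PRIVATE_KEY:
        description: "Name of the repository secret holding the jumpserver key"
        required: true
        type: string
      TICKET:
        required: false
        type: string
        default: ""
      DRY_RUN:
        type: boolean
        default: true

jobs:
  onboard:
    runs-on: self-hosted
    permissions:
      contents: write
    steps:
      # Pin to a full commit SHA, not a mutable tag. The SHA below is a placeholder;
      # look up the real one for the release you intend to use.
      - name: Checkout repository
        uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          token: ${{ secrets.PAT_TOKEN }}
          persist-credentials: false   # do not leave PAT_TOKEN in .git/config

      # Unsafe pattern the review flags (shown commented out for contrast): the input
      # is substituted into the script text before the shell parses it, so any shell
      # metacharacters in the value are interpreted as code.
      #   run: ./scripts/wg-onboard.sh --env "${{ inputs.ENV_NAME }}"

      - name: Install jumpserver key
        env:
          # Secret *name* from the input, secret *value* via the secrets context;
          # neither is interpolated into the shell text.
          SSH_KEY_NAME: ${{ inputs.SSH_PRIVATE_KEY }}
          SSH_KEY_VALUE: ${{ secrets[inputs.SSH_PRIVATE_KEY] }}
        run: |
          set -euo pipefail
          if [ -z "$SSH_KEY_VALUE" ]; then
            echo "::error::secret '$SSH_KEY_NAME' is empty or not defined"
            exit 1
          fi
          mkdir -p ~/.ssh && chmod 700 ~/.ssh
          printf '%s\n' "$SSH_KEY_VALUE" | tr -d '\r' > ~/.ssh/jumpserver_key
          chmod 600 ~/.ssh/jumpserver_key
          ssh-keygen -y -f ~/.ssh/jumpserver_key > /dev/null   # fails on a malformed key

      - name: Run WireGuard onboarding
        env:
          ENV_NAME: ${{ inputs.ENV_NAME }}
          JUMPSERVER_HOST: ${{ inputs.JUMPSERVER_HOST }}
          TICKET: ${{ inputs.TICKET }}
          DRY_RUN: ${{ inputs.DRY_RUN }}
        run: |
          set -euo pipefail
          # Values reach the script as argv entries; the shell never re-parses them.
          args=(--env "$ENV_NAME" --host "$JUMPSERVER_HOST" --key ~/.ssh/jumpserver_key)
          if [ -n "$TICKET" ]; then args+=(--ticket "$TICKET"); fi
          if [ "$DRY_RUN" = "true" ]; then args+=(--dry-run); fi
          ./scripts/wg-onboard.sh "${args[@]}"

      - name: Commit peer allocation
        if: ${{ inputs.DRY_RUN == false }}
        env:
          ENV_NAME: ${{ inputs.ENV_NAME }}
          ACTOR: ${{ github.actor }}
          PAT_TOKEN: ${{ secrets.PAT_TOKEN }}
        run: |
          set -euo pipefail
          if [ -z "$(git status --porcelain -- scripts/wg-peer-allocation.tsv)" ]; then
            echo "no allocation changes"; exit 0
          fi
          git config user.name "$ACTOR"
          git config user.email "$ACTOR@users.noreply.github.com"
          git add scripts/wg-peer-allocation.tsv
          git commit -m "wg: onboard $ENV_NAME"   # ENV_NAME is data here, not code
          # Credentials were not persisted, so the token is supplied per command.
          remote="https://x-access-token:${PAT_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
          for attempt in 1 2 3; do
            if git pull --rebase "$remote" "$GITHUB_REF_NAME" \
               && git push "$remote" HEAD:"$GITHUB_REF_NAME"; then
              exit 0
            fi
            sleep $((attempt * 5))   # another dispatch may have pushed first
          done
          echo "::error::push failed after 3 attempts"; exit 1
```

The distinction that matters is where substitution happens: `${{ ... }}` is expanded by the Actions runner into the script source before bash ever runs, so it can change the script's structure, whereas an `env:` value is only ever read by bash as the contents of a variable. The same rule applies to `github.actor` and any other context value that an external party can influence.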


@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/wg-onboard.yml:
- Line 81: The workflow in .github/workflows/wg-onboard.yml references script
files that do not exist in the repository. At line 81, the chmod command
references `.github/workflows/scripts/wg-onboard.sh`, but there is no scripts/
subdirectory under workflows/. Additionally, the workflow references
wg-peer-allocation.tsv which does not exist. The documentation at line 8
indicates the correct location should be `.github/scripts/wg-onboard.sh`. To fix
this, either create the missing wg-onboard.sh and wg-peer-allocation.tsv files
in the correct location (.github/scripts/), or update all workflow references
(including the chmod command at line 81) to use the correct path consistently
with the documented location. Ensure all file paths referenced in the workflow
match actual locations in the repository.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: ad0511c4-f465-4bab-bd70-c670c06fb047

📥 Commits

Reviewing files that changed from the base of the PR and between bbcaa24 and e972d6e.

📒 Files selected for processing (1)
  • .github/workflows/wg-onboard.yml
