fix: keep SSH known_hosts temp file alive until repository cleanup

The known_hosts temp file was deleted via defer in getSSHClientOptions,
which runs before the SSH connection is established in CloneRepository.
This caused host key verification to fail silently when known_hosts data
was provided.

Move temp file lifecycle management to Repository, which cleans up all
temp files in its Cleanup method alongside the cloned directory.

Author: creydr

internal/git/manager.go

@@ -54,12 +54,14 @@ func (m *managerImpl) CloneRepository(ctx context.Context, repoUrl, subPath, ref
 		return nil, fmt.Errorf("failed to create temporary directory: %w", err)
 	}
 
+	clientOpts, tempFile := m.getClientOptions(parsedURL.Scheme, auth)
+
 	repo, err := git.PlainCloneContext(ctx, targetDir, &git.CloneOptions{
 		URL:           repoUrl,
 		ReferenceName: plumbing.ReferenceName(reference),
 		SingleBranch:  true,
 		Depth:         1,
-		ClientOptions: m.getClientOptions(parsedURL.Scheme, auth),
+		ClientOptions: clientOpts,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to clone repo: %w", err)
@@ -70,19 +72,22 @@ func (m *managerImpl) CloneRepository(ctx context.Context, repoUrl, subPath, ref
 		return nil, fmt.Errorf("failed to find head: %w", err)
 	}
 
-	return &Repository{
+	result := &Repository{
 		CloneDir: targetDir,
 		SubPath:  subPath,
 		Commit:   head.Hash().String(),
 		Branch:   reference,
-	}, nil
+	}
+	result.AddTempFile(tempFile)
+
+	return result, nil
 }
 
-func (m *managerImpl) getClientOptions(scheme string, authSecret map[string][]byte) []client.Option {
+func (m *managerImpl) getClientOptions(scheme string, authSecret map[string][]byte) ([]client.Option, string) {
 	if scheme == "ssh" {
 		return m.getSSHClientOptions(authSecret)
 	}
-	return m.getHTTPClientOptions(authSecret)
+	return m.getHTTPClientOptions(authSecret), ""
 }
 
 func (m *managerImpl) getHTTPClientOptions(authSecret map[string][]byte) []client.Option {
@@ -125,37 +130,38 @@ func ensureKnownHostsExists() error {
 	return nil
 }
 
-func (m *managerImpl) getSSHClientOptions(authSecret map[string][]byte) []client.Option {
+func (m *managerImpl) getSSHClientOptions(authSecret map[string][]byte) ([]client.Option, string) {
 	privateKey, hasKey := authSecret["sshPrivateKey"]
 	if !hasKey {
 		return []client.Option{
 			client.WithSSHAuth(&gitssh.Password{
 				User:                  "git",
 				HostKeyCallbackHelper: gitssh.HostKeyCallbackHelper{HostKeyCallback: gossh.InsecureIgnoreHostKey()},
 			}),
-		}
+		}, ""
 	}
 
 	password := string(authSecret["sshPrivateKeyPassword"])
 	auth, err := gitssh.NewPublicKeys("git", privateKey, password)
 	if err != nil {
-		return nil
+		return nil, ""
 	}
 	auth.HostKeyCallback = gossh.InsecureIgnoreHostKey()
 
+	var tempFilePath string
 	if knownHostsData, ok := authSecret["known_hosts"]; ok {
 		tmpFile, err := os.CreateTemp("", "known_hosts-*")
 		if err == nil {
-			defer os.Remove(tmpFile.Name())
 			if _, err := tmpFile.Write(knownHostsData); err == nil {
 				_ = tmpFile.Close()
-				cb, err := gitssh.NewKnownHostsCallback(tmpFile.Name())
+				tempFilePath = tmpFile.Name()
+				cb, err := gitssh.NewKnownHostsCallback(tempFilePath)
 				if err == nil {
 					auth.HostKeyCallback = cb
 				}
 			}
 		}
 	}
 
-	return []client.Option{client.WithSSHAuth(auth)}
+	return []client.Option{client.WithSSHAuth(auth)}, tempFilePath
 }

internal/git/manager_test.go

@@ -20,40 +20,43 @@ JtdGRlLmNzYgECAw==
 func TestGetClientOptions_HTTPToken(t *testing.T) {
 	m := &managerImpl{}
 	secret := map[string][]byte{"token": []byte("my-token")}
-	opts := m.getClientOptions("https", secret)
+	opts, tmpFile := m.getClientOptions("https", secret)
 	if len(opts) != 1 {
 		t.Fatalf("expected 1 option, got %d", len(opts))
 	}
+	if tmpFile != "" {
+		t.Fatalf("expected no temp file, got %s", tmpFile)
+	}
 }
 
 func TestGetClientOptions_HTTPUsernamePassword(t *testing.T) {
 	m := &managerImpl{}
 	secret := map[string][]byte{"username": []byte("user"), "password": []byte("pass")}
-	opts := m.getClientOptions("http", secret)
+	opts, _ := m.getClientOptions("http", secret)
 	if len(opts) != 1 {
 		t.Fatalf("expected 1 option, got %d", len(opts))
 	}
 }
 
 func TestGetClientOptions_HTTPEmpty(t *testing.T) {
 	m := &managerImpl{}
-	opts := m.getClientOptions("https", nil)
+	opts, _ := m.getClientOptions("https", nil)
 	if opts != nil {
 		t.Fatalf("expected nil options, got %v", opts)
 	}
 }
 
 func TestGetClientOptions_SSHNoSecret(t *testing.T) {
 	m := &managerImpl{}
-	opts := m.getClientOptions(sshScheme, nil)
+	opts, _ := m.getClientOptions(sshScheme, nil)
 	if len(opts) != 1 {
 		t.Fatalf("expected 1 option for insecure SSH, got %d", len(opts))
 	}
 }
 
 func TestGetClientOptions_SSHEmptySecret(t *testing.T) {
 	m := &managerImpl{}
-	opts := m.getClientOptions(sshScheme, map[string][]byte{})
+	opts, _ := m.getClientOptions(sshScheme, map[string][]byte{})
 	if len(opts) != 1 {
 		t.Fatalf("expected 1 option for insecure SSH, got %d", len(opts))
 	}
@@ -62,7 +65,7 @@ func TestGetClientOptions_SSHEmptySecret(t *testing.T) {
 func TestGetClientOptions_SSHWithPrivateKey(t *testing.T) {
 	m := &managerImpl{}
 	secret := map[string][]byte{"sshPrivateKey": []byte(testEd25519PrivateKey)}
-	opts := m.getClientOptions(sshScheme, secret)
+	opts, _ := m.getClientOptions(sshScheme, secret)
 	if len(opts) != 1 {
 		t.Fatalf("expected 1 option, got %d", len(opts))
 	}
@@ -71,7 +74,7 @@ func TestGetClientOptions_SSHWithPrivateKey(t *testing.T) {
 func TestGetClientOptions_SSHWithInvalidKey(t *testing.T) {
 	m := &managerImpl{}
 	secret := map[string][]byte{"sshPrivateKey": []byte("not-a-valid-key")}
-	opts := m.getClientOptions(sshScheme, secret)
+	opts, _ := m.getClientOptions(sshScheme, secret)
 	if opts != nil {
 		t.Fatalf("expected nil options for invalid key, got %v", opts)
 	}

internal/git/repository.go

@@ -6,16 +6,26 @@ import (
 )
 
 type Repository struct {
-	CloneDir string
-	SubPath  string
-	Commit   string
-	Branch   string
+	CloneDir  string
+	SubPath   string
+	Commit    string
+	Branch    string
+	tempFiles []string
+}
+
+func (r *Repository) AddTempFile(path string) {
+	if path != "" {
+		r.tempFiles = append(r.tempFiles, path)
+	}
 }
 
 func (r *Repository) Path() string {
 	return path.Join(r.CloneDir, r.SubPath)
 }
 
 func (r *Repository) Cleanup() error {
+	for _, f := range r.tempFiles {
+		os.Remove(f)
+	}
 	return os.RemoveAll(r.CloneDir)
 }