From a398791a27d0fe8fcd2ed210ca557b137dd1047f Mon Sep 17 00:00:00 2001
From: Andreas Olsson
Date: Fri, 29 Mar 2024 12:57:01 +0100
Subject: [PATCH] WIP: more variables

---
 vault_oidc_ssh_cert_action.py | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/vault_oidc_ssh_cert_action.py b/vault_oidc_ssh_cert_action.py
index 946306e..6bd7d05 100644
--- a/vault_oidc_ssh_cert_action.py
+++ b/vault_oidc_ssh_cert_action.py
@@ -74,30 +74,36 @@ def generate_and_sign() -> None:
     vault_server = os.environ["VAULT_SERVER"].strip()
     vault_token = os.environ["VAULT_TOKEN"].strip()
+    key_fname = "id_github"
+    pub_fname = f"{key_fname}.pub"
+    cert_fname = f"{key_fname}-cert.pub"
     outdir = tempfile.mkdtemp(prefix="ssh-cert-")
-    out_key = os.path.join(outdir, "id_github")
-    out_cert = os.path.join(outdir, "id_github-cert.pub")
+    out_key_path = os.path.join(outdir, key_fname)
+    out_cert_path = os.path.join(outdir, cert_fname)
     with tempfile.TemporaryDirectory(prefix="ssh-keygen-") as workdir:
-        os.chdir(workdir)
+        work_key_path = os.path.join(workdir, key_fname)
+        work_pub_path = os.path.join(workdir, pub_fname)
+        work_cert_path = os.path.join(workdir, cert_fname)
         subprocess.run(
-            ["ssh-keygen", "-q", "-t", "ed25519", "-N", "''", "-f", "./id_github"],
+            ["ssh-keygen", "-q", "-t", "ed25519", "-N", "''", "-f", work_key_path],
             check=True,
         )
-        with open("./id_github.pub", mode="r", encoding="utf-8") as pubkf:
+        with open(work_pub_path, mode="r", encoding="utf-8") as pubkf:
             pubkey = pubkf.read()
         ssh_cert: str = _issue_ssh_cert(
             vault_server, vault_token, ssh_backend, ssh_role, pubkey
         )
-        with open("./id_github-cert.pub", mode="w", encoding="utf-8") as certf:
+        with open(work_cert_path, mode="w", encoding="utf-8") as certf:
             certf.write(ssh_cert)
-        os.rename("./id_github", out_key)
-        os.rename("./id_github-cert.pub", out_cert)
+        os.rename(work_key_path, out_key_path)
+        os.rename(work_cert_path, out_cert_path)
     with open(os.environ["GITHUB_OUTPUT"], mode="a", encoding="utf-8") as ghof:
-        ghof.write(f"cert_path={out_cert}\n")
-        ghof.write(f"key_path={out_key}\n")
+        ghof.write(f"cert_path={out_cert_path}\n")
+        ghof.write(f"key_path={out_key_path}\n")
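Review bot: The rewritten ssh-keygen argv still passes `"-N", "''"`, which, because subprocess.run gets a list and no shell, sets the key's passphrase to the literal two-character string `''` rather than leaving it empty; the key written to key_path will then demand a passphrase from whatever step consumes it, unless that step supplies `''`. The fix is the single argument `["ssh-keygen", "-q", "-t", "ed25519", "-N", "", "-f", work_key_path],`. Dropping os.chdir is the right move, since the old code changed the process cwd and never restored it. Separately, outdir is created with mkdtemp and never removed, so the unencrypted private key outlives the job step; a comment such as `# outdir is intentionally left in place for later steps; the workflow should clean it up` would record that this is deliberate, or a post-step should delete it. generate_and_sign starts outside the hunk.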