@yakkun
Last active January 4, 2025 18:56
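#!/usr/bin/env bash
#
# Replace ~/.ssh/authorized_keys with the public keys GitHub publishes for one
# account at https://github.com/<user>.keys.
#
# Usage: GITHUB_USERNAME=<user> bash <this-script>
# Env:   GITHUB_USERNAME (required) - account whose keys are deployed.
#
# Security notes:
#   * The file is overwritten, not merged. Keys added locally are dropped, and
#     any key present on the GitHub account grants login after the next run.
#   * The only authenticity check on the key list is TLS to github.com, so the
#     transfer is pinned to HTTPS, including across redirects.
set -euo pipefail

GITHUB_USERNAME="${GITHUB_USERNAME:-}"
if [[ -z "$GITHUB_USERNAME" ]]; then
  echo "Error: GITHUB_USERNAME is not set. Please provide it as an environment variable." >&2
  exit 1
fi

# The name becomes part of a URL path. Allow only characters that cannot change
# which resource is requested (no '/', '?', '#', '.', whitespace, ...).
if [[ ! "$GITHUB_USERNAME" =~ ^[A-Za-z0-9_-]+$ ]]; then
  echo "Error: GITHUB_USERNAME contains characters that are not valid in a GitHub username." >&2
  exit 1
fi

SSH_DIR="${HOME}/.ssh"
AUTHORIZED_KEYS_FILE="${SSH_DIR}/authorized_keys"

# One accepted line: a known key type, a base64 blob, an optional comment.
# Lines carrying authorized_keys options (command=, from=, ...) do not match,
# so a tampered or unexpected response cannot smuggle them in.
readonly KEY_LINE_RE='^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+={0,2}( .*)?$'

# -m applies only if the directory is created here; an existing ~/.ssh keeps
# its current mode.
mkdir -p -m 700 -- "${SSH_DIR}"

# The temp file lives next to the target so the final rename stays on one
# filesystem and is atomic.
TMP_AUTHORIZED_KEYS_FILE=$(mktemp "${AUTHORIZED_KEYS_FILE}.XXXXXX")

cleanup() {
  rm -f -- "${TMP_AUTHORIZED_KEYS_FILE}"
}

# A signal handler that only cleans up lets the script keep running with the
# temp file gone; a later redirect into authorized_keys would then truncate it.
# Exit on INT/TERM instead and let the EXIT trap do the cleanup.
trap cleanup EXIT
trap 'exit 130' INT
trap 'exit 143' TERM

if ! curl -fsSL --proto '=https' --proto-redir '=https' \
  "https://github.com/${GITHUB_USERNAME}.keys" -o "${TMP_AUTHORIZED_KEYS_FILE}"; then
  echo "Failed to fetch keys from GitHub for user: ${GITHUB_USERNAME}" >&2
  exit 1
fi

# A missing authorized_keys makes diff fail, which is treated as "differs".
if diff -q "${AUTHORIZED_KEYS_FILE}" "${TMP_AUTHORIZED_KEYS_FILE}" &>/dev/null; then
  echo "No differences found. Deployment not required."
  exit 0
fi

if [[ ! -s "${TMP_AUTHORIZED_KEYS_FILE}" ]]; then
  echo "Fetched file is empty. Aborting." >&2
  exit 1
fi

# Every line must be a bare public key: grep -v succeeds if any line is not.
# Checking for a single "ssh-" line would accept arbitrary extra lines and
# would reject accounts that only have ecdsa-* or sk-* keys.
if grep -qvE -- "${KEY_LINE_RE}" "${TMP_AUTHORIZED_KEYS_FILE}"; then
  echo "Invalid authorized_keys file format. Aborting." >&2
  exit 1
fi

# Show the change against /dev/null when there is no current file, so the
# first deployment prints a clean diff instead of an error.
current_keys_file="${AUTHORIZED_KEYS_FILE}"
if [[ ! -e "${current_keys_file}" ]]; then
  current_keys_file=/dev/null
fi

echo "Deploying new authorized_keys with the following changes:"
diff -u "${current_keys_file}" "${TMP_AUTHORIZED_KEYS_FILE}" || true

# Install by rename rather than by redirecting into the live file: sshd never
# sees a truncated or half-written key list, and the mode is fixed before the
# file becomes visible. NOTE: if authorized_keys is a symlink, the rename
# replaces the link itself rather than writing through it.
chmod 600 -- "${TMP_AUTHORIZED_KEYS_FILE}"
mv -f -- "${TMP_AUTHORIZED_KEYS_FILE}" "${AUTHORIZED_KEYS_FILE}"

echo "Deployment completed."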