fix: propagate errors from known_hosts setup instead of silently ignoring them

When a user provides known_hosts data in the auth secret, errors during
temp file creation, writing, or callback setup were silently swallowed,
causing silent fallback to no host key verification. Now these errors
are returned so the operator knows when known_hosts setup fails.

Author: creydr

internal/git/manager.go

@@ -160,16 +160,22 @@ func (m *managerImpl) getSSHClientOptions(ctx context.Context, authSecret map[st
 	var tempFilePath string
 	if knownHostsData, ok := authSecret["known_hosts"]; ok {
 		tmpFile, err := os.CreateTemp("", "known_hosts-*")
-		if err == nil {
-			if _, err := tmpFile.Write(knownHostsData); err == nil {
-				_ = tmpFile.Close()
-				tempFilePath = tmpFile.Name()
-				cb, err := gitssh.NewKnownHostsCallback(tempFilePath)
-				if err == nil {
-					auth.HostKeyCallback = cb
-				}
-			}
+		if err != nil {
+			return nil, "", fmt.Errorf("failed to create known_hosts temp file: %w", err)
+		}
+		if _, err := tmpFile.Write(knownHostsData); err != nil {
+			_ = tmpFile.Close()
+			_ = os.Remove(tmpFile.Name())
+			return nil, "", fmt.Errorf("failed to write known_hosts temp file: %w", err)
+		}
+		_ = tmpFile.Close()
+		tempFilePath = tmpFile.Name()
+		cb, err := gitssh.NewKnownHostsCallback(tempFilePath)
+		if err != nil {
+			_ = os.Remove(tempFilePath)
+			return nil, "", fmt.Errorf("failed to configure known_hosts callback: %w", err)
 		}
+		auth.HostKeyCallback = cb
 	} else {
 		logger.Info("SSH host key verification is disabled, provide known_hosts in auth secret to enable verification")
 		auth.HostKeyCallback = gossh.InsecureIgnoreHostKey()

internal/git/manager_test.go

@@ -2,6 +2,7 @@ package git
 
 import (
 	"context"
+	"os"
 	"testing"
 
 	"github.com/go-git/go-git/v6/plumbing/transport"
@@ -90,6 +91,25 @@ func TestGetClientOptions_SSHWithPrivateKey(t *testing.T) {
 	}
 }
 
+func TestGetClientOptions_SSHWithPrivateKeyAndKnownHosts(t *testing.T) {
+	m := &managerImpl{}
+	secret := map[string][]byte{
+		"sshPrivateKey": []byte(testEd25519PrivateKey),
+		"known_hosts":   []byte("github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl\n"),
+	}
+	opts, tmpFile, err := m.getClientOptions(context.Background(), sshScheme, secret)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(opts) != 1 {
+		t.Fatalf("expected 1 option, got %d", len(opts))
+	}
+	if tmpFile == "" {
+		t.Fatal("expected temp known_hosts file path, got empty string")
+	}
+	defer os.Remove(tmpFile)
+}
+
 func TestGetClientOptions_SSHWithInvalidKey(t *testing.T) {
 	m := &managerImpl{}
 	secret := map[string][]byte{"sshPrivateKey": []byte("not-a-valid-key")}