From 4bbc276618533d19e36719d23dfa5a57a5ea7c13 Mon Sep 17 00:00:00 2001 From: Ebtasam Faridy Date: Wed, 18 Mar 2026 14:16:45 +0530 Subject: [PATCH 1/2] fix: [CI-19914] Forward fix 1: adding fallback for FIPS solution --- posix/clone | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/posix/clone b/posix/clone index 331e989..8a18f30 100755 --- a/posix/clone +++ b/posix/clone 
@@ -58,8 +58,24 @@ if [ ! -z "${DRONE_SSH_KEY}" ]; then
 ssh-keygen -p -f ${HOME}/.ssh/id_rsa -P ${DRONE_SSH_PASSPHRASE} -N ""
 fi
- ssh-keyscan -H ${SSH_PORT_FLAG} ${SSH_KEYSCAN_TIMEOUT_FLAG} ${DRONE_NETRC_MACHINE} > ${HOME}/.ssh/known_hosts 2> /dev/null
- export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=${HOME}/.ssh/known_hosts -i ${HOME}/.ssh/id_rsa ${SSH_PORT_FLAG} -F /dev/null"
+ KEYSCAN_ERR_FILE="${HOME}/.ssh/ssh-keyscan.err"
+ : > "${KEYSCAN_ERR_FILE}"
+
+ set +e
+ ssh-keyscan -H ${SSH_PORT_FLAG} ${SSH_KEYSCAN_TIMEOUT_FLAG} ${DRONE_NETRC_MACHINE} > ${HOME}/.ssh/known_hosts 2> "${KEYSCAN_ERR_FILE}"
+ SSH_KEYSCAN_EXIT=$?
+ set -e
+
+ if [ "${SSH_KEYSCAN_EXIT}" -eq 0 ]; then
+ export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=${HOME}/.ssh/known_hosts -i ${HOME}/.ssh/id_rsa ${SSH_PORT_FLAG} -F /dev/null"
+ elif grep -Eiq "not allowed in FIPS mode|kex.*\(no match\)|kex_gen_client" "${KEYSCAN_ERR_FILE}"; then
+ echo "[SSH-DIAG] ssh-keyscan failed with FIPS/KEX negotiation restriction; using controlled SSH fallback" >&2
+ export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=accept-new -o KexAlgorithms=ecdh-sha2-nistp256,diffie-hellman-group14-sha256 -o HostKeyAlgorithms=rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256 -o PubkeyAcceptedAlgorithms=+rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256 -o UserKnownHostsFile=${HOME}/.ssh/known_hosts -i ${HOME}/.ssh/id_rsa ${SSH_PORT_FLAG} -F /dev/null"
+ else
+ echo "[SSH-DIAG] ssh-keyscan failed with non-FIPS/KEX error; exiting safely" >&2
+ head -n 20 "${KEYSCAN_ERR_FILE}" >&2 || true
+ exit "${SSH_KEYSCAN_EXIT}"
+ fi
 fi

 # AWS codecommit support using AWS access key & secret key
From c988927a10a6b8af18debb2f675e0860f194e6ca Mon Sep 17 00:00:00 2001
From: Ebtasam Faridy
Date: Tue, 24 Mar 2026 17:41:49 +0530
Subject: [PATCH 2/2] fix: [CI-19914] Forward fix final: adding strict FIPS-safe algo first
---
 posix/clone | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

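Review bot: The FIPS fallback branch sets `StrictHostKeyChecking=accept-new` while pointing `UserKnownHostsFile` at the same `known_hosts` file the failed `ssh-keyscan` has just truncated (its stdout is redirected with `>`), so the first git connection accepts whatever host key the peer presents and host authentication in that branch degrades to trust-on-first-use. The fallback should only relax checking when a host key from a trusted source is available — for example a pre-provisioned `known_hosts` entry handed in by the pipeline — and the `[SSH-DIAG]` line should state that no verified host key was available; the second patch's hunk widens this branch to every keyscan failure (timeouts, DNS errors), so the same concern applies there. The success branch also trusts the exit status alone, and on some OpenSSH releases `ssh-keyscan` can exit 0 having written no keys, so `if [ "${SSH_KEYSCAN_EXIT}" -eq 0 ] && [ -s "${HOME}/.ssh/known_hosts" ]; then` would be a safer gate. On the new `ssh-keyscan` line `${HOME}/.ssh/known_hosts` and `${DRONE_NETRC_MACHINE}` remain unquoted (carried over from the removed line) while the new `"${KEYSCAN_ERR_FILE}"` redirect is quoted; quoting both would make the line consistent. The enclosing `if [ ! -z "${DRONE_SSH_KEY}" ]` block starts before the hunk.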
diff --git a/posix/clone b/posix/clone
index 8a18f30..e94bafc 100755
--- a/posix/clone
+++ b/posix/clone
@@ -68,13 +68,9 @@ if [ ! -z "${DRONE_SSH_KEY}" ]; then
 if [ "${SSH_KEYSCAN_EXIT}" -eq 0 ]; then
 export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=${HOME}/.ssh/known_hosts -i ${HOME}/.ssh/id_rsa ${SSH_PORT_FLAG} -F /dev/null"
- elif grep -Eiq "not allowed in FIPS mode|kex.*\(no match\)|kex_gen_client" "${KEYSCAN_ERR_FILE}"; then
- echo "[SSH-DIAG] ssh-keyscan failed with FIPS/KEX negotiation restriction; using controlled SSH fallback" >&2
- export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=accept-new -o KexAlgorithms=ecdh-sha2-nistp256,diffie-hellman-group14-sha256 -o HostKeyAlgorithms=rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256 -o PubkeyAcceptedAlgorithms=+rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256 -o UserKnownHostsFile=${HOME}/.ssh/known_hosts -i ${HOME}/.ssh/id_rsa ${SSH_PORT_FLAG} -F /dev/null"
 else
- echo "[SSH-DIAG] ssh-keyscan failed with non-FIPS/KEX error; exiting safely" >&2
- head -n 20 "${KEYSCAN_ERR_FILE}" >&2 || true
- exit "${SSH_KEYSCAN_EXIT}"
+ echo "[SSH-DIAG] default ssh-keyscan setup failed; using fallback SSH command" >&2
+ export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=accept-new -o KexAlgorithms=ecdh-sha2-nistp256,diffie-hellman-group14-sha256 -o UserKnownHostsFile=${HOME}/.ssh/known_hosts -i ${HOME}/.ssh/id_rsa ${SSH_PORT_FLAG} -F /dev/null"
 fi
 fi