Support changing the fwup task via SSH

[Copilot]

• Analyze issue: Support changing the task that gets run via ssh
• Implement task selection via SSH's SendEnv option
  • Add handler for env SSH messages to capture FWUP_TASK environment variable
  • Only accept FWUP_TASK env var for security (ignore other vars)
  • Validate task name to only allow safe characters (alphanumeric, underscore, hyphen)
  • Override task option when valid FWUP_TASK is received from client
  • Update mix upload to use -o SendEnv=FWUP_TASK when task is specified
  • Update upload.sh script to export FWUP_TASK and use SendEnv
• Update README documentation for new approach
• Update tests for SendEnv approach
• Address code review feedback on security validation

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Support changing the task that gets run via ssh</issue_title>
<issue_description>This would be helpful for supporting advance tasks that aren't upgrades. Examples include pushing the ops.fw firmware to do things like validate partitions, erasing the data partition, or updating U-Boot environment variables with fwup. Another option is to run the complete task which while it isn't recommend, can be nice to try to see if you get lucky before removing MicroSD cards, etc.</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Support changing the task that gets run via ssh #124

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[fhunleth]

lol, ok, this is actually clever. I'm not sure this is what we really want, but I'll leave it around since there could be a route here worth flushing out.

[fhunleth]

@copilot This is clever, but could you change this to use ssh's SendEnv option so that a subsystem doesn't need to be registered for every option?

[Copilot]

@copilot This is clever, but could you change this to use ssh's SendEnv option so that a subsystem doesn't need to be registered for every option?

Changed the implementation to use SSH's SendEnv option instead of registering multiple subsystems. Clients can now set FWUP_TASK environment variable and send it via -o SendEnv=FWUP_TASK. The server only accepts the FWUP_TASK variable and validates task names to only allow safe characters (alphanumeric, underscore, hyphen). Implemented in commits fbfa351 and 6546aeb.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• esm.ubuntu.com
  • Triggering command: /usr/lib/apt/methods/https /usr/lib/apt/methods/https (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)