refactor: Migrate sshkey handlers to WithTx

[chet]

Description

Apply the WithTx pattern from #462 to the Create/Update/Delete sshkey handlers. The post-commit SyncSSHKeyGroup workflow triggers stay outside the closure (so their log-and-continue error handling doesn't roll back the tx).

Keeping these PRs smaller and tightly scoped so they're:

• In theory a little easier to read.
• More tightly scoped/less "blast radius" per PR.
• A little nicer on/for @coderabbitai. 😆

I do I wish the diffs were easier to read, but it is what it is!

Signed-off-by: Chet Nichols III chetn@nvidia.com

Type of Change

• Feature - New feature or functionality (feat:)
• Fix - Bug fixes (fix:)
• Chore - Modification or removal of existing functionality (chore:)
• Refactor - Refactoring of existing functionality (refactor:)
• Docs - Changes in documentation or OpenAPI schema (docs:)
• CI - Changes in GitHub workflows. Requires additional scrutiny (ci:)
• Version - Issuing a new release version (version:)

Services Affected

• API - API models or endpoints updated
• Workflow - Workflow service updated
• DB - DB DAOs or migrations updated
• Site Manager - Site Manager updated
• Cert Manager - Cert Manager updated
• Site Agent - Site Agent updated
• RLA - RLA service updated
• Powershelf Manager - Powershelf Manager updated
• NVSwitch Manager - NVSwitch Manager updated

Related Issues (Optional)

Breaking Changes

• This PR contains breaking changes

Testing

• Unit tests added/updated
• Integration tests added/updated
• Manual testing performed
• No testing required (docs, internal refactor, etc.)

Additional Notes

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0cb9ed5e-2055-4dff-8e26-e9d2e6fa0ef4

📥 Commits

Reviewing files that changed from the base of the PR and between 3762e78 and e013a80.

📒 Files selected for processing (1)

• api/pkg/api/handler/sshkey.go

---

Summary by CodeRabbit

• Refactor
  • Improved transaction handling and error routing for SSH key create, update, and delete operations to increase reliability.
  • Consolidated and deduplicated group status and status-detail updates to avoid redundant operations.
  • Post-operation workflows now skip groups and site associations already marked for deletion; public API surface and user-facing behavior remain unchanged.

Walkthrough

Consolidates transactional work for Create, Update, and Delete SSH key HTTP handlers by moving DB operations, advisory locks, association CRUD, group version/status and status-detail writes into cdb.WithTx closures, routing transaction errors through common.HandleTxError, and adjusting post-commit workflow triggering to skip entities in Deleting state.

Changes

SSH Key Handlers — Transactional Consolidation

Layer / File(s)	Summary
Data & Imports api/pkg/api/handler/sshkey.go	Replaced manual database/sql Begin/Rollback/Commit control flow with cdb.WithTx; declared transaction-scoped variables (dbsk, skgsas, etc.) outside closures as needed.
Create handler (transaction body) api/pkg/api/handler/sshkey.go (create region, lines ~223-301)	SSH key insert plus optional SSHKeyGroup association creation, per-group advisory lock acquisition, group version generation/update, group status set to Syncing, and status-detail creation are executed inside WithTx.
Update handler (transaction body) api/pkg/api/handler/sshkey.go (update region, lines ~470-495)	SSH key field updates and retrieval of associated SSH key associations are performed inside a WithTx closure; transactional errors are routed via common.HandleTxError.
Delete handler (transaction body) api/pkg/api/handler/sshkey.go (delete region, lines ~911-995)	Retrieves SSH key associations, acquires per-group advisory locks, deletes SSH key associations, conditionally omits groups in Deleting state from version/status updates, deletes the SSH key, and collects SSHKeyGroup IDs for resync — all within WithTx.
Deduplication & Status writes api/pkg/api/handler/sshkey.go (delete region)	Per-group updates in the delete flow are deduplicated with a seenGroups map so version bumps, status set, and status-detail writes occur once per unique SSHKeyGroup.
Post-transaction workflow gating api/pkg/api/handler/sshkey.go (post-commit loop, lines ~999-1001)	After commit, workflow/sync triggers iterate collected groups/sites but now skip SSHKeyGroups with Deleting status and site associations whose status is Deleting.
Error handling api/pkg/api/handler/sshkey.go	All transactional failures from WithTx are handled consistently via common.HandleTxError, replacing prior manual rollback/commit handling.

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main refactoring effort: migrating SSH key handlers to the WithTx transaction pattern.
Description check	✅ Passed	The description is well-structured and directly related to the changeset, explaining the WithTx pattern application and rationale for keeping workflow triggers outside the transaction closure.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔐 TruffleHog Secret Scan

✅ No secrets or credentials found!

Your code has been scanned for 700+ types of secrets and credentials. All clear! 🎉

🔗 View scan details

_{🕐 Last updated: 2026-05-02 06:11:13 UTC | Commit: fe28e16}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@api/pkg/api/handler/sshkey.go`:
- Around line 954-974: The loop over skgsasToSync currently performs identical
SSHKeyGroup-level updates and status-detail creations once per site-association,
causing duplicate writes; instead, first deduplicate skgsasToSync by
SSHKeyGroupID (e.g., build a set/map of unique skg IDs from skgsasToSync), then
for each unique SSHKeyGroupID call skgDAO.Update(...) to set Status to Syncing
and call sdDAO.CreateFromParams(...) once per group; after those group-level
writes, iterate the original skgsasToSync for per-site workflow/dispatch work
only, leaving skgDAO.Update and sdDAO.CreateFromParams out of that per-site
loop.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f698d291-504e-446c-8d40-cb2cea9c9920

📥 Commits

Reviewing files that changed from the base of the PR and between bce7503 and fe28e16.

📒 Files selected for processing (1)

• api/pkg/api/handler/sshkey.go

[github-actions]

🔍 Container Scan Summary

Service	Total	Critical	High	Medium	Low	Other
nico-nsm	64	2	20	33	9	0
nico-psm	56	4	29	13	2	8
nico-rest-api	57	4	30	13	2	8
nico-rest-cert-manager	54	4	28	13	1	8
nico-rest-db	55	4	28	13	2	8
nico-rest-site-agent	54	4	28	13	1	8
nico-rest-site-manager	54	4	28	13	1	8
nico-rest-workflow	56	4	29	13	2	8
nico-rla	55	4	28	13	2	8
TOTAL	505	34	248	137	22	64

Per-CVE detail lives in the per-service grype-* artifacts (JSON + SARIF). Severity counts only — no CVE IDs published here.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@api/pkg/api/handler/sshkey.go`:
- Around line 278-281: The Create handler incorrectly returns an API error
message saying "Failed to delete SSH Key Groups"; change the error text to
reflect the actual operation (e.g., "Failed to update SSH Key Groups") so the
cutil.NewAPIError(...) call and any adjacent log messages
(logger.Error().Err(derr).Msg(...)) consistently describe the update/create
action for SSH Key Groups in sshkey.go.
- Around line 972-975: The API returns a misleading message "Failed to delete
SSH Key Groups" after a DB update error; update the error text passed to
cutil.NewAPIError to accurately describe the operation (e.g., "Failed to update
SSH Key Group status" or "Failed to set SSH Key Group to Syncing") and ensure
other related messages (the logger.Error() call with "error updating SSH Key
Group in DB") remain consistent; locate the failing block using
logger.Error().Err(derr).Msg(...) and cutil.NewAPIError(...) in sshkey.go and
replace the deletion message with the accurate update/syncing message.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3cef4c67-ddab-4254-ac60-398c8a15e0d9

📥 Commits

Reviewing files that changed from the base of the PR and between fe28e16 and 9b92d86.

📒 Files selected for processing (1)

• api/pkg/api/handler/sshkey.go

[thossain-nv]

Thanks @chet, left one suggestion.

[thossain-nv]

We tend to separate obtaining error and the conditional into 2 statements. In this case the condition is simple, but the cognitive complexity increase when multiple variables are involved in condition evaluation. So we just always separate them as a general pattern.

[chet]

@thossain-nv yeah understood! fixed