fix: return clear error when --private-key-file path starts with '~'

The tilde character is expanded by the shell, not by the Flux CLI, so
paths like ~/.ssh/id_ecdsa passed with =value syntax were opened
verbatim and failed with a confusing "no such file or directory" error.
Detect the leading '~' up front and surface a message pointing users at
absolute paths or $HOME instead. Fixes #5591.

Signed-off-by: Rafael Peroco <rafaelperoco@gmail.com>
Rafael Peroco 2026-04-21 16:36:34 -03:00
parent befe53a722
commit 566bbe6e00
3 changed files with 13 additions and 0 deletions


@ -364,6 +364,9 @@ func getAuthOpts(u *url.URL, caBundle []byte) (*git.AuthOptions, error) {
Password: gitArgs.password,
}
if bootstrapArgs.privateKeyFile != "" {
if strings.HasPrefix(bootstrapArgs.privateKeyFile, "~") {
return nil, fmt.Errorf("failed to open private key file: path %q starts with '~' which is not expanded; use an absolute path or $HOME", bootstrapArgs.privateKeyFile)
}
pk, err := os.ReadFile(bootstrapArgs.privateKeyFile)
if err != nil {
return nil, err
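Review bot: The new `strings.HasPrefix(bootstrapArgs.privateKeyFile, "~")` guard in getAuthOpts runs before any read is attempted, so it also rejects a key file whose name really begins with '~' (for example a relative `~deploy_key` in the working directory), which was readable before this change. Moving the hint into the existing `err != nil` branch keeps such paths working and makes the "failed to open" wording accurate: `if os.IsNotExist(err) && strings.HasPrefix(bootstrapArgs.privateKeyFile, "~") { return nil, fmt.Errorf(...) }` with the same message, falling through to `return nil, err` otherwise. The commit touches three files and only this check is visible here, so if the same guard is repeated in the `create secret git` path, a small shared helper would keep the two messages from drifting. The body of getAuthOpts continues outside the hunk.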


@ -56,6 +56,11 @@ func TestCreateGitSecret(t *testing.T) {
args: "create secret git podinfo-auth --url=https://github.com/stefanprodan/podinfo --username=aaa --password=zzzz --bearer-token=aaaa --namespace=my-namespace --export",
assert: assertError("user credentials and bearer token cannot be used together"),
},
{
name: "ssh key with tilde path",
args: "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=~/.ssh/id_ecdsa --namespace=my-namespace --export",
assert: assertError(`failed to open private key file: path "~/.ssh/id_ecdsa" starts with '~' which is not expanded; use an absolute path or $HOME`),
},
}
for _, tt := range tests {