Compare commits

...

48 commits

Author SHA1 Message Date
e296b8a627
support forgejo actions
Some checks failed
/ deployment_keys_demo (macOS-latest) (push) Has been cancelled
/ deployment_keys_demo (ubuntu-latest) (push) Has been cancelled
/ deployment_keys_demo (windows-latest) (push) Has been cancelled
/ docker_demo (push) Has been cancelled
2024-10-20 10:09:00 -04:00
Matthias Pigulla
dc588b651f
Update version numbers in the README examples 2024-02-06 10:28:20 +01:00
Kevin Glavin
204eb35a4e
Bump to node20 (#201)
Fix for deprecated node16

Node.js 16 actions are deprecated. Please update the following actions
to use Node.js 20: webfactory/ssh-agent@v0.8.0. For more information
see:
https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/
2024-02-06 10:26:21 +01:00
Felix Seifert
9f6f312a31
chore: update all versions of actions/checkout to v4 (#199)
In this PR, I update the `actions/checkout` versions. When I recently
started using this action, I was confused about whether it works with
the newest checkout action. I tested it and everything is fine. For
future users, we should display examples with the newest versions.
2024-02-06 09:38:02 +01:00
Benjamin Ragheb
2e59dd7d06
Remove outdated claim from README (#206)
Since #171 was merged, this action no longer touches `known_hosts`; this
line should have been removed from the README at that time.
2024-02-05 07:37:14 +01:00
wolf++
fd34b8dee2
Update README.md to reflect latest version (#196) 2023-11-02 17:03:13 +01:00
Matthias Pigulla
d4b9b8ff72
Stop adding GitHub SSH keys (#171)
We need to fix the SSH keys shipped with this action:
https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/

But, we have another issue
(https://github.com/webfactory/ssh-agent/pull/108) with regards to host
keys: On self-hosted runners which are not ephemeral the known_host file
fills up with repeated entries, because every action run adds a new line
with the same host keys.

Also, on those machines, the old key will still be in the `known_hosts`
file.

IMHO this action should not be repsonsible for shipping SSH host keys,
that's too much responsibility.

This section in the code is a leftover from early days when GitHub
provided runners did not include SSH keys at all. For a long time
already, GH takes care of placing their SSH keys in their runner images.

For self-hosted runners, those people setting up the runner should fetch
and verify SSH keys themselves and put it into the `known_hosts` file.

I know this is a breaking change and is going to annoy users. But on the
other hand, there is no better opportunity to drop this feature than
with an emergency-style key revocation as today.

Closes #106, closes #129, closes #169, closes #170, closes #172.
2023-03-24 12:15:25 +01:00
Dilum Aluthge
ea17a056b9
Add missing semicolons (#159)
Follow-up to #154
2023-01-28 08:20:24 +01:00
j-riebe
9fbc246995
Clarify usage for Docker build processes, especially with deployment keys (#145)
The current docs mention only `docker/build-push-action` in conjunction
with deploy keys.

This might mislead users to believe, that this only applies to said
Action. But the concept applies to all workflows that somehow use
`docker build` with deploy keys.

This PR clarifies the relevant section.

Co-authored-by: Matthias Pigulla <mp@webfactory.de>
2023-01-27 18:32:35 +01:00
Dilum Aluthge
6f828ccb51
Allow the user to override the commands for git, ssh-agent, and ssh-add (#154)
On my self-hosted Windows runners, the `git`, `ssh-agent`, and `ssh-add`
commands are not located in the locations that are currently hard-coded
in `paths.js`.

With this PR, I am able to get this action to work on my runners as
follows:

```yaml
- uses: webfactory/ssh-agent@...
  with:
    ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
    git-cmd: git
    ssh-agent-cmd: ssh-agent
    ssh-add-cmd: ssh-add
```
2023-01-27 18:09:18 +01:00
kjarkur
209e2d72ff
Fix a typo in the README.md (#146) 2022-11-25 19:45:57 +01:00
kjarkur
18ff7066d3
Update README.md (#147)
Update `actions/checkout` to `@v3` and make it syntactically correct in order to allow copy and paste.

Co-authored-by: Matthias Pigulla <mp@webfactory.de>
2022-11-25 19:44:41 +01:00
Patrick Higgins
2996779c08
Replace 0.6.0 references with 0.7.0 in README.md (#153) 2022-11-25 19:40:39 +01:00
Matthias Pigulla
4512be8010
Update to actions/checkout@v3 (#143) 2022-10-25 17:23:31 +02:00
Matthias Pigulla
836c84ec59
Prepare a v0.7.0 release 2022-10-19 13:52:25 +00:00
Matthias Pigulla
8a9e20a586
Fix path to git binary on Windows runners (#140)
This PR fixes an apparently wrong path to the `git` binary that was added in #136. 

According to https://github.com/actions/checkout/discussions/928#discussioncomment-3861581, the path should not contain the `usr/` part, although for `ssh-add` and `ssh-agent`, it has to.
2022-10-19 14:55:54 +02:00
Matthias Pigulla
0a7dc1c09f
Avoid nonsensical log message (#139)
This change avoids the

`Comment for (public) key '' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`

log message that was caused by inappropriate parsing of `ssh-add -L` output and confused a lot of users already.
2022-10-19 14:54:52 +02:00
j-riebe
b19b28d091
Explain how to use docker/build-push-action with deployment-key configs (#133)
This PR adds a recipe for using `docker/build-push-action` with multiple Deploy Keys (#78) to the docs.
2022-10-19 13:32:32 +02:00
Matthias Pigulla
2c78a1c5d1
Update the CHANGELOG 2022-10-19 11:28:57 +00:00
Oktawian Chojnacki
df2f741a87
Provide gitPath for Windows to avoid failures on windows-2022 (GitHub-hosted runner) (#137)
### Problem:
Observed error on `windows-2022` ([GitHub-hosted runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources)) that `git` command cannot be found.

### Issue: 

Cannot find git executable on on windows-2022 (GitHub-hosted runner) #136 

### Solution:
This path improvement makes use of existing `path.js` to resolve and return correct `git.exe` path for Windows, leaving the executable name as it was for other operating systems.

### Caveats:
No idea how and why this `c://progra~1//git//usr//bin//git.exe` mumbo-jumbo works but it apparently did for other executables so figured it should work for `git.exe` (and it does).
2022-10-19 13:27:50 +02:00
Camilo Celis Guzman
fbef2c7bd0
Add an action input/flag to disable logging of public key information (#122)
This commit adds the new `log-public-key` action input.

Closes #122 (contains the suggested changes plus a few tweaks and documentation), fixes #100.

Co-authored-by: Matthias Pigulla <mp@webfactory.de>
2022-10-19 10:42:05 +00:00
Matthias Pigulla
28cb4d8505
Prepare a 0.6.0 release 2022-10-19 08:17:39 +00:00
Chung Tran
ea4c593dc9
Update node from node12 to node16 (#132)
This addresses the deprecation of Node 12 in GHA (https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/).
2022-10-19 10:16:47 +02:00
Dan Walkes
26e485b72d
Fix link to an issue in the README file (#120) 2022-09-01 09:03:13 +02:00
dependabot[bot]
5a6c248f3f
Bump @actions/core from 1.2.6 to 1.9.1 (#125)
* Bump @actions/core from 1.2.6 to 1.9.1

Bumps [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) from 1.2.6 to 1.9.1.
- [Release notes](https://github.com/actions/toolkit/releases)
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

---
updated-dependencies:
- dependency-name: "@actions/core"
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump the copyright year

* yarn.lock syntax updates

* Rebuild dist/

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Matthias Pigulla <mp@webfactory.de>
2022-09-01 09:02:13 +02:00
Sebastian Kugler
53715f806b
Merge pull request #109 from koshieguchi/fix_a_typo_in_README
Fix a typo in README.md
2022-02-10 08:50:57 +01:00
Koshi Eguchi
19a5c6646f Fix a typo in README.md 2022-02-10 15:26:18 +09:00
Matthias Pigulla
fc49353b67
Bump example version numbers in the README file 2021-11-20 11:43:25 +00:00
Matthias Pigulla
bc6614de94
Update recent changes in the CHANGELOG file 2021-11-20 11:43:02 +00:00
J.R. Mash
dc622c59e4
Update to Reflect Supported GitHub Host Keys (#102)
Closes #101 as well.

Co-authored-by: Matthias Pigulla <mp@webfactory.de>
2021-11-20 12:21:38 +01:00
John Hamelink
97348a2ec6
Document on how to integrate with docker/build-push-action (#90)
This change adds some extra clarification to the documentation to show how to setup the `docker/build-push-action` step with this action. This is very helpful when using buildkit's `RUN --mount=type=ssh`. We found this to be a little confusing and the GH issues we found on the matter didn't help!

Co-authored-by: Matthias Pigulla <mp@webfactory.de>
2021-11-18 12:27:08 +01:00
Ror
bbd5513ed5
Better explain in the README how to set up keys in repositories (#96) 2021-11-18 11:58:33 +01:00
Matthias Pigulla
a652a400f2
Merge pull request #95 from mjhipp/mh_public_key_comment 2021-09-01 21:28:09 +02:00
Michael Hipp
1711bb1971 Update GitHub deploy key log comment to specify public key 2021-09-01 11:40:04 -07:00
Matthias Pigulla
5f066a372e
Prepare a 0.5.3 release 2021-06-11 15:18:45 +02:00
Maciej Pasternacki
a45226bfaf
Use execFileSync to clean up (#80)
execSync just started a second ssh-agent. `['-k']` argument was
treated as options, it didn't have `stdio` set, so stdio was piped and
returned (and ignored).
2021-06-11 15:17:22 +02:00
Matthias Pigulla
81d965f2bd
Tix a fypo 2021-06-03 23:33:40 +02:00
Matthias Pigulla
515d164e78
Run cleanup (post) step also on failure (#79)
According to https://github.com/actions/runner/issues/987, this should run the post step (cleanup.js) also when a workflow fails.

Probably most important on self-hosted runners that are not ephemeral, to terminate SSH agents from failed jobs as well.
2021-06-02 22:15:05 +02:00
Matthias Pigulla
8569bedfe0 Mention "-scmProvider system" for XCode builds/Swift Package Manager
Co-authored-by: rr-james-hickman <james.hickman@rakuten.com>
2021-05-27 20:11:56 +00:00
Matthias Pigulla
98f76b1158 Give an example of how to add a key comment
Co-authored-by: rr-james-hickman <james.hickman@rakuten.com>
2021-05-27 20:05:28 +00:00
Matthias Pigulla
cb8b21017a
Update version numbers in README for the next bugfix release 2021-04-07 12:30:27 +02:00
Matthias Pigulla
aed5400f20 Log when a key is _not_ used as a deploy key
Resolves #69.

Co-authored-by: Sean Killeen <SeanKilleen@gmail.com>
2021-03-17 18:50:49 +00:00
Matthias Pigulla
4681241867 Use case-insensitive regex matching when scanning key comments
Resolves #68, closes #70, closes #71.

Co-authored-by: Sean Killeen <SeanKilleen@gmail.com>
2021-03-17 18:27:52 +00:00
Matthias Pigulla
4b6f4eb000
Windows virtual environment: Use SSH binaries from the Git suite (#63)
* Use SSH binaries from the Git suite

* Try to kill the ssh-agent upon action termination on Windows as well
2021-03-10 08:19:17 +01:00
Matthias Pigulla
795485730f
Prepare 0.5.1 release 2021-03-10 08:17:18 +01:00
Matthias Pigulla
598c7ea894 Handle ENOENT exceptions with a graceful message 2021-03-05 20:17:14 +00:00
Shashank Patidar
65d1ea3d90 Mention that container-based workflows need to have ssh packages installed
Co-authored-by: Shashank Patidar <74622220+shashank11p@users.noreply.github.com>
2021-03-05 20:11:48 +00:00
Cecile Tonglet
5f95203cea
Add note about using cargo with private dependencies (#64)
* Add note about using cargo with private dependencies

* Update doc to mention Windows only

* Add alternative workaround

* Create extra main section for tips and information regarding different languages/tools

Co-authored-by: Matthias Pigulla <mp@webfactory.de>
2021-03-04 12:49:35 +01:00
11 changed files with 55061 additions and 602 deletions

View file

@ -1,50 +1,14 @@
on: [push, pull_request]
on: [ push, pull_request ]
jobs:
single_key_demo:
strategy:
matrix:
os: [ubuntu-latest, macOS-latest, windows-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v2
- name: Setup key
uses: ./
with:
ssh-private-key: |
${{ secrets.DEMO_KEY }}
${{ secrets.DEMO_KEY_2 }}
multiple_keys_demo:
strategy:
matrix:
os: [ubuntu-latest, macOS-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v2
- name: Setup key
uses: ./
with:
ssh-private-key: ${{ secrets.DEMO_KEY }}
docker_demo:
runs-on: ubuntu-latest
container:
image: ubuntu:latest
steps:
- uses: actions/checkout@v2
- run: apt update && apt install -y openssh-client
- name: Setup key
uses: ./
with:
ssh-private-key: |
${{ secrets.DEMO_KEY }}
${{ secrets.DEMO_KEY_2 }}
deployment_keys_demo:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
os: [ ubuntu-latest, macOS-latest, windows-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4
- name: Setup key
uses: ./
with:
@ -58,3 +22,25 @@ jobs:
git clone https://github.com/mpdude/test-2.git test-2-http
git clone git@github.com:mpdude/test-2.git test-2-git
git clone ssh://git@github.com/mpdude/test-2.git test-2-git-ssh
docker_demo:
runs-on: ubuntu-latest
container:
image: ubuntu:latest
steps:
- uses: actions/checkout@v4
- run: apt update && apt install -y openssh-client git
- name: Setup key
uses: ./
with:
ssh-private-key: |
${{ secrets.MPDUDE_TEST_1_DEPLOY_KEY }}
${{ secrets.MPDUDE_TEST_2_DEPLOY_KEY }}
- run: |
git clone https://github.com/mpdude/test-1.git test-1-http
git clone git@github.com:mpdude/test-1.git test-1-git
git clone ssh://git@github.com/mpdude/test-1.git test-1-git-ssh
git clone https://github.com/mpdude/test-2.git test-2-http
git clone git@github.com:mpdude/test-2.git test-2-git
git clone ssh://git@github.com/mpdude/test-2.git test-2-git-ssh

View file

@ -7,6 +7,82 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
## v0.7.0 [2022-10-19]
### Added
* Add the `log-public-key` input that can be used to turn off logging key identities (#122)
### Fixed
* Fix path to `git` binary on Windows, assuming GitHub-hosted runners (#136, #137)
* Fix a nonsensical log message (#139)
## v0.6.0 [2022-10-19]
### Changed
* Update the version of Node used by the action from 12 to 16 (https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/).
## v0.5.4 [2021-11-21]
### Fixed
* Update changed GitHub Host Keys (#102, #101)
### Changed
* Various documentation (README) improvements and additions
* Change logging to more precisely state that _public_ keys are being printed
## v0.5.3 [2021-06-11]
### Fixed
* Fixed cleanup phase to really terminate the ssh-agent (#80)
* Fix termination of ssh-agent also on workflow failure (#79)
### Changed
* Various documentation (README) improvements and additions
## v0.5.2 [2021-04-07]
### Fixed
* Use case-insensitive regex matching when scanning key comments (#68, #70, #71)
### Changed
* Log when a key is _not_ used as a deploy key (#69)
## v0.5.1 [2021-03-10]
### Fixed
* Fix deployment key mapping on Windows virtual environment by using SSH binaries from the Git
suite, terminate ssh-agent upon actio termination on Windows as well (#63)
* Handle ENOENT exceptions with a graceful message
### Changed
* Various documentation (README) improvements and additions
## v0.5.0 [2021-02-19]
### Added
* Add support for GitHub Deployment Keys through key comments (#59). Fixes #30, closes #38.
* Support for container-based workflows and Windows (#17)
### Fixed
* Fix scripts/build.js to work on Windows (#38)
### Changed
* Various documentation (README) improvements and additions
## v0.4.1 [2020-10-07]
### Fixed

144
README.md
View file

@ -2,9 +2,8 @@
This action
* starts the `ssh-agent`,
* exports the `SSH_AUTH_SOCK` environment variable,
* loads one or several private SSH key into the agent and
* configures `known_hosts` for GitHub.com.
* exports the `SSH_AUTH_SOCK` environment variable, and
* loads one or several private SSH key into the agent.
It should work in all GitHub Actions virtual environments, including container-based workflows.
@ -20,11 +19,14 @@ GitHub Actions only have access to the repository they run for. So, in order to
## Usage
1. Create an SSH key with sufficient access privileges. For security reasons, don't use your personal SSH key but set up a dedicated one for use in GitHub Actions. See below for a few hints if you are unsure about this step.
1. Generate a new SSH key with sufficient access privileges. For security reasons, don't use your personal SSH key but set up a dedicated one for use in GitHub Actions. See below for a few hints if you are unsure about this step.
2. Make sure you don't have a passphrase set on the private key.
3. In your repository, go to the *Settings > Secrets* menu and create a new secret. In this example, we'll call it `SSH_PRIVATE_KEY`. Put the contents of the *private* SSH key file into the contents field. <br>
This key should start with `-----BEGIN ... PRIVATE KEY-----`, consist of many lines and ends with `-----END ... PRIVATE KEY-----`.
4. In your workflow definition file, add the following step. Preferably this would be rather on top, near the `actions/checkout@v2` line.
3. Add the public SSH key to the private repository you are pulling from during the Github Action as a 'Deploy Key'.
4. Add the private SSH key to the repository triggering the Github Action:
* In your repository, go to the *Settings > Secrets* menu and create a new secret. In this example, we'll call it `SSH_PRIVATE_KEY`.
* Put the contents of the *private* SSH key file into the contents field. <br>
* This key should start with `-----BEGIN ... PRIVATE KEY-----`, consist of many lines and ends with `-----END ... PRIVATE KEY-----`.
5. In your workflow definition file, add the following step. Preferably this would be rather on top, near the `actions/checkout@v4` line.
```yaml
# .github/workflows/my-workflow.yml
@ -32,13 +34,12 @@ jobs:
my_job:
...
steps:
- actions/checkout@v2
# Make sure the @v0.5.0 matches the current version of the
# action
- uses: webfactory/ssh-agent@v0.5.0
- uses: actions/checkout@v4
# Make sure the @v0.9.0 matches the current version of the action
- uses: webfactory/ssh-agent@v0.9.0
with:
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
- ... other steps
# ... other steps
```
5. If, for some reason, you need to change the location of the SSH agent socket, you can use the `ssh-auth-sock` input to provide a path.
@ -49,8 +50,8 @@ There are cases where you might need to use multiple keys. For example, "[deploy
You can set up different keys as different secrets and pass them all to the action like so:
```yaml
# ... contens as before
- uses: webfactory/ssh-agent@v0.5.0
# ... contents as before
- uses: webfactory/ssh-agent@v0.9.0
with:
ssh-private-key: |
${{ secrets.FIRST_KEY }}
@ -68,12 +69,24 @@ When using **Github deploy keys**, GitHub servers will accept the _first_ known
To support picking the right key in this use case, this action scans _key comments_ and will set up extra Git and SSH configuration to make things work.
1. When creating the deploy key for a repository like `git@github.com:owner/repo.git` or `https://github.com/owner/repo`, put that URL into the key comment.
1. When creating the deploy key for a repository like `git@github.com:owner/repo.git` or `https://github.com/owner/repo`, put that URL into the key comment. (Hint: Try `ssh-keygen ... -C "git@github.com:owner/repo.git"`.)
2. After keys have been added to the agent, this action will scan the key comments.
3. For key comments containing such URLs, a Git config setting is written that uses [`url.<base>.insteadof`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-urlltbasegtinsteadOf). It will redirect `git` requests to URLs starting with either `https://github.com/owner/repo` or `git@github.com:owner/repo` to a fake hostname/URL like `git@...some.hash...:owner/repo`.
4. An SSH configuration section is generated that applies to the fake hostname. It will map the SSH connection back to `github.com`, while at the same time pointing SSH to a file containing the appropriate key's public part. That will make SSH use the right key when connecting to GitHub.com.
## Action Inputs
The following inputs can be used to control the action's behavior:
* `ssh-private-key`: Required. Use this to provide the key(s) to load as GitHub Actions secrets.
* `ssh-auth-sock`: Can be used to control where the SSH agent socket will be placed. Ultimately affects the `$SSH_AUTH_SOCK` environment variable.
* `log-public-key`: Set this to `false` if you want to suppress logging of _public_ key information. To simplify debugging and since it contains public key information only, this is turned on by default.
* `ssh-agent-cmd`: Optional. Use this to specify a custom location for the `ssh-agent` binary.
* `ssh-add-cmd`: Optional. Use this to specify a custom location for the `ssh-add` binary.
* `git-cmd`: Optional. Use this to specify a custom location for the `git` binary.
## Exported variables
The action exports the `SSH_AUTH_SOCK` and `SSH_AGENT_PID` environment variables through the Github Actions core module.
The `$SSH_AUTH_SOCK` is used by several applications like git or rsync to connect to the SSH authentication agent.
The `$SSH_AGENT_PID` contains the process id of the agent. This is used to kill the agent in post job action.
@ -90,6 +103,101 @@ If the private key is not in the `PEM` format, you will see an `Error loading ke
Use `ssh-keygen -p -f path/to/your/key -m pem` to convert your key file to `PEM`, but be sure to make a backup of the file first 😉.
## Additional Information for Particular Tools or Platforms
If you know that your favorite tool or platform of choice requires extra tweaks or has some caveats when running with SSH, feel free to open a PR to amend this section here.
### Container-based Workflows
If you are using this action on container-based workflows, make sure the container has the necessary SSH binaries or package(s) installed.
### Building Docker Images and/or Using the `docker/build-push-action` Action
When you are building Docker images with `docker build` or `docker compose build` and need to provide the SSH keys to the build, don't forget to pass `--ssh default=${{ env.SSH_AUTH_SOCK }}` on the command line to pass the SSH agent socket through. See the [Docker documentation](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) for more information on this option.
If you are using the `docker/build-push-action`, you can do so by adding the following config.
```yml
- name: Build and push
id: docker_build
uses: docker/build-push-action@v2
with:
ssh: |
default=${{ env.SSH_AUTH_SOCK }}
```
Make sure not to miss the next section, though.
### Using Multiple Deploy Keys Inside Docker Builds
When you pass the SSH agent socket to the Docker build environment _and_ want to use multiple GitHub deploy keys, you need to copy the Git and SSH configuration files to the build environment as well. This is necessary _in addition to_ forwarding the SSH agent socket into the build process. The config files are required so that Git can pick the right one from your deployment keys.
This requires an additional step in the workflow file **after** the `ssh-agent` step and **before** the Docker build step. You also need two additional lines in the `Dockerfile` to actually copy the configs.
The following example will:
* collect the necessary Git and SSH configuration files in a directory that must be part of the Docker build context so that...
* ... the files can be copied into the Docker image (or an intermediate build stage).
Workflow:
```yml
- name: ssh-agent setup
...
- name: Collect Git and SSH config files in a directory that is part of the Docker build context
run: |
mkdir root-config
cp -r ~/.gitconfig ~/.ssh root-config/
- name: Docker build
# build-push-action | docker [compose] build | etc.
...
```
Dockerfile:
```Dockerfile
# Copy the two files in place and fix different path/locations inside the Docker image
COPY root-config /root/
RUN sed 's|/home/runner|/root|g' -i.bak /root/.ssh/config
```
Keep in mind that the resulting Docker image now might contain these customized Git and SSH configuration files! Your private SSH keys are never written to files anywhere, just loaded into the SSH agent and forwarded into the container. The config files might, however, give away details about your build or development process and contain the names and URLs of your (private) repositories. You might want to use a multi-staged build to make sure these files do not end up in the final image.
If you still get the error message: `fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.`, you most likely forgot one of the steps above.
### Cargo's (Rust) Private Dependencies on Windows
If you are using private repositories in your dependencies like this:
```
stuff = { git = "ssh://git@github.com/myorg/stuff.git", branch = "main" }
```
... you will need to change a configuration in the workflow for Windows machines in order to make cargo able to clone private repositories.
There are 2 ways you can achieve this:
1. Add this step once in your job **before** any cargo command:
```
- name: Update cargo config to use Git CLI
run: Set-Content -Path $env:USERPROFILE\.cargo\config.toml "[net]`ngit-fetch-with-cli = true"
```
This will configure Cargo to use the Git CLI as explained in the [Cargo's documentation](https://doc.rust-lang.org/cargo/reference/config.html#netgit-fetch-with-cli).
2. Alternatively you can set it to the environment variables for the entire workflow:
```
env:
CARGO_NET_GIT_FETCH_WITH_CLI: true
```
### Using Deploy Keys with Swift Package Manager
`xcodebuild` by default uses Xcode's built-in Git tooling. If you want to use GitHub Deploy Keys as supported by this action, however, that version of Git will lack the necessary URL remapping. In this case, pass `-scmProvider system` to the `xcodebuild` command, as mentioned in [Apple's documentation](https://developer.apple.com/documentation/swift_packages/building_swift_packages_or_apps_that_use_them_in_continuous_integration_workflows#3680255).
## What this Action *cannot* do for you
The following items are not issues, but beyond what this Action is supposed to do.
@ -100,7 +208,7 @@ When using `ssh` to connect from the GitHub Action worker node to another machin
### Provide the SSH Key as a File
This Action is designed to pass the SSH key directly into `ssh-agent`; that is, the key is available in memory on the GitHub Action worker node, but never written to disk. As a consequence, you _cannot_ pass the key as a build argument or a mounted file into Docker containers that you build or run on the worker node. You _can_, however, mount the `ssh-agent` Unix socket into a Docker container that you _run_, set up the `SSH_AUTH_SOCK` env var and then use SSH from within the container (see #11).
This Action is designed to pass the SSH key directly into `ssh-agent`; that is, the key is available in memory on the GitHub Action worker node, but never written to disk. As a consequence, you _cannot_ pass the key as a build argument or a mounted file into Docker containers that you build or run on the worker node. You _can_, however, mount the `ssh-agent` Unix socket into a Docker container that you _run_, set up the `SSH_AUTH_SOCK` env var and then use SSH from within the container (see https://github.com/webfactory/ssh-agent/issues/11).
### Run `ssh-keyscan` to Add Host Keys for Additional Hosts
@ -111,7 +219,7 @@ As a side note, using `ssh-keyscan` without proper key verification is susceptib
## Creating SSH Keys
In order to create a new SSH key, run `ssh-keygen -t ed25519 -a 100 -f path/to/keyfile`, as suggested in [this blog post](https://stribika.github.io/2015/01/04/secure-secure-shell.html).
If you need to work with some older server software and need RSA keys, tr `ssh-keygen -t rsa -b 4096 -o -f path/to/keyfile` instead.
If you need to work with some older server software and need RSA keys, try `ssh-keygen -t rsa -b 4096 -o -f path/to/keyfile` instead.
Both commands will prompt you for a key passphrase and save the key in `path/to/keyfile`.
In general, having a passphrase is a good thing, since it will keep the key encrypted on your disk. When using the key with this action, however, you need to make sure you don't
@ -163,4 +271,4 @@ developer looking for new challenges, we'd like to hear from you!
- <https://www.webfactory.de>
- <https://twitter.com/webfactory>
Copyright 2019 2021 webfactory GmbH, Bonn. Code released under [the MIT license](LICENSE).
Copyright 2019 2023 webfactory GmbH, Bonn. Code released under [the MIT license](LICENSE).

View file

@ -4,12 +4,40 @@ inputs:
ssh-private-key:
description: 'Private SSH key to register in the SSH agent'
required: true
instance-urls:
description: |-
URL(s) of the Forgejo instance to use. Due to limitations with Forgejo Actions inputs, this is specified as a string.
You can specify multiple instance URLs by putting each one on a separate line.
```yaml
secrets: |-
forgejo.org
codeberg.org
```
required: false
default: 'forgejo.org'
ssh-auth-sock:
description: 'Where to place the SSH Agent auth socket'
log-public-key:
description: 'Whether or not to log public key fingerprints'
required: false
default: true
ssh-agent-cmd:
description: 'ssh-agent command'
required: false
ssh-add-cmd:
description: 'ssh-add command'
required: false
git-cmd:
description: 'git command'
required: false
runs:
using: 'node12'
using: 'node20'
main: 'dist/index.js'
post: 'dist/cleanup.js'
post-if: 'always()'
branding:
icon: loader
color: 'yellow'

View file

@ -1,10 +1,11 @@
const core = require('@actions/core')
const { execSync } = require('child_process')
const core = require('@actions/core');
const { execFileSync } = require('child_process');
const { sshAgentCmd } = require('./paths.js');
try {
// Kill the started SSH agent
console.log('Stopping SSH agent')
execSync('kill ${SSH_AGENT_PID}', { stdio: 'inherit' })
console.log('Stopping SSH agent');
execFileSync(sshAgentCmd, ['-k'], { stdio: 'inherit' });
} catch (error) {
console.log(error.message);
console.log('Error stopping the SSH agent, proceeding anyway');

27471
dist/cleanup.js vendored

File diff suppressed because one or more lines are too long

27648
dist/index.js vendored

File diff suppressed because one or more lines are too long

113
index.js
View file

@ -1,11 +1,21 @@
const core = require('@actions/core');
const child_process = require('child_process');
const fs = require('fs');
const os = require('os');
const crypto = require('crypto');
const { homePath, sshAgentCmdDefault, sshAddCmdDefault, gitCmdDefault } = require('./paths.js');
try {
const privateKey = core.getInput('ssh-private-key');
const instanceUrls = core.getInput('instance-urls', { required: true });
const logPublicKey = core.getBooleanInput('log-public-key', {default: true});
const sshAgentCmdInput = core.getInput('ssh-agent-cmd');
const sshAddCmdInput = core.getInput('ssh-add-cmd');
const gitCmdInput = core.getInput('git-cmd');
const sshAgentCmd = sshAgentCmdInput ? sshAgentCmdInput : sshAgentCmdDefault;
const sshAddCmd = sshAddCmdInput ? sshAddCmdInput : sshAddCmdDefault;
const gitCmd = gitCmdInput ? gitCmdInput : gitCmdDefault;
if (!privateKey) {
core.setFailed("The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file.");
@ -13,79 +23,80 @@ try {
return;
}
var home;
if (process.env['OS'] == 'Windows_NT') {
console.log('Preparing ssh-agent service on Windows');
child_process.execSync('sc config ssh-agent start=demand', { stdio: 'inherit' });
home = os.homedir();
} else {
// Use getent() system call, since this is what ssh does; makes a difference in Docker-based
// Action runs, where $HOME is different from the pwent
var { homedir: home } = os.userInfo();
}
const homeSsh = home + '/.ssh';
console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`);
const homeSsh = homePath + '/.ssh';
fs.mkdirSync(homeSsh, { recursive: true });
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n');
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-dss AAAAB3NzaC1kc3MAAACBANGFW2P9xlGU3zWrymJgI/lKo//ZW2WfVtmbsUZJ5uyKArtlQOT2+WRhcg4979aFxgKdcsqAYW3/LS1T2km3jYW/vr4Uzn+dXWODVk5VlUiZ1HFOHf6s6ITcZvjvdbp6ZbpM+DuJT7Bw+h5Fx8Qt8I16oCZYmAPJRtu46o9C2zk1AAAAFQC4gdFGcSbp5Gr0Wd5Ay/jtcldMewAAAIATTgn4sY4Nem/FQE+XJlyUQptPWMem5fwOcWtSXiTKaaN0lkk2p2snz+EJvAGXGq9dTSWHyLJSM2W6ZdQDqWJ1k+cL8CARAqL+UMwF84CR0m3hj+wtVGD/J4G5kW2DBAf4/bqzP4469lT+dF2FRQ2L9JKXrCWcnhMtJUvua8dvnwAAAIB6C4nQfAA7x8oLta6tT+oCk2WQcydNsyugE8vLrHlogoWEicla6cWPk7oXSspbzUcfkjN3Qa6e74PhRkc7JdSdAlFzU3m7LMkXo1MHgkqNX8glxWNVqBSc0YRdbFdTkL0C6gtpklilhvuHQCdbgB3LBAikcRkDp+FCVkUgPC/7Rw==\n');
console.log("Starting ssh-agent");
const authSock = core.getInput('ssh-auth-sock');
let sshAgentOutput = ''
if (authSock && authSock.length > 0) {
sshAgentOutput = child_process.execFileSync('ssh-agent', ['-a', authSock]);
} else {
sshAgentOutput = child_process.execFileSync('ssh-agent')
}
const sshAgentArgs = (authSock && authSock.length > 0) ? ['-a', authSock] : [];
// Extract auth socket path and agent pid and set them as job variables
const lines = sshAgentOutput.toString().split("\n")
for (const lineNumber in lines) {
const matches = /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=(.*); export \1/.exec(lines[lineNumber])
if (matches && matches.length > 0) {
core.exportVariable(matches[1], matches[2])
}
}
child_process.execFileSync(sshAgentCmd, sshAgentArgs).toString().split("\n").forEach(function(line) {
const matches = /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=(.*); export \1/.exec(line);
console.log("Adding private key to agent");
privateKey.split(/(?=-----BEGIN)/).forEach(function(key) {
child_process.execSync('ssh-add -', { input: key.trim() + "\n" });
if (matches && matches.length > 0) {
// This will also set process.env accordingly, so changes take effect for this script
core.exportVariable(matches[1], matches[2])
console.log(`${matches[1]}=${matches[2]}`);
}
});
console.log("Keys added:");
child_process.execSync('ssh-add -l', { stdio: 'inherit' });
console.log("Adding private key(s) to agent");
child_process.execFileSync('ssh-add', ['-L']).toString().split(/\r?\n/).forEach(function(key) {
let parts = key.match(/\bgithub.com[:/](.*)(?:\.git)?\b/);
privateKey.split(/(?=-----BEGIN)/).forEach(function(key) {
child_process.execFileSync(sshAddCmd, ['-'], { input: key.trim() + "\n" });
});
if (parts == null) {
console.log("Key(s) added:");
child_process.execFileSync(sshAddCmd, ['-l'], { stdio: 'inherit' });
console.log('Configuring deployment key(s)');
const instanceUrlsArray = instanceUrls.split(/\r?\n/);
instanceUrlsArray.forEach(instanceUrl => {
const urlPattern = new RegExp(`\\b${instanceUrl.replace(/\./g, '\\.')}[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)`, 'i');
child_process.execFileSync(sshAddCmd, ['-L']).toString().trim().split(/\r?\n/).forEach(function(key) {
const parts = key.match(urlPattern);
if (!parts) {
if (logPublicKey) {
console.log(`Comment for (public) key '${key}' does not match ${instanceUrl} URL pattern. Not treating it as a deploy key for ${instanceUrl}.`);
}
return;
}
let ownerAndRepo = parts[1];
let sha256 = crypto.createHash('sha256').update(key).digest('hex');
const sha256 = crypto.createHash('sha256').update(key).digest('hex');
const ownerAndRepo = parts[1].replace(/\.git$/, '');
fs.writeFileSync(`${homeSsh}/${sha256}`, key + "\n", { mode: '600' });
fs.writeFileSync(`${homeSsh}/key-${sha256}`, key + "\n", { mode: '600' });
child_process.execSync(`git config --global --replace-all url."git@${sha256}:${ownerAndRepo}".insteadOf "https://github.com/${ownerAndRepo}"`);
child_process.execSync(`git config --global --add url."git@${sha256}:${ownerAndRepo}".insteadOf "git@github.com:${ownerAndRepo}"`);
child_process.execSync(`git config --global --add url."git@${sha256}:${ownerAndRepo}".insteadOf "ssh://git@github.com/${ownerAndRepo}"`);
const keyHostname = `key-${sha256}.${instanceUrl}`;
let sshConfig = `\nHost ${sha256}\n`
+ ` HostName github.com\n`
+ ` User git\n`
+ ` IdentityFile ${homeSsh}/${sha256}\n`
child_process.execSync(`${gitCmd} config --global --replace-all url."git@${keyHostname}:${ownerAndRepo}".insteadOf "https://${instanceUrl}/${ownerAndRepo}"`);
child_process.execSync(`${gitCmd} config --global --add url."git@${keyHostname}:${ownerAndRepo}".insteadOf "git@${instanceUrl}:${ownerAndRepo}"`);
child_process.execSync(`${gitCmd} config --global --add url."git@${keyHostname}:${ownerAndRepo}".insteadOf "ssh://git@${instanceUrl}/${ownerAndRepo}"`);
const sshConfig = `\nHost ${keyHostname}\n`
+ ` HostName ${instanceUrl}\n`
+ ` IdentityFile ${homeSsh}/key-${sha256}\n`
+ ` IdentitiesOnly yes\n`;
fs.appendFileSync(`${homeSsh}/config`, sshConfig);
console.log(`Added deploy-key mapping: Use key "${key}" for GitHub repository ${ownerAndRepo}`);
console.log(`Added deploy-key mapping: Use identity '${homeSsh}/key-${sha256}' for ${instanceUrl} repository ${ownerAndRepo}`);
});
});
} catch (error) {
if (error.code == 'ENOENT') {
console.log(`The '${error.path}' executable could not be found. Please make sure it is on your PATH and/or the necessary packages are installed.`);
console.log(`PATH is set to: ${process.env.PATH}`);
}
core.setFailed(error.message);
}

View file

@ -1,14 +1,14 @@
{
"name": "webfactory-action-ssh-agent",
"repository": "git@github.com:webfactory/ssh-agent.git",
"repository": "git@www.coastalcommits.com:actions/ssh-agent.git",
"description": "GitHub Action to set up ssh-agent with a private SSH key",
"version": "0.1.0",
"version": "0.7.0",
"main": "index.js",
"author": "webfactory GmbH <info@webfactory.de>",
"license": "MIT",
"devDependencies": {
"@actions/core": "^1.2.4",
"@zeit/ncc": "^0.20.5"
"@actions/core": "^1.9.1",
"@vercel/ncc": "^0.38.2"
},
"scripts": {
"build": "node scripts/build.js"

16
paths.js Normal file
View file

@ -0,0 +1,16 @@
const os = require('os');
module.exports = (process.env['OS'] != 'Windows_NT') ? {
// Use getent() system call, since this is what ssh does; makes a difference in Docker-based
// Action runs, where $HOME is different from the pwent
homePath: os.userInfo().homedir,
sshAgentCmdDefault: 'ssh-agent',
sshAddCmdDefault: 'ssh-add',
gitCmdDefault: 'git'
} : {
// Assuming GitHub hosted `windows-*` runners for now
homePath: os.homedir(),
sshAgentCmdDefault: 'c://progra~1//git//usr//bin//ssh-agent.exe',
sshAddCmdDefault: 'c://progra~1//git//usr//bin//ssh-add.exe',
gitCmdDefault: 'c://progra~1//git//bin//git.exe'
};

View file

@ -2,12 +2,52 @@
# yarn lockfile v1
"@actions/core@^1.2.4":
version "1.2.6"
resolved "https://registry.yarnpkg.com/@actions/core/-/core-1.2.6.tgz#a78d49f41a4def18e88ce47c2cac615d5694bf09"
integrity sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==
"@actions/core@^1.9.1":
version "1.11.1"
resolved "https://registry.yarnpkg.com/@actions/core/-/core-1.11.1.tgz#ae683aac5112438021588030efb53b1adb86f172"
integrity sha512-hXJCSrkwfA46Vd9Z3q4cpEpHB1rL5NG04+/rbqW9d3+CSvtB1tYe8UTpAlixa1vj0m/ULglfEK2UKxMGxCxv5A==
dependencies:
"@actions/exec" "^1.1.1"
"@actions/http-client" "^2.0.1"
"@zeit/ncc@^0.20.5":
version "0.20.5"
resolved "https://registry.yarnpkg.com/@zeit/ncc/-/ncc-0.20.5.tgz#a41af6e6bcab4a58f4612bae6137f70bce0192e3"
integrity sha512-XU6uzwvv95DqxciQx+aOLhbyBx/13ky+RK1y88Age9Du3BlA4mMPCy13BGjayOrrumOzlq1XV3SD/BWiZENXlw==
"@actions/exec@^1.1.1":
version "1.1.1"
resolved "https://registry.yarnpkg.com/@actions/exec/-/exec-1.1.1.tgz#2e43f28c54022537172819a7cf886c844221a611"
integrity sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==
dependencies:
"@actions/io" "^1.0.1"
"@actions/http-client@^2.0.1":
version "2.2.3"
resolved "https://registry.yarnpkg.com/@actions/http-client/-/http-client-2.2.3.tgz#31fc0b25c0e665754ed39a9f19a8611fc6dab674"
integrity sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==
dependencies:
tunnel "^0.0.6"
undici "^5.25.4"
"@actions/io@^1.0.1":
version "1.1.3"
resolved "https://registry.yarnpkg.com/@actions/io/-/io-1.1.3.tgz#4cdb6254da7962b07473ff5c335f3da485d94d71"
integrity sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==
"@fastify/busboy@^2.0.0":
version "2.1.1"
resolved "https://registry.yarnpkg.com/@fastify/busboy/-/busboy-2.1.1.tgz#b9da6a878a371829a0502c9b6c1c143ef6663f4d"
integrity sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==
"@vercel/ncc@^0.38.2":
version "0.38.2"
resolved "https://registry.yarnpkg.com/@vercel/ncc/-/ncc-0.38.2.tgz#d35c3a74c671699ccf316f74bf0ecab6b60e312b"
integrity sha512-3yel3jaxUg9pHBv4+KeC9qlbdZPug+UMtUOlhvpDYCMSgcNSrS2Hv1LoqMsOV7hf2lYscx+BESfJOIla1WsmMQ==
tunnel@^0.0.6:
version "0.0.6"
resolved "https://registry.yarnpkg.com/tunnel/-/tunnel-0.0.6.tgz#72f1314b34a5b192db012324df2cc587ca47f92c"
integrity sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==
undici@^5.25.4:
version "5.28.4"
resolved "https://registry.yarnpkg.com/undici/-/undici-5.28.4.tgz#6b280408edb6a1a604a9b20340f45b422e373068"
integrity sha512-72RFADWFqKmUb2hmmvNODKL3p9hcB6Gt2DOQMis1SEBaV6a4MH8soBvzg+95CYhCKPFedut2JY9bMfrDl9D23g==
dependencies:
"@fastify/busboy" "^2.0.0"