Compare commits

..

55 commits

Author SHA1 Message Date
Matthias Pigulla
2d8d48e56a Run only SSH 2021-03-03 07:38:23 +00:00
Matthias Pigulla
5a354bf325 Run windows only 2021-03-02 20:43:23 +00:00
Matthias Pigulla
6458b79183 Use another action for debugging 2021-03-02 20:33:48 +00:00
Matthias Pigulla
873b13078f Run tmate directly 2021-03-02 20:29:34 +00:00
Matthias Pigulla
3fc2400425 Debug 2021-03-02 20:28:33 +00:00
Matthias Pigulla
3715bc571d Use IdentitiesOnly=yes, because on Windows the wrong key was sent first (_but_: taken from the Agent) 2021-03-02 18:30:41 +00:00
Matthias Pigulla
71155bedbe Poke at things with a stick 2021-03-02 18:27:44 +00:00
Matthias Pigulla
10fed90131 Test whether we're using the wrong ssh client 2021-03-02 17:38:18 +00:00
Matthias Pigulla
d3770df27e Use IdentitiesOnly=yes always 2021-03-02 16:13:48 +00:00
Matthias Pigulla
7667967a0a Show loaded keys 2021-03-02 16:13:26 +00:00
Matthias Pigulla
c77dd5afd7 ... 2021-03-02 16:11:15 +00:00
Matthias Pigulla
a4b2891e37 Set DISPLAY to circumvent read_passphrase (?) 2021-03-02 16:07:52 +00:00
Matthias Pigulla
7cabdfc0cc Print cwd 2021-03-02 16:03:44 +00:00
Matthias Pigulla
da67187c5e use printenv (powershell?) 2021-03-02 16:03:17 +00:00
Matthias Pigulla
64510141b4 Print env 2021-03-02 16:01:37 +00:00
Matthias Pigulla
8cdc63104f Create /dev/tty on D: also 2021-03-02 15:55:31 +00:00
Matthias Pigulla
e0d767fd8e Make sure file creation works 2021-03-02 15:40:01 +00:00
Matthias Pigulla
feedd601c5 Fix Windows file path to use backslashes 2021-03-02 15:31:47 +00:00
Matthias Pigulla
e35dbcbae9 Work around another bug in OpenSSH on Windows 2021-03-02 15:29:19 +00:00
Matthias Pigulla
cbf6c2b3c2 Also try AddKeysToAgent=yes 2021-03-01 11:31:50 +00:00
Matthias Pigulla
2bcaae34da Avoid using a separate shell 2021-03-01 11:16:21 +00:00
Matthias Pigulla
f03f6e3358 Debug SSH_AUTH_SOCK 2021-03-01 11:05:21 +00:00
Matthias Pigulla
7d6e731f4a Use SSH_AUTH_SOCK in following ssh-add invocations 2021-03-01 10:59:34 +00:00
Matthias Pigulla
88bcf9af86 Use IdentitiesOnly=no 2021-03-01 10:53:18 +00:00
Matthias Pigulla
02a6899abb Keep output 2021-03-01 10:50:07 +00:00
Matthias Pigulla
5f971b8d4f Add askpass.c source code 2021-03-01 10:46:52 +00:00
Matthias Pigulla
ab7e1e8f32 Trigger workflows 2021-03-01 09:51:34 +00:00
Matthias Pigulla
7f61bbc4ae Use different ssh-add command for Windows/!Windows 2021-03-01 09:41:11 +00:00
Matthias Pigulla
2bde568a83 Trigger Actions 2021-03-01 09:35:32 +00:00
Matthias Pigulla
93c9b23aa1 Empty commit 2021-03-01 09:27:02 +00:00
Matthias Pigulla
1606d19f15 Preserve process.env so the PATH (and possibly other) vars are availabe 2021-03-01 09:24:06 +00:00
Matthias Pigulla
8addcca750 Debug with ngrok/ssh 2021-03-01 08:47:08 +00:00
Matthias Pigulla
166067472e More debugging 2021-03-01 08:35:43 +00:00
Matthias Pigulla
f78cad1cc7 Try to output ssh-add failure 2021-03-01 08:19:03 +00:00
Matthias Pigulla
ccd95b931d Use execSync instead of execFileSync 2021-03-01 08:16:26 +00:00
Matthias Pigulla
637f9c791e Fix execFileSync call 2021-03-01 08:15:05 +00:00
Matthias Pigulla
18f53866de Use absolute path for askpass.exe 2021-03-01 08:13:10 +00:00
Matthias Pigulla
c91aeeb123 Fake askpass 2021-03-01 08:09:30 +00:00
Matthias Pigulla
25b1b5d69f Compile Hello World on Windows 2021-03-01 07:33:08 +00:00
Matthias Pigulla
9406a51fa5 Remove stdio: 'inherit' 2021-02-28 16:07:26 +00:00
Matthias Pigulla
ef63fdb1df Fix syntax 2021-02-28 16:04:53 +00:00
Matthias Pigulla
7fc4d80a06 Debug output 2021-02-28 15:58:23 +00:00
Matthias Pigulla
9b7e80db62 Use exec 2021-02-28 15:55:23 +00:00
Matthias Pigulla
4d491fcb08 Fix ssh-add syntax (?) 2021-02-28 15:53:33 +00:00
Matthias Pigulla
1676d1f2a9 Use an askpass wrapper 2021-02-28 15:52:09 +00:00
Matthias Pigulla
3702096734 Try writing keys to disk and encrypting them 2021-02-28 15:05:09 +00:00
Matthias Pigulla
253819f283 Start another agent 2021-02-27 20:00:21 +00:00
Matthias Pigulla
231e859720 Re-add key to agent after setting passphrase 2021-02-27 19:54:52 +00:00
Matthias Pigulla
5e4ad4bcc8 Explicitly disable IdentitiesOnly 2021-02-27 18:25:44 +00:00
Matthias Pigulla
c56b9c4c81 Encrypt key on disk 2021-02-27 18:13:12 +00:00
Matthias Pigulla
d7353c1718 Write private key to file (does this work on Windows?) 2021-02-27 18:10:53 +00:00
Matthias Pigulla
bcd9c12595 Print key file name 2021-02-27 11:05:12 +00:00
Matthias Pigulla
ab4471f51e Remove steps that cause noise during debugging 2021-02-27 11:03:19 +00:00
Matthias Pigulla
05624726bc Remove "IdentitiesOnly" 2021-02-27 11:00:51 +00:00
Matthias Pigulla
2a421d8dab
Debug deployment keys on Windows 2021-02-26 22:22:35 +01:00
13 changed files with 701 additions and 55083 deletions

View file

@ -1,46 +1,45 @@
on: [ push, pull_request ] on: [push, pull_request]
jobs: jobs:
deployment_keys_demo: deployment_keys_demo:
env:
GIT_SSH_COMMAND: ssh -v
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
os: [ ubuntu-latest, macOS-latest, windows-latest ] os: [windows-latest]
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v2
- name: Setup key # - name: Setup key
uses: ./ # uses: ./
with: # with:
ssh-private-key: | # ssh-private-key: |
${{ secrets.MPDUDE_TEST_1_DEPLOY_KEY }} # ${{ secrets.MPDUDE_TEST_1_DEPLOY_KEY }}
${{ secrets.MPDUDE_TEST_2_DEPLOY_KEY }} # ${{ secrets.MPDUDE_TEST_2_DEPLOY_KEY }}
- run: | # - run: |
git clone https://github.com/mpdude/test-1.git test-1-http # cat ~/.ssh/config
git clone git@github.com:mpdude/test-1.git test-1-git # ssh-add -l
git clone ssh://git@github.com/mpdude/test-1.git test-1-git-ssh # C:/Windows/System32/OpenSSH/ssh.exe -v git@key-2 'echo octocat'
git clone https://github.com/mpdude/test-2.git test-2-http - name: Start SSH session
git clone git@github.com:mpdude/test-2.git test-2-git uses: luchihoratiu/debug-via-ssh@main
git clone ssh://git@github.com/mpdude/test-2.git test-2-git-ssh with:
NGROK_AUTH_TOKEN: ${{ secrets.NGROK_AUTH_TOKEN }}
SSH_PASS: ${{ secrets.SSH_PASS }}
docker_demo: # git clone git@github.com:mpdude/test-2.git test-2-git
runs-on: ubuntu-latest # ls -alh ~/.ssh
container: # git clone https://github.com/mpdude/test-1.git test-1-http
image: ubuntu:latest # git clone git@github.com:mpdude/test-1.git test-1-git
steps: # git clone ssh://git@github.com/mpdude/test-1.git test-1-git-ssh
- uses: actions/checkout@v4 # git clone https://github.com/mpdude/test-2.git test-2-http
- run: apt update && apt install -y openssh-client git
- name: Setup key
uses: ./
with:
ssh-private-key: |
${{ secrets.MPDUDE_TEST_1_DEPLOY_KEY }}
${{ secrets.MPDUDE_TEST_2_DEPLOY_KEY }}
- run: |
git clone https://github.com/mpdude/test-1.git test-1-http
git clone git@github.com:mpdude/test-1.git test-1-git
git clone ssh://git@github.com/mpdude/test-1.git test-1-git-ssh
git clone https://github.com/mpdude/test-2.git test-2-http
git clone git@github.com:mpdude/test-2.git test-2-git
git clone ssh://git@github.com/mpdude/test-2.git test-2-git-ssh
# git clone ssh://git@github.com/mpdude/test-2.git test-2-git-ssh
# cat > ~/.ssh/5965bf89ab6e2900262e3f6802dfb4d65cb0de539d0fbb97d381e7130a4ba7e9 <<< "${{ secrets.MPDUDE_TEST_2_DEPLOY_KEY }}"
# ssh-keygen -p -f ~/.ssh/5965bf89ab6e2900262e3f6802dfb4d65cb0de539d0fbb97d381e7130a4ba7e9 -N secret-passphrase
# eval `ssh-agent`
# echo "secret-passphrase" | ssh-add ~/.ssh/5965bf89ab6e2900262e3f6802dfb4d65cb0de539d0fbb97d381e7130a4ba7e9
# ssh-add -L
# git clone git@github.com:mpdude/test-2.git test-2-git
# shell: bash

View file

@ -7,82 +7,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased] ## [Unreleased]
## v0.7.0 [2022-10-19]
### Added
* Add the `log-public-key` input that can be used to turn off logging key identities (#122)
### Fixed
* Fix path to `git` binary on Windows, assuming GitHub-hosted runners (#136, #137)
* Fix a nonsensical log message (#139)
## v0.6.0 [2022-10-19]
### Changed
* Update the version of Node used by the action from 12 to 16 (https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/).
## v0.5.4 [2021-11-21]
### Fixed
* Update changed GitHub Host Keys (#102, #101)
### Changed
* Various documentation (README) improvements and additions
* Change logging to more precisely state that _public_ keys are being printed
## v0.5.3 [2021-06-11]
### Fixed
* Fixed cleanup phase to really terminate the ssh-agent (#80)
* Fix termination of ssh-agent also on workflow failure (#79)
### Changed
* Various documentation (README) improvements and additions
## v0.5.2 [2021-04-07]
### Fixed
* Use case-insensitive regex matching when scanning key comments (#68, #70, #71)
### Changed
* Log when a key is _not_ used as a deploy key (#69)
## v0.5.1 [2021-03-10]
### Fixed
* Fix deployment key mapping on Windows virtual environment by using SSH binaries from the Git
suite, terminate ssh-agent upon actio termination on Windows as well (#63)
* Handle ENOENT exceptions with a graceful message
### Changed
* Various documentation (README) improvements and additions
## v0.5.0 [2021-02-19]
### Added
* Add support for GitHub Deployment Keys through key comments (#59). Fixes #30, closes #38.
* Support for container-based workflows and Windows (#17)
### Fixed
* Fix scripts/build.js to work on Windows (#38)
### Changed
* Various documentation (README) improvements and additions
## v0.4.1 [2020-10-07] ## v0.4.1 [2020-10-07]
### Fixed ### Fixed

144
README.md
View file

@ -2,8 +2,9 @@
This action This action
* starts the `ssh-agent`, * starts the `ssh-agent`,
* exports the `SSH_AUTH_SOCK` environment variable, and * exports the `SSH_AUTH_SOCK` environment variable,
* loads one or several private SSH key into the agent. * loads one or several private SSH key into the agent and
* configures `known_hosts` for GitHub.com.
It should work in all GitHub Actions virtual environments, including container-based workflows. It should work in all GitHub Actions virtual environments, including container-based workflows.
@ -19,14 +20,11 @@ GitHub Actions only have access to the repository they run for. So, in order to
## Usage ## Usage
1. Generate a new SSH key with sufficient access privileges. For security reasons, don't use your personal SSH key but set up a dedicated one for use in GitHub Actions. See below for a few hints if you are unsure about this step. 1. Create an SSH key with sufficient access privileges. For security reasons, don't use your personal SSH key but set up a dedicated one for use in GitHub Actions. See below for a few hints if you are unsure about this step.
2. Make sure you don't have a passphrase set on the private key. 2. Make sure you don't have a passphrase set on the private key.
3. Add the public SSH key to the private repository you are pulling from during the Github Action as a 'Deploy Key'. 3. In your repository, go to the *Settings > Secrets* menu and create a new secret. In this example, we'll call it `SSH_PRIVATE_KEY`. Put the contents of the *private* SSH key file into the contents field. <br>
4. Add the private SSH key to the repository triggering the Github Action: This key should start with `-----BEGIN ... PRIVATE KEY-----`, consist of many lines and ends with `-----END ... PRIVATE KEY-----`.
* In your repository, go to the *Settings > Secrets* menu and create a new secret. In this example, we'll call it `SSH_PRIVATE_KEY`. 4. In your workflow definition file, add the following step. Preferably this would be rather on top, near the `actions/checkout@v2` line.
* Put the contents of the *private* SSH key file into the contents field. <br>
* This key should start with `-----BEGIN ... PRIVATE KEY-----`, consist of many lines and ends with `-----END ... PRIVATE KEY-----`.
5. In your workflow definition file, add the following step. Preferably this would be rather on top, near the `actions/checkout@v4` line.
```yaml ```yaml
# .github/workflows/my-workflow.yml # .github/workflows/my-workflow.yml
@ -34,12 +32,13 @@ jobs:
my_job: my_job:
... ...
steps: steps:
- uses: actions/checkout@v4 - actions/checkout@v2
# Make sure the @v0.9.0 matches the current version of the action # Make sure the @v0.5.0 matches the current version of the
- uses: webfactory/ssh-agent@v0.9.0 # action
- uses: webfactory/ssh-agent@v0.5.0
with: with:
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
# ... other steps - ... other steps
``` ```
5. If, for some reason, you need to change the location of the SSH agent socket, you can use the `ssh-auth-sock` input to provide a path. 5. If, for some reason, you need to change the location of the SSH agent socket, you can use the `ssh-auth-sock` input to provide a path.
@ -50,8 +49,8 @@ There are cases where you might need to use multiple keys. For example, "[deploy
You can set up different keys as different secrets and pass them all to the action like so: You can set up different keys as different secrets and pass them all to the action like so:
```yaml ```yaml
# ... contents as before # ... contens as before
- uses: webfactory/ssh-agent@v0.9.0 - uses: webfactory/ssh-agent@v0.5.0
with: with:
ssh-private-key: | ssh-private-key: |
${{ secrets.FIRST_KEY }} ${{ secrets.FIRST_KEY }}
@ -69,24 +68,12 @@ When using **Github deploy keys**, GitHub servers will accept the _first_ known
To support picking the right key in this use case, this action scans _key comments_ and will set up extra Git and SSH configuration to make things work. To support picking the right key in this use case, this action scans _key comments_ and will set up extra Git and SSH configuration to make things work.
1. When creating the deploy key for a repository like `git@github.com:owner/repo.git` or `https://github.com/owner/repo`, put that URL into the key comment. (Hint: Try `ssh-keygen ... -C "git@github.com:owner/repo.git"`.) 1. When creating the deploy key for a repository like `git@github.com:owner/repo.git` or `https://github.com/owner/repo`, put that URL into the key comment.
2. After keys have been added to the agent, this action will scan the key comments. 2. After keys have been added to the agent, this action will scan the key comments.
3. For key comments containing such URLs, a Git config setting is written that uses [`url.<base>.insteadof`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-urlltbasegtinsteadOf). It will redirect `git` requests to URLs starting with either `https://github.com/owner/repo` or `git@github.com:owner/repo` to a fake hostname/URL like `git@...some.hash...:owner/repo`. 3. For key comments containing such URLs, a Git config setting is written that uses [`url.<base>.insteadof`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-urlltbasegtinsteadOf). It will redirect `git` requests to URLs starting with either `https://github.com/owner/repo` or `git@github.com:owner/repo` to a fake hostname/URL like `git@...some.hash...:owner/repo`.
4. An SSH configuration section is generated that applies to the fake hostname. It will map the SSH connection back to `github.com`, while at the same time pointing SSH to a file containing the appropriate key's public part. That will make SSH use the right key when connecting to GitHub.com. 4. An SSH configuration section is generated that applies to the fake hostname. It will map the SSH connection back to `github.com`, while at the same time pointing SSH to a file containing the appropriate key's public part. That will make SSH use the right key when connecting to GitHub.com.
## Action Inputs
The following inputs can be used to control the action's behavior:
* `ssh-private-key`: Required. Use this to provide the key(s) to load as GitHub Actions secrets.
* `ssh-auth-sock`: Can be used to control where the SSH agent socket will be placed. Ultimately affects the `$SSH_AUTH_SOCK` environment variable.
* `log-public-key`: Set this to `false` if you want to suppress logging of _public_ key information. To simplify debugging and since it contains public key information only, this is turned on by default.
* `ssh-agent-cmd`: Optional. Use this to specify a custom location for the `ssh-agent` binary.
* `ssh-add-cmd`: Optional. Use this to specify a custom location for the `ssh-add` binary.
* `git-cmd`: Optional. Use this to specify a custom location for the `git` binary.
## Exported variables ## Exported variables
The action exports the `SSH_AUTH_SOCK` and `SSH_AGENT_PID` environment variables through the Github Actions core module. The action exports the `SSH_AUTH_SOCK` and `SSH_AGENT_PID` environment variables through the Github Actions core module.
The `$SSH_AUTH_SOCK` is used by several applications like git or rsync to connect to the SSH authentication agent. The `$SSH_AUTH_SOCK` is used by several applications like git or rsync to connect to the SSH authentication agent.
The `$SSH_AGENT_PID` contains the process id of the agent. This is used to kill the agent in post job action. The `$SSH_AGENT_PID` contains the process id of the agent. This is used to kill the agent in post job action.
@ -103,101 +90,6 @@ If the private key is not in the `PEM` format, you will see an `Error loading ke
Use `ssh-keygen -p -f path/to/your/key -m pem` to convert your key file to `PEM`, but be sure to make a backup of the file first 😉. Use `ssh-keygen -p -f path/to/your/key -m pem` to convert your key file to `PEM`, but be sure to make a backup of the file first 😉.
## Additional Information for Particular Tools or Platforms
If you know that your favorite tool or platform of choice requires extra tweaks or has some caveats when running with SSH, feel free to open a PR to amend this section here.
### Container-based Workflows
If you are using this action on container-based workflows, make sure the container has the necessary SSH binaries or package(s) installed.
### Building Docker Images and/or Using the `docker/build-push-action` Action
When you are building Docker images with `docker build` or `docker compose build` and need to provide the SSH keys to the build, don't forget to pass `--ssh default=${{ env.SSH_AUTH_SOCK }}` on the command line to pass the SSH agent socket through. See the [Docker documentation](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) for more information on this option.
If you are using the `docker/build-push-action`, you can do so by adding the following config.
```yml
- name: Build and push
id: docker_build
uses: docker/build-push-action@v2
with:
ssh: |
default=${{ env.SSH_AUTH_SOCK }}
```
Make sure not to miss the next section, though.
### Using Multiple Deploy Keys Inside Docker Builds
When you pass the SSH agent socket to the Docker build environment _and_ want to use multiple GitHub deploy keys, you need to copy the Git and SSH configuration files to the build environment as well. This is necessary _in addition to_ forwarding the SSH agent socket into the build process. The config files are required so that Git can pick the right one from your deployment keys.
This requires an additional step in the workflow file **after** the `ssh-agent` step and **before** the Docker build step. You also need two additional lines in the `Dockerfile` to actually copy the configs.
The following example will:
* collect the necessary Git and SSH configuration files in a directory that must be part of the Docker build context so that...
* ... the files can be copied into the Docker image (or an intermediate build stage).
Workflow:
```yml
- name: ssh-agent setup
...
- name: Collect Git and SSH config files in a directory that is part of the Docker build context
run: |
mkdir root-config
cp -r ~/.gitconfig ~/.ssh root-config/
- name: Docker build
# build-push-action | docker [compose] build | etc.
...
```
Dockerfile:
```Dockerfile
# Copy the two files in place and fix different path/locations inside the Docker image
COPY root-config /root/
RUN sed 's|/home/runner|/root|g' -i.bak /root/.ssh/config
```
Keep in mind that the resulting Docker image now might contain these customized Git and SSH configuration files! Your private SSH keys are never written to files anywhere, just loaded into the SSH agent and forwarded into the container. The config files might, however, give away details about your build or development process and contain the names and URLs of your (private) repositories. You might want to use a multi-staged build to make sure these files do not end up in the final image.
If you still get the error message: `fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.`, you most likely forgot one of the steps above.
### Cargo's (Rust) Private Dependencies on Windows
If you are using private repositories in your dependencies like this:
```
stuff = { git = "ssh://git@github.com/myorg/stuff.git", branch = "main" }
```
... you will need to change a configuration in the workflow for Windows machines in order to make cargo able to clone private repositories.
There are 2 ways you can achieve this:
1. Add this step once in your job **before** any cargo command:
```
- name: Update cargo config to use Git CLI
run: Set-Content -Path $env:USERPROFILE\.cargo\config.toml "[net]`ngit-fetch-with-cli = true"
```
This will configure Cargo to use the Git CLI as explained in the [Cargo's documentation](https://doc.rust-lang.org/cargo/reference/config.html#netgit-fetch-with-cli).
2. Alternatively you can set it to the environment variables for the entire workflow:
```
env:
CARGO_NET_GIT_FETCH_WITH_CLI: true
```
### Using Deploy Keys with Swift Package Manager
`xcodebuild` by default uses Xcode's built-in Git tooling. If you want to use GitHub Deploy Keys as supported by this action, however, that version of Git will lack the necessary URL remapping. In this case, pass `-scmProvider system` to the `xcodebuild` command, as mentioned in [Apple's documentation](https://developer.apple.com/documentation/swift_packages/building_swift_packages_or_apps_that_use_them_in_continuous_integration_workflows#3680255).
## What this Action *cannot* do for you ## What this Action *cannot* do for you
The following items are not issues, but beyond what this Action is supposed to do. The following items are not issues, but beyond what this Action is supposed to do.
@ -208,7 +100,7 @@ When using `ssh` to connect from the GitHub Action worker node to another machin
### Provide the SSH Key as a File ### Provide the SSH Key as a File
This Action is designed to pass the SSH key directly into `ssh-agent`; that is, the key is available in memory on the GitHub Action worker node, but never written to disk. As a consequence, you _cannot_ pass the key as a build argument or a mounted file into Docker containers that you build or run on the worker node. You _can_, however, mount the `ssh-agent` Unix socket into a Docker container that you _run_, set up the `SSH_AUTH_SOCK` env var and then use SSH from within the container (see https://github.com/webfactory/ssh-agent/issues/11). This Action is designed to pass the SSH key directly into `ssh-agent`; that is, the key is available in memory on the GitHub Action worker node, but never written to disk. As a consequence, you _cannot_ pass the key as a build argument or a mounted file into Docker containers that you build or run on the worker node. You _can_, however, mount the `ssh-agent` Unix socket into a Docker container that you _run_, set up the `SSH_AUTH_SOCK` env var and then use SSH from within the container (see #11).
### Run `ssh-keyscan` to Add Host Keys for Additional Hosts ### Run `ssh-keyscan` to Add Host Keys for Additional Hosts
@ -219,7 +111,7 @@ As a side note, using `ssh-keyscan` without proper key verification is susceptib
## Creating SSH Keys ## Creating SSH Keys
In order to create a new SSH key, run `ssh-keygen -t ed25519 -a 100 -f path/to/keyfile`, as suggested in [this blog post](https://stribika.github.io/2015/01/04/secure-secure-shell.html). In order to create a new SSH key, run `ssh-keygen -t ed25519 -a 100 -f path/to/keyfile`, as suggested in [this blog post](https://stribika.github.io/2015/01/04/secure-secure-shell.html).
If you need to work with some older server software and need RSA keys, try `ssh-keygen -t rsa -b 4096 -o -f path/to/keyfile` instead. If you need to work with some older server software and need RSA keys, tr `ssh-keygen -t rsa -b 4096 -o -f path/to/keyfile` instead.
Both commands will prompt you for a key passphrase and save the key in `path/to/keyfile`. Both commands will prompt you for a key passphrase and save the key in `path/to/keyfile`.
In general, having a passphrase is a good thing, since it will keep the key encrypted on your disk. When using the key with this action, however, you need to make sure you don't In general, having a passphrase is a good thing, since it will keep the key encrypted on your disk. When using the key with this action, however, you need to make sure you don't
@ -271,4 +163,4 @@ developer looking for new challenges, we'd like to hear from you!
- <https://www.webfactory.de> - <https://www.webfactory.de>
- <https://twitter.com/webfactory> - <https://twitter.com/webfactory>
Copyright 2019 2023 webfactory GmbH, Bonn. Code released under [the MIT license](LICENSE). Copyright 2019 2021 webfactory GmbH, Bonn. Code released under [the MIT license](LICENSE).

View file

@ -4,40 +4,12 @@ inputs:
ssh-private-key: ssh-private-key:
description: 'Private SSH key to register in the SSH agent' description: 'Private SSH key to register in the SSH agent'
required: true required: true
instance-urls:
description: |-
URL(s) of the Forgejo instance to use. Due to limitations with Forgejo Actions inputs, this is specified as a string.
You can specify multiple instance URLs by putting each one on a separate line.
```yaml
secrets: |-
forgejo.org
codeberg.org
```
required: false
default: 'forgejo.org'
ssh-auth-sock: ssh-auth-sock:
description: 'Where to place the SSH Agent auth socket' description: 'Where to place the SSH Agent auth socket'
log-public-key:
description: 'Whether or not to log public key fingerprints'
required: false
default: true
ssh-agent-cmd:
description: 'ssh-agent command'
required: false
ssh-add-cmd:
description: 'ssh-add command'
required: false
git-cmd:
description: 'git command'
required: false
runs: runs:
using: 'node20' using: 'node12'
main: 'dist/index.js' main: 'dist/index.js'
post: 'dist/cleanup.js' post: 'dist/cleanup.js'
post-if: 'always()'
branding: branding:
icon: loader icon: loader
color: 'yellow' color: 'yellow'

24
askpass.c Normal file
View file

@ -0,0 +1,24 @@
/*
ssh-add on Windows (probably part of the source at https://github.com/PowerShell/openssh-portable)
does not/can not read the passphrase from stdin.
However, when the DISPLAY env var is set and ssh-add is not run from a terminal (however it tests
that), it will run the executable pointed to by SSH_ASKPASS in a subprocess and read the passphrase
from that subprocess' stdout.
This program can be used as the SSH_ASKPASS implementation. It will return the passphrase set
in the SSH_PASS env variable.
To cross-compile from Ubuntu, I installed the `mingw-w64` package and ran
$ x86_64-w64-mingw32-gcc askpass.c -static -o askpass.exe
*/
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char** argv)
{
printf("%s\n", getenv("SSH_PASS"));
return 0;
}

BIN
askpass.exe Executable file

Binary file not shown.

View file

@ -1,11 +1,10 @@
const core = require('@actions/core'); const core = require('@actions/core')
const { execFileSync } = require('child_process'); const { execSync } = require('child_process')
const { sshAgentCmd } = require('./paths.js');
try { try {
// Kill the started SSH agent // Kill the started SSH agent
console.log('Stopping SSH agent'); console.log('Stopping SSH agent')
execFileSync(sshAgentCmd, ['-k'], { stdio: 'inherit' }); execSync('kill ${SSH_AGENT_PID}', { stdio: 'inherit' })
} catch (error) { } catch (error) {
console.log(error.message); console.log(error.message);
console.log('Error stopping the SSH agent, proceeding anyway'); console.log('Error stopping the SSH agent, proceeding anyway');

27473
dist/cleanup.js vendored

File diff suppressed because one or more lines are too long

27684
dist/index.js vendored

File diff suppressed because one or more lines are too long

187
index.js
View file

@ -1,21 +1,12 @@
const core = require('@actions/core'); const core = require('@actions/core');
const child_process = require('child_process'); const child_process = require('child_process');
const fs = require('fs'); const fs = require('fs');
const crypto = require('crypto'); const os = require('os');
const { homePath, sshAgentCmdDefault, sshAddCmdDefault, gitCmdDefault } = require('./paths.js'); const token = require('crypto').randomBytes(64).toString('hex');
const isWindows = (process.env['OS'] == 'Windows_NT');
try { try {
const privateKey = core.getInput('ssh-private-key'); const privateKey = core.getInput('ssh-private-key');
const instanceUrls = core.getInput('instance-urls', { required: true });
const logPublicKey = core.getBooleanInput('log-public-key', {default: true});
const sshAgentCmdInput = core.getInput('ssh-agent-cmd');
const sshAddCmdInput = core.getInput('ssh-add-cmd');
const gitCmdInput = core.getInput('git-cmd');
const sshAgentCmd = sshAgentCmdInput ? sshAgentCmdInput : sshAgentCmdDefault;
const sshAddCmd = sshAddCmdInput ? sshAddCmdInput : sshAddCmdDefault;
const gitCmd = gitCmdInput ? gitCmdInput : gitCmdDefault;
if (!privateKey) { if (!privateKey) {
core.setFailed("The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file."); core.setFailed("The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file.");
@ -23,80 +14,112 @@ try {
return; return;
} }
const homeSsh = homePath + '/.ssh'; var home;
fs.mkdirSync(homeSsh, { recursive: true });
console.log("Starting ssh-agent"); if (isWindows) {
console.log('Preparing ssh-agent service on Windows');
child_process.execSync('sc config ssh-agent start=demand', { stdio: 'inherit' });
const authSock = core.getInput('ssh-auth-sock'); // Work around https://github.com/PowerShell/openssh-portable/pull/447 by creating a \dev\tty file
const sshAgentArgs = (authSock && authSock.length > 0) ? ['-a', authSock] : []; /*fs.mkdirSync('c:\\dev');
fs.closeSync(fs.openSync('c:\\dev\\tty', 'a'));
fs.mkdirSync('d:\\dev');
fs.closeSync(fs.openSync('d:\\dev\\tty', 'a'));*/
// Extract auth socket path and agent pid and set them as job variables home = os.homedir();
child_process.execFileSync(sshAgentCmd, sshAgentArgs).toString().split("\n").forEach(function(line) { } else {
const matches = /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=(.*); export \1/.exec(line); // Use getent() system call, since this is what ssh does; makes a difference in Docker-based
// Action runs, where $HOME is different from the pwent
if (matches && matches.length > 0) { var { homedir: home } = os.userInfo();
// This will also set process.env accordingly, so changes take effect for this script
core.exportVariable(matches[1], matches[2])
console.log(`${matches[1]}=${matches[2]}`);
}
});
console.log("Adding private key(s) to agent");
privateKey.split(/(?=-----BEGIN)/).forEach(function(key) {
child_process.execFileSync(sshAddCmd, ['-'], { input: key.trim() + "\n" });
});
console.log("Key(s) added:");
child_process.execFileSync(sshAddCmd, ['-l'], { stdio: 'inherit' });
console.log('Configuring deployment key(s)');
const instanceUrlsArray = instanceUrls.split(/\r?\n/);
instanceUrlsArray.forEach(instanceUrl => {
const urlPattern = new RegExp(`\\b${instanceUrl.replace(/\./g, '\\.')}[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)`, 'i');
child_process.execFileSync(sshAddCmd, ['-L']).toString().trim().split(/\r?\n/).forEach(function(key) {
const parts = key.match(urlPattern);
if (!parts) {
if (logPublicKey) {
console.log(`Comment for (public) key '${key}' does not match ${instanceUrl} URL pattern. Not treating it as a deploy key for ${instanceUrl}.`);
}
return;
}
const sha256 = crypto.createHash('sha256').update(key).digest('hex');
const ownerAndRepo = parts[1].replace(/\.git$/, '');
fs.writeFileSync(`${homeSsh}/key-${sha256}`, key + "\n", { mode: '600' });
const keyHostname = `key-${sha256}.${instanceUrl}`;
child_process.execSync(`${gitCmd} config --global --replace-all url."git@${keyHostname}:${ownerAndRepo}".insteadOf "https://${instanceUrl}/${ownerAndRepo}"`);
child_process.execSync(`${gitCmd} config --global --add url."git@${keyHostname}:${ownerAndRepo}".insteadOf "git@${instanceUrl}:${ownerAndRepo}"`);
child_process.execSync(`${gitCmd} config --global --add url."git@${keyHostname}:${ownerAndRepo}".insteadOf "ssh://git@${instanceUrl}/${ownerAndRepo}"`);
const sshConfig = `\nHost ${keyHostname}\n`
+ ` HostName ${instanceUrl}\n`
+ ` IdentityFile ${homeSsh}/key-${sha256}\n`
+ ` IdentitiesOnly yes\n`;
fs.appendFileSync(`${homeSsh}/config`, sshConfig);
console.log(`Added deploy-key mapping: Use identity '${homeSsh}/key-${sha256}' for ${instanceUrl} repository ${ownerAndRepo}`);
});
});
} catch (error) {
if (error.code == 'ENOENT') {
console.log(`The '${error.path}' executable could not be found. Please make sure it is on your PATH and/or the necessary packages are installed.`);
console.log(`PATH is set to: ${process.env.PATH}`);
} }
const homeSsh = home + '/.ssh';
console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`);
fs.mkdirSync(homeSsh, { recursive: true });
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n');
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-dss AAAAB3NzaC1kc3MAAACBANGFW2P9xlGU3zWrymJgI/lKo//ZW2WfVtmbsUZJ5uyKArtlQOT2+WRhcg4979aFxgKdcsqAYW3/LS1T2km3jYW/vr4Uzn+dXWODVk5VlUiZ1HFOHf6s6ITcZvjvdbp6ZbpM+DuJT7Bw+h5Fx8Qt8I16oCZYmAPJRtu46o9C2zk1AAAAFQC4gdFGcSbp5Gr0Wd5Ay/jtcldMewAAAIATTgn4sY4Nem/FQE+XJlyUQptPWMem5fwOcWtSXiTKaaN0lkk2p2snz+EJvAGXGq9dTSWHyLJSM2W6ZdQDqWJ1k+cL8CARAqL+UMwF84CR0m3hj+wtVGD/J4G5kW2DBAf4/bqzP4469lT+dF2FRQ2L9JKXrCWcnhMtJUvua8dvnwAAAIB6C4nQfAA7x8oLta6tT+oCk2WQcydNsyugE8vLrHlogoWEicla6cWPk7oXSspbzUcfkjN3Qa6e74PhRkc7JdSdAlFzU3m7LMkXo1MHgkqNX8glxWNVqBSc0YRdbFdTkL0C6gtpklilhvuHQCdbgB3LBAikcRkDp+FCVkUgPC/7Rw==\n');
console.log("Starting ssh-agent");
const authSock = core.getInput('ssh-auth-sock');
let sshAgentOutput = ''
if (authSock && authSock.length > 0) {
sshAgentOutput = child_process.execFileSync('ssh-agent', ['-a', authSock]);
} else {
sshAgentOutput = child_process.execFileSync('ssh-agent')
}
// Extract auth socket path and agent pid and set them as job variables
const lines = sshAgentOutput.toString().split("\n")
for (const lineNumber in lines) {
const matches = /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=(.*); export \1/.exec(lines[lineNumber])
if (matches && matches.length > 0) {
core.exportVariable(matches[1], matches[2])
}
}
console.log("Adding private keys to agent");
var keyNumber = 0;
privateKey.split(/(?=-----BEGIN)/).forEach(function(key) {
++keyNumber;
let keyFile = `${homeSsh}/key_${keyNumber}`;
// Write private key (unencrypted!) to file
console.log(`Write file ${keyFile}`);
fs.writeFileSync(keyFile, key.replace("\r\n", "\n").trim() + "\n", { mode: '600' });
// Set private key passphrase
let output = '';
try {
console.log(`Set passphrase on ${keyFile}`);
output = child_process.execFileSync('ssh-keygen', ['-p', '-f', keyFile, '-N', token]);
} catch (exception) {
fs.unlinkSync(keyFile);
throw exception;
}
// Load key into agent
if (isWindows) {
child_process.execFileSync('ssh-add', [keyFile], { env: { ...process.env, ...{ 'DISPLAY': 'fake', 'SSH_PASS': token, 'SSH_ASKPASS': 'D:\\a\\ssh-agent\\ssh-agent\\askpass.exe' } } });
} else {
child_process.execFileSync('ssh-add', [keyFile], { env: process.env, input: token });
}
output.toString().split(/\r?\n/).forEach(function(key) {
let parts = key.match(/^Key has comment '.*\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+?)(?=\.git|\s|\')/);
if (parts == null) {
return;
}
let ownerAndRepo = parts[1];
child_process.execSync(`git config --global --replace-all url."git@key-${keyNumber}:${ownerAndRepo}".insteadOf "https://github.com/${ownerAndRepo}"`);
child_process.execSync(`git config --global --add url."git@key-${keyNumber}:${ownerAndRepo}".insteadOf "git@github.com:${ownerAndRepo}"`);
child_process.execSync(`git config --global --add url."git@key-${keyNumber}:${ownerAndRepo}".insteadOf "ssh://git@github.com/${ownerAndRepo}"`);
// On Linux and OS X, IdentitiesOnly=no will send all keys from agent before the explicit key, so use "yes".
// On Windows, IdentitiesOnly=yes will ignore keys from the agent, but send explicit keys first; so use "no" (https://github.com/PowerShell/Win32-OpenSSH/issues/1550)
//let identitiesOnly = isWindows ? 'no' : 'yes';
let sshConfig = `\nHost key-${keyNumber}\n`
+ ` HostName github.com\n`
+ ` User git\n`
+ ` IdentitiesOnly yes\n`
+ ` AddKeysToAgent yes\n`
+ ` IdentityFile ${keyFile}\n`;
fs.appendFileSync(`${homeSsh}/config`, sshConfig);
console.log(`Added deploy-key mapping: Use key #${keyNumber} for GitHub repository ${ownerAndRepo}`);
});
});
console.log("Keys added:");
child_process.execSync('ssh-add -l', { stdio: 'inherit' });
} catch (error) {
core.setFailed(error.message); core.setFailed(error.message);
} }

View file

@ -1,14 +1,14 @@
{ {
"name": "webfactory-action-ssh-agent", "name": "webfactory-action-ssh-agent",
"repository": "git@www.coastalcommits.com:actions/ssh-agent.git", "repository": "git@github.com:webfactory/ssh-agent.git",
"description": "GitHub Action to set up ssh-agent with a private SSH key", "description": "GitHub Action to set up ssh-agent with a private SSH key",
"version": "0.7.0", "version": "0.1.0",
"main": "index.js", "main": "index.js",
"author": "webfactory GmbH <info@webfactory.de>", "author": "webfactory GmbH <info@webfactory.de>",
"license": "MIT", "license": "MIT",
"devDependencies": { "devDependencies": {
"@actions/core": "^1.9.1", "@actions/core": "^1.2.4",
"@vercel/ncc": "^0.38.2" "@zeit/ncc": "^0.20.5"
}, },
"scripts": { "scripts": {
"build": "node scripts/build.js" "build": "node scripts/build.js"

View file

@ -1,16 +0,0 @@
const os = require('os');
module.exports = (process.env['OS'] != 'Windows_NT') ? {
// Use getent() system call, since this is what ssh does; makes a difference in Docker-based
// Action runs, where $HOME is different from the pwent
homePath: os.userInfo().homedir,
sshAgentCmdDefault: 'ssh-agent',
sshAddCmdDefault: 'ssh-add',
gitCmdDefault: 'git'
} : {
// Assuming GitHub hosted `windows-*` runners for now
homePath: os.homedir(),
sshAgentCmdDefault: 'c://progra~1//git//usr//bin//ssh-agent.exe',
sshAddCmdDefault: 'c://progra~1//git//usr//bin//ssh-add.exe',
gitCmdDefault: 'c://progra~1//git//bin//git.exe'
};

View file

@ -2,52 +2,12 @@
# yarn lockfile v1 # yarn lockfile v1
"@actions/core@^1.9.1": "@actions/core@^1.2.4":
version "1.11.1" version "1.2.6"
resolved "https://registry.yarnpkg.com/@actions/core/-/core-1.11.1.tgz#ae683aac5112438021588030efb53b1adb86f172" resolved "https://registry.yarnpkg.com/@actions/core/-/core-1.2.6.tgz#a78d49f41a4def18e88ce47c2cac615d5694bf09"
integrity sha512-hXJCSrkwfA46Vd9Z3q4cpEpHB1rL5NG04+/rbqW9d3+CSvtB1tYe8UTpAlixa1vj0m/ULglfEK2UKxMGxCxv5A== integrity sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==
dependencies:
"@actions/exec" "^1.1.1"
"@actions/http-client" "^2.0.1"
"@actions/exec@^1.1.1": "@zeit/ncc@^0.20.5":
version "1.1.1" version "0.20.5"
resolved "https://registry.yarnpkg.com/@actions/exec/-/exec-1.1.1.tgz#2e43f28c54022537172819a7cf886c844221a611" resolved "https://registry.yarnpkg.com/@zeit/ncc/-/ncc-0.20.5.tgz#a41af6e6bcab4a58f4612bae6137f70bce0192e3"
integrity sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w== integrity sha512-XU6uzwvv95DqxciQx+aOLhbyBx/13ky+RK1y88Age9Du3BlA4mMPCy13BGjayOrrumOzlq1XV3SD/BWiZENXlw==
dependencies:
"@actions/io" "^1.0.1"
"@actions/http-client@^2.0.1":
version "2.2.3"
resolved "https://registry.yarnpkg.com/@actions/http-client/-/http-client-2.2.3.tgz#31fc0b25c0e665754ed39a9f19a8611fc6dab674"
integrity sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==
dependencies:
tunnel "^0.0.6"
undici "^5.25.4"
"@actions/io@^1.0.1":
version "1.1.3"
resolved "https://registry.yarnpkg.com/@actions/io/-/io-1.1.3.tgz#4cdb6254da7962b07473ff5c335f3da485d94d71"
integrity sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==
"@fastify/busboy@^2.0.0":
version "2.1.1"
resolved "https://registry.yarnpkg.com/@fastify/busboy/-/busboy-2.1.1.tgz#b9da6a878a371829a0502c9b6c1c143ef6663f4d"
integrity sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==
"@vercel/ncc@^0.38.2":
version "0.38.2"
resolved "https://registry.yarnpkg.com/@vercel/ncc/-/ncc-0.38.2.tgz#d35c3a74c671699ccf316f74bf0ecab6b60e312b"
integrity sha512-3yel3jaxUg9pHBv4+KeC9qlbdZPug+UMtUOlhvpDYCMSgcNSrS2Hv1LoqMsOV7hf2lYscx+BESfJOIla1WsmMQ==
tunnel@^0.0.6:
version "0.0.6"
resolved "https://registry.yarnpkg.com/tunnel/-/tunnel-0.0.6.tgz#72f1314b34a5b192db012324df2cc587ca47f92c"
integrity sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==
undici@^5.25.4:
version "5.28.4"
resolved "https://registry.yarnpkg.com/undici/-/undici-5.28.4.tgz#6b280408edb6a1a604a9b20340f45b422e373068"
integrity sha512-72RFADWFqKmUb2hmmvNODKL3p9hcB6Gt2DOQMis1SEBaV6a4MH8soBvzg+95CYhCKPFedut2JY9bMfrDl9D23g==
dependencies:
"@fastify/busboy" "^2.0.0"