#!/usr/bin/env bash function SetupSshAgent() { # Check to see if a SSH_KEY_SECRET was passed if [ -n "${SSH_KEY:-}" ]; then info "--------------------------------------------" info "SSH key found, setting up agent..." export SSH_AUTH_SOCK=/tmp/ssh_agent.sock ssh-agent -a "${SSH_AUTH_SOCK}" >/dev/null ssh-add - <<<"${SSH_KEY}" 2>/dev/null fi } function GetGitHubSshRsaKeyFingerprint() { local GET_SSH_RSA_KEY_FINGERPRINT_CMD if ! GET_SSH_RSA_KEY_FINGERPRINT_CMD=$( curl -f -s --show-error -X GET \ --url "${GITHUB_META_URL}" \ -H 'Accept: application/vnd.github.v3+json' \ -H "Authorization: Bearer ${GITHUB_TOKEN}" \ -H "X-GitHub-Api-Version: 2022-11-28" 2>&1 ); then fatal "Failed to get GitHub RSA key fingerprint from ${GITHUB_META_URL}: ${GET_SSH_RSA_KEY_FINGERPRINT_CMD}" fi local SSH_RSA_KEY_FINGERPRINT SSH_RSA_KEY_FINGERPRINT="SHA256:$(jq -r '.ssh_key_fingerprints.SHA256_RSA' <<<"${GET_SSH_RSA_KEY_FINGERPRINT_CMD}")" echo "${SSH_RSA_KEY_FINGERPRINT}" } export -f GetGitHubSshRsaKeyFingerprint function SetupGithubComSshKeys() { if [[ -n "${SSH_KEY:-}" || "${SSH_SETUP_GITHUB}" == "true" ]]; then info "Adding ${GITHUB_DOMAIN} SSH keys" # Fetched out of band from # https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints GITHUB_RSA_FINGERPRINT="$(GetGitHubSshRsaKeyFingerprint)" debug "${GITHUB_DOMAIN} key RSA key fingerprint: ${GITHUB_RSA_FINGERPRINT}" ssh-keyscan -t rsa "${GITHUB_DOMAIN}" >/tmp/github.pub 2>/dev/null if [[ "${SSH_INSECURE_NO_VERIFY_GITHUB_KEY}" == "true" ]]; then warn "Skipping ${GITHUB_DOMAIN} key verification and adding without checking fingerprint" mkdir -p ~/.ssh cat /tmp/github.pub >>~/.ssh/known_hosts elif [[ "$(ssh-keygen -lf /tmp/github.pub)" == "3072 ${GITHUB_RSA_FINGERPRINT} ${GITHUB_DOMAIN} (RSA)" ]]; then info "Successfully verified ${GITHUB_DOMAIN} key" mkdir -p ~/.ssh cat /tmp/github.pub >>~/.ssh/known_hosts else error "Could not verify ${GITHUB_DOMAIN} key. SSH requests to ${GITHUB_DOMAIN} will likely fail." fi fi }