Windows virtual environment: Use SSH binaries from the Git suite (#63)

* Use SSH binaries from the Git suite

* Try to kill the ssh-agent upon action termination on Windows as well

.github/workflows/demo.yml

@@ -1,31 +1,46 @@
-on: [push, pull_request]
+on: [ push, pull_request ]
 
 jobs:
-    single_key_demo:
+    deployment_keys_demo:
         strategy:
+            fail-fast: false
             matrix:
-                os: [ubuntu-latest, macOS-latest]
+                os: [ ubuntu-latest, macOS-latest, windows-latest ]
         runs-on: ${{ matrix.os }}
         steps:
-            - uses: actions/checkout@v1
-            - name: Setup key
-              uses: ./
-              with:
-                  ssh-private-key: |
-                    ${{ secrets.DEMO_KEY }}
-                    ${{ secrets.DEMO_KEY_2 }}
+            -   uses: actions/checkout@v2
+            -   name: Setup key
+                uses: ./
+                with:
+                    ssh-private-key: |
+                        ${{ secrets.MPDUDE_TEST_1_DEPLOY_KEY }}
+                        ${{ secrets.MPDUDE_TEST_2_DEPLOY_KEY }}
+            -   run: |
+                    git clone https://github.com/mpdude/test-1.git test-1-http
+                    git clone git@github.com:mpdude/test-1.git test-1-git
+                    git clone ssh://git@github.com/mpdude/test-1.git test-1-git-ssh
+                    git clone https://github.com/mpdude/test-2.git test-2-http
+                    git clone git@github.com:mpdude/test-2.git test-2-git
+                    git clone ssh://git@github.com/mpdude/test-2.git test-2-git-ssh
 
-    multiple_keys_demo:
-        strategy:
-            matrix:
-                os: [ubuntu-latest, macOS-latest]
-        runs-on: ${{ matrix.os }}
+    docker_demo:
+        runs-on: ubuntu-latest
+        container:
+            image: ubuntu:latest
         steps:
-            - uses: actions/checkout@v1
-            - name: Setup key
-              uses: ./
-              with:
-                  ssh-private-key: ${{ secrets.DEMO_KEY }}
-              
-              
+            -   uses: actions/checkout@v2
+            -   run: apt update && apt install -y openssh-client git
+            -   name: Setup key
+                uses: ./
+                with:
+                    ssh-private-key: |
+                        ${{ secrets.MPDUDE_TEST_1_DEPLOY_KEY }}
+                        ${{ secrets.MPDUDE_TEST_2_DEPLOY_KEY }}
+            -   run: |
+                    git clone https://github.com/mpdude/test-1.git test-1-http
+                    git clone git@github.com:mpdude/test-1.git test-1-git
+                    git clone ssh://git@github.com/mpdude/test-1.git test-1-git-ssh
+                    git clone https://github.com/mpdude/test-2.git test-2-http
+                    git clone git@github.com:mpdude/test-2.git test-2-git
+                    git clone ssh://git@github.com/mpdude/test-2.git test-2-git-ssh
 

CHANGELOG.md

@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## v0.4.1 [2020-10-07]
+
+### Fixed
+
+* This action no longer relies on `set-env`, which has been deprecated.
+
 ## v0.4.0
 
 ### Changed

README.md

@@ -3,9 +3,15 @@
 This action 
 * starts the `ssh-agent`, 
 * exports the `SSH_AUTH_SOCK` environment variable, 
-* loads a private SSH key into the agent and
+* loads one or several private SSH key into the agent and
 * configures `known_hosts` for GitHub.com.
 
+It should work in all GitHub Actions virtual environments, including container-based workflows. 
+
+Windows and Docker support is, however, somewhat new. Since we have little feedback from the field, things might not run so smooth for you as we'd hope. If Windows and/or Docker-based workflows work well for you, leave a :+1: at https://github.com/webfactory/ssh-agent/pull/17.
+
+Also, using multiple GitHub deployment keys is supported; keys are mapped to repositories by using SSH key comments (see below).
+
 ## Why?
 
 When running a GitHub Action workflow to stage your project, run tests or build images, you might need to fetch additional libraries or _vendors_ from private repositories.
@@ -18,7 +24,7 @@ GitHub Actions only have access to the repository they run for. So, in order to
 2. Make sure you don't have a passphrase set on the private key.
 3. In your repository, go to the *Settings > Secrets* menu and create a new secret. In this example, we'll call it `SSH_PRIVATE_KEY`. Put the contents of the *private* SSH key file into the contents field. <br>
   This key should start with `-----BEGIN ... PRIVATE KEY-----`, consist of many lines and ends with `-----END ... PRIVATE KEY-----`. 
-4. In your workflow definition file, add the following step. Preferably this would be rather on top, near the `actions/checkout@v1` line.
+4. In your workflow definition file, add the following step. Preferably this would be rather on top, near the `actions/checkout@v2` line.
 
 ```yaml
 # .github/workflows/my-workflow.yml
@@ -26,17 +32,17 @@ jobs:
     my_job:
         ...
         steps:
-            - actions/checkout@v1
-            # Make sure the @v0.4.1 matches the current version of the
+            - actions/checkout@v2
+            # Make sure the @v0.5.1 matches the current version of the
             # action 
-            - uses: webfactory/ssh-agent@v0.4.1
+            - uses: webfactory/ssh-agent@v0.5.1
               with:
                   ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
             - ... other steps
 ```
 5. If, for some reason, you need to change the location of the SSH agent socket, you can use the `ssh-auth-sock` input to provide a path.
 
-### Using multiple keys
+### Using Multiple Keys
 
 There are cases where you might need to use multiple keys. For example, "[deploy keys](https://docs.github.com/en/developers/overview/managing-deploy-keys#deploy-keys)" might be limited to a single repository, so you'll need several of them.
 
@@ -44,7 +50,7 @@ You can set up different keys as different secrets and pass them all to the acti
 
 ```yaml
 # ... contens as before
-            - uses: webfactory/ssh-agent@v0.4.1
+            - uses: webfactory/ssh-agent@v0.5.1
               with:
                   ssh-private-key: |
                         ${{ secrets.FIRST_KEY }}
@@ -54,53 +60,91 @@ You can set up different keys as different secrets and pass them all to the acti
 
 The `ssh-agent` will load all of the keys and try each one in order when establishing SSH connections.
 
-There's one **caveat**, though: SSH servers may abort the connection attempt after a number of mismatching keys have been presented. So if, for example, you have
-six different keys loaded into the `ssh-agent`, but the server aborts after five unknown keys, the last key (which might be the right one) will never even be tried. 
+There's one **caveat**, though: SSH servers may abort the connection attempt after a number of mismatching keys have been presented. So if, for example, you have six different keys loaded into the `ssh-agent`, but the server aborts after five unknown keys, the last key (which might be the right one) will never even be tried. But when you're using GitHub Deploy Keys, read on!
 
-Also, when using **Github deploy keys**, GitHub servers will accept the first known key. But since deploy keys are scoped to a single repository, you might get the error message `fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.` if the wrong key/repository combination is tried.
+### Support for GitHub Deploy Keys
 
-In both cases, you might want to [try a wrapper script around `ssh`](https://gist.github.com/mpdude/e56fcae5bc541b95187fa764aafb5e6d) that can pick the right key, based on key comments. See [our blog post](https://www.webfactory.de/blog/using-multiple-ssh-deploy-keys-with-github) for the full story.
+When using **Github deploy keys**, GitHub servers will accept the _first_ known key. But since deploy keys are scoped to a single repository, this might not be the key needed to access a particular repository. Thus, you will get the error message `fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.` if the wrong key/repository combination is tried.
+
+To support picking the right key in this use case, this action scans _key comments_ and will set up extra Git and SSH configuration to make things work.
+
+1. When creating the deploy key for a repository like `git@github.com:owner/repo.git` or `https://github.com/owner/repo`, put that URL into the key comment.
+2. After keys have been added to the agent, this action will scan the key comments. 
+3. For key comments containing such URLs, a Git config setting is written that uses [`url.<base>.insteadof`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-urlltbasegtinsteadOf). It will redirect `git` requests to URLs starting with either `https://github.com/owner/repo` or `git@github.com:owner/repo` to a fake hostname/URL like `git@...some.hash...:owner/repo`.
+4. An SSH configuration section is generated that applies to the fake hostname. It will map the SSH connection back to `github.com`, while at the same time pointing SSH to a file containing the appropriate key's public part. That will make SSH use the right key when connecting to GitHub.com.
 
 ## Exported variables
 The action exports the `SSH_AUTH_SOCK` and `SSH_AGENT_PID` environment variables through the Github Actions core module.
 The `$SSH_AUTH_SOCK` is used by several applications like git or rsync to connect to the SSH authentication agent.
 The `$SSH_AGENT_PID` contains the process id of the agent. This is used to kill the agent in post job action.
 
-## Known issues and limitations
+## Known Issues and Limitations
 
-### Currently OS X and Linux only
-
-This action has not been tested for the Windows virtual environment. If you can provide the steps necessary to setup (even install?) OpenSSH on the Windows machine, please open an issue. 
-
-### Works for the current job only
+### Works for the Current Job Only
 
 Since each job [runs in a fresh instance](https://help.github.com/en/articles/about-github-actions#job) of the virtual environment, the SSH key will only be available in the job where this action has been referenced. You can, of course, add the action in multiple jobs or even workflows. All instances can use the same `SSH_PRIVATE_KEY` secret.
 
-### SSH private key format
+### SSH Private Key Format
 
 If the private key is not in the `PEM` format, you will see an `Error loading key "(stdin)": invalid format` message.
 
 Use `ssh-keygen -p -f path/to/your/key -m pem` to convert your key file to `PEM`, but be sure to make a backup of the file first 😉.
 
+## Additional Information for Particular Tools or Platforms
+
+If you know that your favorite tool or platform of choice requires extra tweaks or has some caveats when running with SSH, feel free to open a PR to amend this section here.
+
+### Container-based Workflows
+
+If you are using this action on container-based workflows, make sure the container has the necessary SSH binaries or package(s) installed.
+
+### Cargo's (Rust) Private Dependencies on Windows
+
+If you are using private repositories in your dependencies like this:
+
+```
+stuff = { git = "ssh://git@github.com/myorg/stuff.git", branch = "main" }
+```
+
+... you will need to change a configuration in the workflow for Windows machines in order to make cargo able to clone private repositories.
+
+There are 2 ways you can achieve this:
+
+1. Add this step once in your job **before** any cargo command:
+
+```
+      - name: Update cargo config to use Git CLI
+        run: Set-Content -Path $env:USERPROFILE\.cargo\config.toml "[net]`ngit-fetch-with-cli = true"
+```
+
+This will configure Cargo to use the Git CLI as explained in the [Cargo's documentation](https://doc.rust-lang.org/cargo/reference/config.html#netgit-fetch-with-cli).
+
+2. Alternatively you can set it to the environment variables for the entire workflow:
+
+```
+env:
+  CARGO_NET_GIT_FETCH_WITH_CLI: true
+```
+
 ## What this Action *cannot* do for you
 
 The following items are not issues, but beyond what this Action is supposed to do.
 
-### Work on remote machines
+### Work on Remote Machines
 
 When using `ssh` to connect from the GitHub Action worker node to another machine, you *can* forward the SSH Agent socket and use your private key on the other (remote) machine. However, this Action will not configure `known_hosts` or other SSH settings on the remote machine for you.
 
-### Provide the SSH key as a file
+### Provide the SSH Key as a File
 
 This Action is designed to pass the SSH key directly into `ssh-agent`; that is, the key is available in memory on the GitHub Action worker node, but never written to disk. As a consequence, you _cannot_ pass the key as a build argument or a mounted file into Docker containers that you build or run on the worker node. You _can_, however, mount the `ssh-agent` Unix socket into a Docker container that you _run_, set up the `SSH_AUTH_SOCK` env var and then use SSH from within the container (see #11).
 
-### Run `ssh-keyscan` to add host keys for additional hosts
+### Run `ssh-keyscan` to Add Host Keys for Additional Hosts
 
 If you want to use `ssh-keyscan` to add additional hosts (that you own/know) to the `known_hosts` file, you can do so with a single shell line in your Action definition. You don't really need this Action to do this for you.
 
 As a side note, using `ssh-keyscan` without proper key verification is susceptible to man-in-the-middle attacks. You might prefer putting your _known_ SSH host key in your own Action files to add it to the `known_hosts` file. The SSH host key is not secret and can safely be committed into the repo. 
 
-## Creating SSH keys
+## Creating SSH Keys
 
 In order to create a new SSH key, run `ssh-keygen -t ed25519 -a 100 -f path/to/keyfile`, as suggested in [this blog post](https://stribika.github.io/2015/01/04/secure-secure-shell.html). 
 If you need to work with some older server software and need RSA keys, tr `ssh-keygen -t rsa -b 4096 -o -f path/to/keyfile` instead.
@@ -109,7 +153,7 @@ Both commands will prompt you for a key passphrase and save the key in `path/to/
 In general, having a passphrase is a good thing, since it will keep the key encrypted on your disk. When using the key with this action, however, you need to make sure you don't 
 specify a passphrase: The key must be usable without reading the passphrase from input. Since the key itself is stored using GitHub's "Secret" feature, it should be fairly safe anyway.
 
-## Authorizing a key
+## Authorizing a Key
 
 To actually grant the SSH key access, you can – on GitHub – use at least two ways:
 
@@ -124,7 +168,24 @@ As a note to my future self, in order to work on this repo:
 * Clone it
 * Run `yarn install` to fetch dependencies
 * _hack hack hack_
-* `node index.js`. Inputs are passed through `INPUT_` env vars with their names uppercased. Use `env "INPUT_SSH-PRIVATE-KEY=\`cat file\`" node index.js` for this action.
+* `node index.js`. Inputs are passed through `INPUT_` env vars with their names uppercased.
+
+  On *nix use:
+  ```bash
+  env "INPUT_SSH-PRIVATE-KEY=\`cat file\`" node index.js
+  ```
+
+  On Windows (cmd):
+  ```cmd
+  set /P INPUT_SSH-PRIVATE-KEY=< file
+  node index.js
+  ```
+
+  On Windows (PowerShell):
+  ```ps
+  ${env:INPUT_SSH-PRIVATE-KEY} = (Get-Content .\test-keys -Raw); node index.js
+  node index.js
+  ```
 * Run `npm run build` to update `dist/*`, which holds the files actually run
 * Read https://help.github.com/en/articles/creating-a-javascript-action if unsure.
 * Maybe update the README example when publishing a new version.
@@ -138,4 +199,4 @@ developer looking for new challenges, we'd like to hear from you!
 - <https://www.webfactory.de>
 - <https://twitter.com/webfactory>
 
-Copyright 2019 – 2020 webfactory GmbH, Bonn. Code released under [the MIT license](LICENSE).
+Copyright 2019 – 2021 webfactory GmbH, Bonn. Code released under [the MIT license](LICENSE).

cleanup.js

@@ -1,10 +1,12 @@
-const core = require('@actions/core')
-const { execSync } = require('child_process')
+const core = require('@actions/core');
+const { execSync } = require('child_process');
+const { sshAgent } = require('./paths.js');
 
 try {
     // Kill the started SSH agent
-    console.log('Stopping SSH agent')
-    execSync('kill ${SSH_AGENT_PID}', { stdio: 'inherit' })
+    console.log('Stopping SSH agent');
+    execSync(sshAgent, ['-k'], { stdio: 'inherit' });
+
 } catch (error) {
     console.log(error.message);
     console.log('Error stopping the SSH agent, proceeding anyway');

dist/cleanup.js

@@ -122,13 +122,15 @@ module.exports = require("child_process");
 /***/ 175:
 /***/ (function(__unusedmodule, __unusedexports, __webpack_require__) {
 
-const core = __webpack_require__(470)
-const { execSync } = __webpack_require__(129)
+const core = __webpack_require__(470);
+const { execSync } = __webpack_require__(129);
+const { sshAgent } = __webpack_require__(972);
 
 try {
     // Kill the started SSH agent
-    console.log('Stopping SSH agent')
-    execSync('kill ${SSH_AGENT_PID}', { stdio: 'inherit' })
+    console.log('Stopping SSH agent');
+    execSync(sshAgent, ['-k'], { stdio: 'inherit' });
+
 } catch (error) {
     console.log(error.message);
     console.log('Error stopping the SSH agent, proceeding anyway');
@@ -480,6 +482,31 @@ module.exports = require("path");
 
 module.exports = require("fs");
 
+/***/ }),
+
+/***/ 972:
+/***/ (function(module, __unusedexports, __webpack_require__) {
+
+const os = __webpack_require__(87);
+
+module.exports = (process.env['OS'] != 'Windows_NT') ? {
+
+    // Use getent() system call, since this is what ssh does; makes a difference in Docker-based
+    // Action runs, where $HOME is different from the pwent
+    home: os.userInfo().homedir,
+    sshAgent: 'ssh-agent',
+    sshAdd: 'ssh-add'
+
+} : {
+
+    home: os.homedir(),
+    sshAgent: 'c://progra~1//git//usr//bin//ssh-agent.exe',
+    sshAdd: 'c://progra~1//git//usr//bin//ssh-add.exe'
+
+};
+
+
+
 /***/ })
 
 /******/ });

dist/index.js

@@ -118,12 +118,10 @@ exports.issueCommand = issueCommand;
 const core = __webpack_require__(470);
 const child_process = __webpack_require__(129);
 const fs = __webpack_require__(747);
+const crypto = __webpack_require__(417);
+const { home, sshAgent, sshAdd } = __webpack_require__(972);
 
 try {
-
-    const home = process.env['HOME'];
-    const homeSsh = home + '/.ssh';
-
     const privateKey = core.getInput('ssh-private-key');
 
     if (!privateKey) {
@@ -132,38 +130,75 @@ try {
         return;
     }
 
+    const homeSsh = home + '/.ssh';
+
     console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`);
+
     fs.mkdirSync(homeSsh, { recursive: true });
     fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n');
     fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-dss AAAAB3NzaC1kc3MAAACBANGFW2P9xlGU3zWrymJgI/lKo//ZW2WfVtmbsUZJ5uyKArtlQOT2+WRhcg4979aFxgKdcsqAYW3/LS1T2km3jYW/vr4Uzn+dXWODVk5VlUiZ1HFOHf6s6ITcZvjvdbp6ZbpM+DuJT7Bw+h5Fx8Qt8I16oCZYmAPJRtu46o9C2zk1AAAAFQC4gdFGcSbp5Gr0Wd5Ay/jtcldMewAAAIATTgn4sY4Nem/FQE+XJlyUQptPWMem5fwOcWtSXiTKaaN0lkk2p2snz+EJvAGXGq9dTSWHyLJSM2W6ZdQDqWJ1k+cL8CARAqL+UMwF84CR0m3hj+wtVGD/J4G5kW2DBAf4/bqzP4469lT+dF2FRQ2L9JKXrCWcnhMtJUvua8dvnwAAAIB6C4nQfAA7x8oLta6tT+oCk2WQcydNsyugE8vLrHlogoWEicla6cWPk7oXSspbzUcfkjN3Qa6e74PhRkc7JdSdAlFzU3m7LMkXo1MHgkqNX8glxWNVqBSc0YRdbFdTkL0C6gtpklilhvuHQCdbgB3LBAikcRkDp+FCVkUgPC/7Rw==\n');
 
     console.log("Starting ssh-agent");
+
     const authSock = core.getInput('ssh-auth-sock');
-    let sshAgentOutput = ''
-    if (authSock && authSock.length > 0) {
-        sshAgentOutput = child_process.execFileSync('ssh-agent', ['-a', authSock]);
-    } else {
-        sshAgentOutput = child_process.execFileSync('ssh-agent')
-    }
+    const sshAgentArgs = (authSock && authSock.length > 0) ? ['-a', authSock] : [];
 
     // Extract auth socket path and agent pid and set them as job variables
-    const lines = sshAgentOutput.toString().split("\n")
-    for (const lineNumber in lines) {
-        const matches = /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=(.*); export \1/.exec(lines[lineNumber])
-        if (matches && matches.length > 0) {
-            core.exportVariable(matches[1], matches[2])
-        }
-    }
+    child_process.execFileSync(sshAgent, sshAgentArgs).toString().split("\n").forEach(function(line) {
+        const matches = /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=(.*); export \1/.exec(line);
 
-    console.log("Adding private key to agent");
-    privateKey.split(/(?=-----BEGIN)/).forEach(function(key) {
-        child_process.execSync('ssh-add -', { input: key.trim() + "\n" });
+        if (matches && matches.length > 0) {
+            // This will also set process.env accordingly, so changes take effect for this script
+            core.exportVariable(matches[1], matches[2])
+            console.log(`${matches[1]}=${matches[2]}`);
+        }
     });
 
-    console.log("Keys added:");
-    child_process.execSync('ssh-add -l', { stdio: 'inherit' });
+    console.log("Adding private key(s) to agent");
+
+    privateKey.split(/(?=-----BEGIN)/).forEach(function(key) {
+        child_process.execFileSync(sshAdd, ['-'], { input: key.trim() + "\n" });
+    });
+
+    console.log("Key(s) added:");
+
+    child_process.execFileSync(sshAdd, ['-l'], { stdio: 'inherit' });
+
+    console.log('Configuring deployment key(s)');
+
+    child_process.execFileSync(sshAdd, ['-L']).toString().split(/\r?\n/).forEach(function(key) {
+        const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/);
+
+        if (!parts) {
+            return;
+        }
+
+        const sha256 = crypto.createHash('sha256').update(key).digest('hex');
+        const ownerAndRepo = parts[1].replace(/\.git$/, '');
+
+        fs.writeFileSync(`${homeSsh}/key-${sha256}`, key + "\n", { mode: '600' });
+
+        child_process.execSync(`git config --global --replace-all url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "https://github.com/${ownerAndRepo}"`);
+        child_process.execSync(`git config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "git@github.com:${ownerAndRepo}"`);
+        child_process.execSync(`git config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "ssh://git@github.com/${ownerAndRepo}"`);
+
+        const sshConfig = `\nHost key-${sha256}.github.com\n`
+                              + `    HostName github.com\n`
+                              + `    IdentityFile ${homeSsh}/key-${sha256}\n`
+                              + `    IdentitiesOnly yes\n`;
+
+        fs.appendFileSync(`${homeSsh}/config`, sshConfig);
+
+        console.log(`Added deploy-key mapping: Use identity '${homeSsh}/key-${sha256}' for GitHub repository ${ownerAndRepo}`);
+    });
 
 } catch (error) {
+
+    if (error.code == 'ENOENT') {
+        console.log(`The '${error.path}' executable could not be found. Please make sure it is on your PATH and/or the necessary packages are installed.`);
+        console.log(`PATH is set to: ${process.env.PATH}`);
+    }
+
     core.setFailed(error.message);
 }
 
@@ -177,6 +212,13 @@ module.exports = require("child_process");
 
 /***/ }),
 
+/***/ 417:
+/***/ (function(module) {
+
+module.exports = require("crypto");
+
+/***/ }),
+
 /***/ 431:
 /***/ (function(__unusedmodule, exports, __webpack_require__) {
 
@@ -520,6 +562,31 @@ module.exports = require("path");
 
 module.exports = require("fs");
 
+/***/ }),
+
+/***/ 972:
+/***/ (function(module, __unusedexports, __webpack_require__) {
+
+const os = __webpack_require__(87);
+
+module.exports = (process.env['OS'] != 'Windows_NT') ? {
+
+    // Use getent() system call, since this is what ssh does; makes a difference in Docker-based
+    // Action runs, where $HOME is different from the pwent
+    home: os.userInfo().homedir,
+    sshAgent: 'ssh-agent',
+    sshAdd: 'ssh-add'
+
+} : {
+
+    home: os.homedir(),
+    sshAgent: 'c://progra~1//git//usr//bin//ssh-agent.exe',
+    sshAdd: 'c://progra~1//git//usr//bin//ssh-add.exe'
+
+};
+
+
+
 /***/ })
 
 /******/ });

index.js

@@ -1,12 +1,10 @@
 const core = require('@actions/core');
 const child_process = require('child_process');
 const fs = require('fs');
+const crypto = require('crypto');
+const { home, sshAgent, sshAdd } = require('./paths.js');
 
 try {
-
-    const home = process.env['HOME'];
-    const homeSsh = home + '/.ssh';
-
     const privateKey = core.getInput('ssh-private-key');
 
     if (!privateKey) {
@@ -15,37 +13,74 @@ try {
         return;
     }
 
+    const homeSsh = home + '/.ssh';
+
     console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`);
+
     fs.mkdirSync(homeSsh, { recursive: true });
     fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n');
     fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-dss AAAAB3NzaC1kc3MAAACBANGFW2P9xlGU3zWrymJgI/lKo//ZW2WfVtmbsUZJ5uyKArtlQOT2+WRhcg4979aFxgKdcsqAYW3/LS1T2km3jYW/vr4Uzn+dXWODVk5VlUiZ1HFOHf6s6ITcZvjvdbp6ZbpM+DuJT7Bw+h5Fx8Qt8I16oCZYmAPJRtu46o9C2zk1AAAAFQC4gdFGcSbp5Gr0Wd5Ay/jtcldMewAAAIATTgn4sY4Nem/FQE+XJlyUQptPWMem5fwOcWtSXiTKaaN0lkk2p2snz+EJvAGXGq9dTSWHyLJSM2W6ZdQDqWJ1k+cL8CARAqL+UMwF84CR0m3hj+wtVGD/J4G5kW2DBAf4/bqzP4469lT+dF2FRQ2L9JKXrCWcnhMtJUvua8dvnwAAAIB6C4nQfAA7x8oLta6tT+oCk2WQcydNsyugE8vLrHlogoWEicla6cWPk7oXSspbzUcfkjN3Qa6e74PhRkc7JdSdAlFzU3m7LMkXo1MHgkqNX8glxWNVqBSc0YRdbFdTkL0C6gtpklilhvuHQCdbgB3LBAikcRkDp+FCVkUgPC/7Rw==\n');
 
     console.log("Starting ssh-agent");
+
     const authSock = core.getInput('ssh-auth-sock');
-    let sshAgentOutput = ''
-    if (authSock && authSock.length > 0) {
-        sshAgentOutput = child_process.execFileSync('ssh-agent', ['-a', authSock]);
-    } else {
-        sshAgentOutput = child_process.execFileSync('ssh-agent')
-    }
+    const sshAgentArgs = (authSock && authSock.length > 0) ? ['-a', authSock] : [];
 
     // Extract auth socket path and agent pid and set them as job variables
-    const lines = sshAgentOutput.toString().split("\n")
-    for (const lineNumber in lines) {
-        const matches = /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=(.*); export \1/.exec(lines[lineNumber])
-        if (matches && matches.length > 0) {
-            core.exportVariable(matches[1], matches[2])
-        }
-    }
+    child_process.execFileSync(sshAgent, sshAgentArgs).toString().split("\n").forEach(function(line) {
+        const matches = /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=(.*); export \1/.exec(line);
 
-    console.log("Adding private key to agent");
-    privateKey.split(/(?=-----BEGIN)/).forEach(function(key) {
-        child_process.execSync('ssh-add -', { input: key.trim() + "\n" });
+        if (matches && matches.length > 0) {
+            // This will also set process.env accordingly, so changes take effect for this script
+            core.exportVariable(matches[1], matches[2])
+            console.log(`${matches[1]}=${matches[2]}`);
+        }
     });
 
-    console.log("Keys added:");
-    child_process.execSync('ssh-add -l', { stdio: 'inherit' });
+    console.log("Adding private key(s) to agent");
+
+    privateKey.split(/(?=-----BEGIN)/).forEach(function(key) {
+        child_process.execFileSync(sshAdd, ['-'], { input: key.trim() + "\n" });
+    });
+
+    console.log("Key(s) added:");
+
+    child_process.execFileSync(sshAdd, ['-l'], { stdio: 'inherit' });
+
+    console.log('Configuring deployment key(s)');
+
+    child_process.execFileSync(sshAdd, ['-L']).toString().split(/\r?\n/).forEach(function(key) {
+        const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/);
+
+        if (!parts) {
+            return;
+        }
+
+        const sha256 = crypto.createHash('sha256').update(key).digest('hex');
+        const ownerAndRepo = parts[1].replace(/\.git$/, '');
+
+        fs.writeFileSync(`${homeSsh}/key-${sha256}`, key + "\n", { mode: '600' });
+
+        child_process.execSync(`git config --global --replace-all url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "https://github.com/${ownerAndRepo}"`);
+        child_process.execSync(`git config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "git@github.com:${ownerAndRepo}"`);
+        child_process.execSync(`git config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "ssh://git@github.com/${ownerAndRepo}"`);
+
+        const sshConfig = `\nHost key-${sha256}.github.com\n`
+                              + `    HostName github.com\n`
+                              + `    IdentityFile ${homeSsh}/key-${sha256}\n`
+                              + `    IdentitiesOnly yes\n`;
+
+        fs.appendFileSync(`${homeSsh}/config`, sshConfig);
+
+        console.log(`Added deploy-key mapping: Use identity '${homeSsh}/key-${sha256}' for GitHub repository ${ownerAndRepo}`);
+    });
 
 } catch (error) {
+
+    if (error.code == 'ENOENT') {
+        console.log(`The '${error.path}' executable could not be found. Please make sure it is on your PATH and/or the necessary packages are installed.`);
+        console.log(`PATH is set to: ${process.env.PATH}`);
+    }
+
     core.setFailed(error.message);
 }

paths.js

@@ -0,0 +1,18 @@
+const os = require('os');
+
+module.exports = (process.env['OS'] != 'Windows_NT') ? {
+
+    // Use getent() system call, since this is what ssh does; makes a difference in Docker-based
+    // Action runs, where $HOME is different from the pwent
+    home: os.userInfo().homedir,
+    sshAgent: 'ssh-agent',
+    sshAdd: 'ssh-add'
+
+} : {
+
+    home: os.homedir(),
+    sshAgent: 'c://progra~1//git//usr//bin//ssh-agent.exe',
+    sshAdd: 'c://progra~1//git//usr//bin//ssh-add.exe'
+
+};
+

scripts/build.js

@@ -1,6 +1,7 @@
 const { execSync } = require('child_process')
 const path = require('path')
 const fs = require('fs')
+const process = require('process')
 
 const buildDir = path.join(process.cwd(), 'build')
 const distDir = path.join(process.cwd(), 'dist')
@@ -9,13 +10,18 @@ const buildIndexJs = path.join(buildDir, 'index.js')
 const distIndexJs = path.join(distDir, 'index.js')
 const distCleanupJs = path.join(distDir, 'cleanup.js')
 
+var ncc = `./node_modules/.bin/ncc`;
+if (process.platform === "win32") {
+    ncc = `.\\node_modules\\.bin\\ncc.cmd`;
+}
+
 if (!fs.existsSync(buildDir)) {
     fs.mkdirSync(buildDir)
 }
 
 // Build the main index.js file
 console.log('Building index.js...')
-execSync(`./node_modules/.bin/ncc build index.js -q -o ${buildDir}`)
+execSync(`${ncc} build index.js -q -o ${buildDir}`)
 if (fs.existsSync(distIndexJs)) {
     fs.unlinkSync(distIndexJs)
 }
@@ -23,7 +29,7 @@ fs.renameSync(buildIndexJs, distIndexJs)
 
 // Build the cleanup.js file
 console.log('Building cleanup.js...')
-execSync(`./node_modules/.bin/ncc build cleanup.js -q -o ${buildDir}`)
+execSync(`${ncc} build cleanup.js -q -o ${buildDir}`)
 if (fs.existsSync(distCleanupJs)) {
     fs.unlinkSync(distCleanupJs)
 }

wrapper/ssh-deploy-key-wrapper.sh

@@ -1,17 +0,0 @@
-#!/bin/bash
-
-# The last argument is the command to be executed on the remote end, which is something
-# like "git-upload-pack 'webfactory/ssh-agent.git'". We need the repo path only, so we
-# loop over this last argument to get the last part of if.
-for last in ${!#}; do :; done
-
-# Don't use "exec" to run "ssh" below; then the trap won't work.
-key_file=$(mktemp -u)
-trap "rm -f $key_file" EXIT
-
-eval last=$last
-
-# Try to pick the right key
-ssh-add -L | grep --word-regexp --max-count=1 $last > $key_file
-
-ssh -i $key_file "$@"