Randomize SSH auth socket, kill agent to support non-ephemeral, self hosted runners (@thommyhh, #27)

Thanks to @thommyhh for this contribution!

Unless the `SSH_AUTH_SOCK` is configured explicitly, this change will make the SSH agent use a random file name for the socket. That way, multiple, concurrent SSH agents can be used on non-ephemeral, self-hosted runners.

A new post-action step will automatically clean up the running agent at the end of a job.

Be aware of the possible security implications: Two jobs running on the same runner might be able to access each other's socket and thus access repositories and/or hosts.

.github/workflows/demo.yml

@@ -1,7 +1,21 @@
 on: [push, pull_request]
 
 jobs:
-    load_key_demo:
+    single_key_demo:
+        strategy:
+            matrix:
+                os: [ubuntu-latest, macOS-latest]
+        runs-on: ${{ matrix.os }}
+        steps:
+            - uses: actions/checkout@v1
+            - name: Setup key
+              uses: ./
+              with:
+                  ssh-private-key: |
+                    ${{ secrets.DEMO_KEY }}
+                    ${{ secrets.DEMO_KEY_2 }}
+
+    multiple_keys_demo:
         strategy:
             matrix:
                 os: [ubuntu-latest, macOS-latest]
@@ -12,8 +26,6 @@ jobs:
               uses: ./
               with:
                   ssh-private-key: ${{ secrets.DEMO_KEY }}
-            - run: |
-                ssh-add -l
-                echo SSH_AUTH_SOCK is at $SSH_AUTH_SOCK
-
+              
+              
 

CHANGELOG.md

@@ -0,0 +1,18 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## v0.2.0
+
+### Added
+
+* Multiple SSH keys can now be provided (#14, closes #7). Thanks to
+  @webknjaz and @bradmartin for support and tests.
+
+* Catch empty ssh-private-key input values and exit with a helpful
+  error message right away.

README.md

@@ -15,10 +15,10 @@ GitHub Actions only have access to the repository they run for. So, in order to
 ## Usage
 
 1. Create an SSH key with sufficient access privileges. For security reasons, don't use your personal SSH key but set up a dedicated one for use in GitHub Actions. See below for a few hints if you are unsure about this step.
-2. In your repository, go to the *Settings > Secrets* menu and create a new secret called `SSH_PRIVATE_KEY`. Put the *unencrypted private* SSH key in `PEM` format into the contents field. <br>
-  This key should start with `-----BEGIN RSA PRIVATE KEY-----`, consist of many lines and ends with `-----END RSA PRIVATE KEY-----`. 
-  You can just copy the key as-is from the private key file.
-3. In your workflow definition file, add the following step. Preferably this would be rather on top, near the `actions/checkout@v1` line.
+2. Make sure you don't have a passphrase set on the private key.
+3. In your repository, go to the *Settings > Secrets* menu and create a new secret. In this example, we'll call it `SSH_PRIVATE_KEY`. Put the contents of the *private* SSH key file into the contents field. <br>
+  This key should start with `-----BEGIN ... PRIVATE KEY-----`, consist of many lines and ends with `-----END ... PRIVATE KEY-----`. 
+4. In your workflow definition file, add the following step. Preferably this would be rather on top, near the `actions/checkout@v1` line.
 
 ```yaml
 # .github/workflows/my-workflow.yml
@@ -27,12 +27,40 @@ jobs:
         ...
         steps:
             - actions/checkout@v1
-            - uses: webfactory/ssh-agent@v0.1
+            # Make sure the @v0.2.0 matches the current version of the
+            # action 
+            - uses: webfactory/ssh-agent@v0.2.0
               with:
                   ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
             - ... other steps
 ```
-4. If, for some reason, you need to change the location of the SSH agent socket, you can use the `ssh-auth-sock` input to provide a path.
+5. If, for some reason, you need to change the location of the SSH agent socket, you can use the `ssh-auth-sock` input to provide a path.
+
+### Using multiple keys
+
+There are cases where you might need to use multiple keys. For example, "deployment keys" might be limited to a single repository each.
+
+In that case, you can set-up the different keys as multiple secrets and pass them all to the action like so:
+
+```yaml
+# ... contens as before
+            - uses: webfactory/ssh-agent@v0.2.0
+              with:
+                  ssh-private-key: |
+                        ${{ secrets.FIRST_KEY }}
+                        ${{ secrets.NEXT_KEY }}
+                        ${{ secrets.ANOTHER_KEY }}
+```
+
+The `ssh-agent` will load all of the keys and try each one in order when establishing SSH connections.
+
+There's one **caveat**, though: SSH servers may abort the connection attempt after a number of mismatching keys have been presented. So if, for example, you have
+six different keys loaded into the `ssh-agent`, but the server aborts after five unknown keys, the last key (which might be the right one) will never even be tried.
+
+## Exported variables
+The action exports `SSH_AUTH_SOCK` and `SSH_AGENT_PID` through the Github Actions core module.
+The `$SSH_AUTH_SOCK` is used by several applications like git or rsync to connect to the SSH authentication agent.
+The `$SSH_AGENT_PID` contains the process id of the agent. This is used to kill the agent in post job action.
 
 ## Known issues and limitations
 
@@ -50,13 +78,32 @@ If the private key is not in the `PEM` format, you will see an `Error loading ke
 
 Use `ssh-keygen -p -f path/to/your/key -m pem` to convert your key file to `PEM`, but be sure to make a backup of the file first 😉.
 
+## What this Action *cannot* do for you
+
+The following items are not issues, but beyond what this Action is supposed to do.
+
+### Work on remote machines
+
+When using `ssh` to connect from the GitHub Action worker node to another machine, you *can* forward the SSH Agent socket and use your private key on the other (remote) machine. However, this Action will not configure `known_hosts` or other SSH settings on the remote machine for you.
+
+### Provide the SSH key as a file
+
+This Action is designed to pass the SSH key directly into `ssh-agent`; that is, the key is available in memory on the GitHub Action worker node, but never written to disk. As a consequence, you _cannot_ pass the key as a build argument or a mounted file into Docker containers that you build or run on the worker node. You _can_, however, mount the `ssh-agent` Unix socket into a Docker container that you _run_, set up the `SSH_AUTH_SOCK` env var and then use SSH from within the container (see #11).
+
+### Run `ssh-keyscan` to add host keys for additional hosts
+
+If you want to use `ssh-keyscan` to add additional hosts (that you own/know) to the `known_hosts` file, you can do so with a single shell line in your Action definition. You don't really need this Action to do this for you.
+
+As a side note, using `ssh-keyscan` without proper key verification is susceptible to man-in-the-middle attacks. You might prefer putting your _known_ SSH host key in your own Action files to add it to the `known_hosts` file. The SSH host key is not secret and can safely be committed into the repo. 
+
 ## Creating SSH keys
 
-In order to create a new SSH key, run `ssh-keygen -t rsa -b 4096 -m pem -f path/to/keyfile`. This will prompt you for a key passphrase and save the key in `path/to/keyfile`.
+In order to create a new SSH key, run `ssh-keygen -t ed25519 -a 100 -f path/to/keyfile`, as suggested in [this blog post](https://stribika.github.io/2015/01/04/secure-secure-shell.html). 
+If you need to work with some older server software and need RSA keys, tr `ssh-keygen -t rsa -b 4096 -o -f path/to/keyfile` instead.
 
-Having a passphrase is a good thing, since it will keep the key encrypted on your disk. When configuring the secret `SSH_PRIVATE_KEY` value in your repository, however, you will need the private key *unencrypted*. 
-
-To show the private key unencrypted, run `openssl rsa -in path/to/key -outform pem`.
+Both commands will prompt you for a key passphrase and save the key in `path/to/keyfile`.
+In general, having a passphrase is a good thing, since it will keep the key encrypted on your disk. When using the key with this action, however, you need to make sure you don't 
+specify a passphrase: The key must be usable without reading the passphrase from input. Since the key itself is stored using GitHub's "Secret" feature, it should be fairly safe anyway.
 
 ## Authorizing a key
 
@@ -73,9 +120,10 @@ As a note to my future self, in order to work on this repo:
 * Clone it
 * Run `npm install` to fetch dependencies
 * _hack hack hack_
-* `node index.js` (inputs are passed through `INPUT_` env vars, but how to set `ssh-private-key`?)
-* Run `./node_modules/.bin/ncc build index.js` to update `dist/index.js`, which is the file actually run
+* `node index.js`. Inputs are passed through `INPUT_` env vars with their names uppercased. Use `env "INPUT_SSH-PRIVATE-KEY=\`cat file\`" node index.js` for this action.
+* Run `npm run build` to update `dist/*`, which holds the files actually run
 * Read https://help.github.com/en/articles/creating-a-javascript-action if unsure.
+* Maybe update the README example when publishing a new version.
 
 ## Credits, Copyright and License
 
@@ -86,4 +134,4 @@ developer looking for new challenges, we'd like to hear from you!
 - <https://www.webfactory.de>
 - <https://twitter.com/webfactory>
 
-Copyright 2019 webfactory GmbH, Bonn. Code released under [the MIT license](LICENSE).
+Copyright 2019 – 2020 webfactory GmbH, Bonn. Code released under [the MIT license](LICENSE).

action.yml

@@ -6,10 +6,10 @@ inputs:
         required: true
     ssh-auth-sock:
         description: 'Where to place the SSH Agent auth socket'
-        default: /tmp/ssh-auth.sock
 runs:
     using: 'node12'
     main: 'dist/index.js'
+    post: 'dist/cleanup.js'
 branding:
     icon: loader
     color: 'yellow'

cleanup.js

@@ -0,0 +1,10 @@
+const core = require('@actions/core')
+const { execSync } = require('child_process')
+
+try {
+    // Kill the started SSH agent
+    console.log('Stopping SSH agent')
+    execSync('kill ${SSH_AGENT_PID}', { stdio: 'inherit' })
+} catch (error) {
+    core.setFailed(error.message)
+}

dist/cleanup.js

@@ -0,0 +1,332 @@
+module.exports =
+/******/ (function(modules, runtime) { // webpackBootstrap
+/******/ 	"use strict";
+/******/ 	// The module cache
+/******/ 	var installedModules = {};
+/******/
+/******/ 	// The require function
+/******/ 	function __webpack_require__(moduleId) {
+/******/
+/******/ 		// Check if module is in cache
+/******/ 		if(installedModules[moduleId]) {
+/******/ 			return installedModules[moduleId].exports;
+/******/ 		}
+/******/ 		// Create a new module (and put it into the cache)
+/******/ 		var module = installedModules[moduleId] = {
+/******/ 			i: moduleId,
+/******/ 			l: false,
+/******/ 			exports: {}
+/******/ 		};
+/******/
+/******/ 		// Execute the module function
+/******/ 		modules[moduleId].call(module.exports, module, module.exports, __webpack_require__);
+/******/
+/******/ 		// Flag the module as loaded
+/******/ 		module.l = true;
+/******/
+/******/ 		// Return the exports of the module
+/******/ 		return module.exports;
+/******/ 	}
+/******/
+/******/
+/******/ 	__webpack_require__.ab = __dirname + "/";
+/******/
+/******/ 	// the startup function
+/******/ 	function startup() {
+/******/ 		// Load entry module and return exports
+/******/ 		return __webpack_require__(175);
+/******/ 	};
+/******/
+/******/ 	// run startup
+/******/ 	return startup();
+/******/ })
+/************************************************************************/
+/******/ ({
+
+/***/ 87:
+/***/ (function(module) {
+
+module.exports = require("os");
+
+/***/ }),
+
+/***/ 129:
+/***/ (function(module) {
+
+module.exports = require("child_process");
+
+/***/ }),
+
+/***/ 175:
+/***/ (function(__unusedmodule, __unusedexports, __webpack_require__) {
+
+const core = __webpack_require__(470)
+const { execSync } = __webpack_require__(129)
+
+try {
+    // Kill the started SSH agent
+    console.log('Stopping SSH agent')
+    execSync('kill ${SSH_AGENT_PID}', { stdio: 'inherit' })
+} catch (error) {
+    core.setFailed(error.message)
+}
+
+
+/***/ }),
+
+/***/ 431:
+/***/ (function(__unusedmodule, exports, __webpack_require__) {
+
+"use strict";
+
+Object.defineProperty(exports, "__esModule", { value: true });
+const os = __webpack_require__(87);
+/**
+ * Commands
+ *
+ * Command Format:
+ *   ##[name key=value;key=value]message
+ *
+ * Examples:
+ *   ##[warning]This is the user warning message
+ *   ##[set-secret name=mypassword]definitelyNotAPassword!
+ */
+function issueCommand(command, properties, message) {
+    const cmd = new Command(command, properties, message);
+    process.stdout.write(cmd.toString() + os.EOL);
+}
+exports.issueCommand = issueCommand;
+function issue(name, message = '') {
+    issueCommand(name, {}, message);
+}
+exports.issue = issue;
+const CMD_PREFIX = '##[';
+class Command {
+    constructor(command, properties, message) {
+        if (!command) {
+            command = 'missing.command';
+        }
+        this.command = command;
+        this.properties = properties;
+        this.message = message;
+    }
+    toString() {
+        let cmdStr = CMD_PREFIX + this.command;
+        if (this.properties && Object.keys(this.properties).length > 0) {
+            cmdStr += ' ';
+            for (const key in this.properties) {
+                if (this.properties.hasOwnProperty(key)) {
+                    const val = this.properties[key];
+                    if (val) {
+                        // safely append the val - avoid blowing up when attempting to
+                        // call .replace() if message is not a string for some reason
+                        cmdStr += `${key}=${escape(`${val || ''}`)};`;
+                    }
+                }
+            }
+        }
+        cmdStr += ']';
+        // safely append the message - avoid blowing up when attempting to
+        // call .replace() if message is not a string for some reason
+        const message = `${this.message || ''}`;
+        cmdStr += escapeData(message);
+        return cmdStr;
+    }
+}
+function escapeData(s) {
+    return s.replace(/\r/g, '%0D').replace(/\n/g, '%0A');
+}
+function escape(s) {
+    return s
+        .replace(/\r/g, '%0D')
+        .replace(/\n/g, '%0A')
+        .replace(/]/g, '%5D')
+        .replace(/;/g, '%3B');
+}
+//# sourceMappingURL=command.js.map
+
+/***/ }),
+
+/***/ 470:
+/***/ (function(__unusedmodule, exports, __webpack_require__) {
+
+"use strict";
+
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const command_1 = __webpack_require__(431);
+const path = __webpack_require__(622);
+/**
+ * The code to exit an action
+ */
+var ExitCode;
+(function (ExitCode) {
+    /**
+     * A code indicating that the action was successful
+     */
+    ExitCode[ExitCode["Success"] = 0] = "Success";
+    /**
+     * A code indicating that the action was a failure
+     */
+    ExitCode[ExitCode["Failure"] = 1] = "Failure";
+})(ExitCode = exports.ExitCode || (exports.ExitCode = {}));
+//-----------------------------------------------------------------------
+// Variables
+//-----------------------------------------------------------------------
+/**
+ * sets env variable for this action and future actions in the job
+ * @param name the name of the variable to set
+ * @param val the value of the variable
+ */
+function exportVariable(name, val) {
+    process.env[name] = val;
+    command_1.issueCommand('set-env', { name }, val);
+}
+exports.exportVariable = exportVariable;
+/**
+ * exports the variable and registers a secret which will get masked from logs
+ * @param name the name of the variable to set
+ * @param val value of the secret
+ */
+function exportSecret(name, val) {
+    exportVariable(name, val);
+    // the runner will error with not implemented
+    // leaving the function but raising the error earlier
+    command_1.issueCommand('set-secret', {}, val);
+    throw new Error('Not implemented.');
+}
+exports.exportSecret = exportSecret;
+/**
+ * Prepends inputPath to the PATH (for this action and future actions)
+ * @param inputPath
+ */
+function addPath(inputPath) {
+    command_1.issueCommand('add-path', {}, inputPath);
+    process.env['PATH'] = `${inputPath}${path.delimiter}${process.env['PATH']}`;
+}
+exports.addPath = addPath;
+/**
+ * Gets the value of an input.  The value is also trimmed.
+ *
+ * @param     name     name of the input to get
+ * @param     options  optional. See InputOptions.
+ * @returns   string
+ */
+function getInput(name, options) {
+    const val = process.env[`INPUT_${name.replace(' ', '_').toUpperCase()}`] || '';
+    if (options && options.required && !val) {
+        throw new Error(`Input required and not supplied: ${name}`);
+    }
+    return val.trim();
+}
+exports.getInput = getInput;
+/**
+ * Sets the value of an output.
+ *
+ * @param     name     name of the output to set
+ * @param     value    value to store
+ */
+function setOutput(name, value) {
+    command_1.issueCommand('set-output', { name }, value);
+}
+exports.setOutput = setOutput;
+//-----------------------------------------------------------------------
+// Results
+//-----------------------------------------------------------------------
+/**
+ * Sets the action status to failed.
+ * When the action exits it will be with an exit code of 1
+ * @param message add error issue message
+ */
+function setFailed(message) {
+    process.exitCode = ExitCode.Failure;
+    error(message);
+}
+exports.setFailed = setFailed;
+//-----------------------------------------------------------------------
+// Logging Commands
+//-----------------------------------------------------------------------
+/**
+ * Writes debug message to user log
+ * @param message debug message
+ */
+function debug(message) {
+    command_1.issueCommand('debug', {}, message);
+}
+exports.debug = debug;
+/**
+ * Adds an error issue
+ * @param message error issue message
+ */
+function error(message) {
+    command_1.issue('error', message);
+}
+exports.error = error;
+/**
+ * Adds an warning issue
+ * @param message warning issue message
+ */
+function warning(message) {
+    command_1.issue('warning', message);
+}
+exports.warning = warning;
+/**
+ * Begin an output group.
+ *
+ * Output until the next `groupEnd` will be foldable in this group
+ *
+ * @param name The name of the output group
+ */
+function startGroup(name) {
+    command_1.issue('group', name);
+}
+exports.startGroup = startGroup;
+/**
+ * End an output group.
+ */
+function endGroup() {
+    command_1.issue('endgroup');
+}
+exports.endGroup = endGroup;
+/**
+ * Wrap an asynchronous function call in a group.
+ *
+ * Returns the same type as the function itself.
+ *
+ * @param name The name of the group
+ * @param fn The function to wrap in the group
+ */
+function group(name, fn) {
+    return __awaiter(this, void 0, void 0, function* () {
+        startGroup(name);
+        let result;
+        try {
+            result = yield fn();
+        }
+        finally {
+            endGroup();
+        }
+        return result;
+    });
+}
+exports.group = group;
+//# sourceMappingURL=core.js.map
+
+/***/ }),
+
+/***/ 622:
+/***/ (function(module) {
+
+module.exports = require("path");
+
+/***/ })
+
+/******/ });

dist/index.js

@@ -58,21 +58,49 @@ const child_process = __webpack_require__(129);
 const fs = __webpack_require__(747);
 
 try {
+
     const home = process.env['HOME'];
     const homeSsh = home + '/.ssh';
 
+    const privateKey = core.getInput('ssh-private-key');
+
+    if (!privateKey) {
+        core.setFailed("The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file.");
+
+        return;
+    }
+
     console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`);
-    fs.mkdirSync(homeSsh, { recursive: true});
+    fs.mkdirSync(homeSsh, { recursive: true });
     fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n');
     fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-dss AAAAB3NzaC1kc3MAAACBANGFW2P9xlGU3zWrymJgI/lKo//ZW2WfVtmbsUZJ5uyKArtlQOT2+WRhcg4979aFxgKdcsqAYW3/LS1T2km3jYW/vr4Uzn+dXWODVk5VlUiZ1HFOHf6s6ITcZvjvdbp6ZbpM+DuJT7Bw+h5Fx8Qt8I16oCZYmAPJRtu46o9C2zk1AAAAFQC4gdFGcSbp5Gr0Wd5Ay/jtcldMewAAAIATTgn4sY4Nem/FQE+XJlyUQptPWMem5fwOcWtSXiTKaaN0lkk2p2snz+EJvAGXGq9dTSWHyLJSM2W6ZdQDqWJ1k+cL8CARAqL+UMwF84CR0m3hj+wtVGD/J4G5kW2DBAf4/bqzP4469lT+dF2FRQ2L9JKXrCWcnhMtJUvua8dvnwAAAIB6C4nQfAA7x8oLta6tT+oCk2WQcydNsyugE8vLrHlogoWEicla6cWPk7oXSspbzUcfkjN3Qa6e74PhRkc7JdSdAlFzU3m7LMkXo1MHgkqNX8glxWNVqBSc0YRdbFdTkL0C6gtpklilhvuHQCdbgB3LBAikcRkDp+FCVkUgPC/7Rw==\n');
 
     console.log("Starting ssh-agent");
     const authSock = core.getInput('ssh-auth-sock');
-    child_process.execFileSync('ssh-agent', ['-a', authSock]);
-    core.exportVariable('SSH_AUTH_SOCK', authSock);
+    let sshAgentOutput = ''
+    if (authSock && authSock.length > 0) {
+        sshAgentOutput = child_process.execFileSync('ssh-agent', ['-a', authSock]);
+    } else {
+        sshAgentOutput = child_process.execFileSync('ssh-agent')
+    }
+
+    // Extract auth socket path and agent pid and set them as job variables
+    const lines = sshAgentOutput.toString().split("\n")
+    for (const lineNumber in lines) {
+        const matches = /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=(.*); export \1/.exec(lines[lineNumber])
+        if (matches && matches.length > 0) {
+            core.exportVariable(matches[1], matches[2])
+        }
+    }
 
     console.log("Adding private key to agent");
-    child_process.execSync('ssh-add -', { input: core.getInput('ssh-private-key') });
+    privateKey.split(/(?=-----BEGIN)/).forEach(function(key) {
+        child_process.execSync('ssh-add -', { input: key.trim() + "\n" });
+    });
+
+    console.log("Keys added:");
+    child_process.execSync('ssh-add -l', { stdio: 'inherit' });
+
 } catch (error) {
     core.setFailed(error.message);
 }

index.js

@@ -3,21 +3,49 @@ const child_process = require('child_process');
 const fs = require('fs');
 
 try {
+
     const home = process.env['HOME'];
     const homeSsh = home + '/.ssh';
 
+    const privateKey = core.getInput('ssh-private-key');
+
+    if (!privateKey) {
+        core.setFailed("The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file.");
+
+        return;
+    }
+
     console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`);
-    fs.mkdirSync(homeSsh, { recursive: true});
+    fs.mkdirSync(homeSsh, { recursive: true });
     fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n');
     fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-dss AAAAB3NzaC1kc3MAAACBANGFW2P9xlGU3zWrymJgI/lKo//ZW2WfVtmbsUZJ5uyKArtlQOT2+WRhcg4979aFxgKdcsqAYW3/LS1T2km3jYW/vr4Uzn+dXWODVk5VlUiZ1HFOHf6s6ITcZvjvdbp6ZbpM+DuJT7Bw+h5Fx8Qt8I16oCZYmAPJRtu46o9C2zk1AAAAFQC4gdFGcSbp5Gr0Wd5Ay/jtcldMewAAAIATTgn4sY4Nem/FQE+XJlyUQptPWMem5fwOcWtSXiTKaaN0lkk2p2snz+EJvAGXGq9dTSWHyLJSM2W6ZdQDqWJ1k+cL8CARAqL+UMwF84CR0m3hj+wtVGD/J4G5kW2DBAf4/bqzP4469lT+dF2FRQ2L9JKXrCWcnhMtJUvua8dvnwAAAIB6C4nQfAA7x8oLta6tT+oCk2WQcydNsyugE8vLrHlogoWEicla6cWPk7oXSspbzUcfkjN3Qa6e74PhRkc7JdSdAlFzU3m7LMkXo1MHgkqNX8glxWNVqBSc0YRdbFdTkL0C6gtpklilhvuHQCdbgB3LBAikcRkDp+FCVkUgPC/7Rw==\n');
 
     console.log("Starting ssh-agent");
     const authSock = core.getInput('ssh-auth-sock');
-    child_process.execFileSync('ssh-agent', ['-a', authSock]);
-    core.exportVariable('SSH_AUTH_SOCK', authSock);
+    let sshAgentOutput = ''
+    if (authSock && authSock.length > 0) {
+        sshAgentOutput = child_process.execFileSync('ssh-agent', ['-a', authSock]);
+    } else {
+        sshAgentOutput = child_process.execFileSync('ssh-agent')
+    }
+
+    // Extract auth socket path and agent pid and set them as job variables
+    const lines = sshAgentOutput.toString().split("\n")
+    for (const lineNumber in lines) {
+        const matches = /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=(.*); export \1/.exec(lines[lineNumber])
+        if (matches && matches.length > 0) {
+            core.exportVariable(matches[1], matches[2])
+        }
+    }
 
     console.log("Adding private key to agent");
-    child_process.execSync('ssh-add -', { input: core.getInput('ssh-private-key') });
+    privateKey.split(/(?=-----BEGIN)/).forEach(function(key) {
+        child_process.execSync('ssh-add -', { input: key.trim() + "\n" });
+    });
+
+    console.log("Keys added:");
+    child_process.execSync('ssh-add -l', { stdio: 'inherit' });
+
 } catch (error) {
     core.setFailed(error.message);
 }

package-lock.json

@@ -5,9 +5,9 @@
     "requires": true,
     "dependencies": {
         "@actions/core": {
-            "version": "1.1.0",
-            "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.1.0.tgz",
-            "integrity": "sha512-KKpo3xzo0Zsikni9tbOsEQkxZBGDsYSJZNkTvmo0gPSXrc98TBOcdTvKwwjitjkjHkreTggWdB1ACiAFVgsuzA==",
+            "version": "1.2.4",
+            "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.4.tgz",
+            "integrity": "sha512-YJCEq8BE3CdN8+7HPZ/4DxJjk/OkZV2FFIf+DlZTC/4iBlzYCD5yjRR6eiOS5llO11zbRltIRuKAjMKaWTE6cg==",
             "dev": true
         },
         "@zeit/ncc": {
@@ -15,12 +15,6 @@
             "resolved": "https://registry.npmjs.org/@zeit/ncc/-/ncc-0.20.5.tgz",
             "integrity": "sha512-XU6uzwvv95DqxciQx+aOLhbyBx/13ky+RK1y88Age9Du3BlA4mMPCy13BGjayOrrumOzlq1XV3SD/BWiZENXlw==",
             "dev": true
-        },
-        "child_process": {
-            "version": "1.0.2",
-            "resolved": "https://registry.npmjs.org/child_process/-/child_process-1.0.2.tgz",
-            "integrity": "sha1-sffn/HPSXn/R1FWtyU4UODAYK1o=",
-            "dev": true
         }
     }
 }

package.json

@@ -7,8 +7,10 @@
     "author": "webfactory GmbH <info@webfactory.de>",
     "license": "MIT",
     "devDependencies": {
-        "@actions/core": "^1.1.0",
-        "@zeit/ncc": "^0.20.5",
-        "child_process": "^1.0.2"
+        "@actions/core": "^1.2.4",
+        "@zeit/ncc": "^0.20.5"
+    },
+    "scripts": {
+        "build": "node scripts/build.js"
     }
 }

scripts/build.js

@@ -0,0 +1,35 @@
+const { execSync } = require('child_process')
+const path = require('path')
+const fs = require('fs')
+
+const buildDir = path.join(process.cwd(), 'build')
+const distDir = path.join(process.cwd(), 'dist')
+
+const buildIndexJs = path.join(buildDir, 'index.js')
+const distIndexJs = path.join(distDir, 'index.js')
+const distCleanupJs = path.join(distDir, 'cleanup.js')
+
+if (!fs.existsSync(buildDir)) {
+    fs.mkdirSync(buildDir)
+}
+
+// Build the main index.js file
+console.log('Building index.js...')
+execSync(`./node_modules/.bin/ncc build index.js -q -o ${buildDir}`)
+if (fs.existsSync(distIndexJs)) {
+    fs.unlinkSync(distIndexJs)
+}
+fs.renameSync(buildIndexJs, distIndexJs)
+
+// Build the cleanup.js file
+console.log('Building cleanup.js...')
+execSync(`./node_modules/.bin/ncc build cleanup.js -q -o ${buildDir}`)
+if (fs.existsSync(distCleanupJs)) {
+    fs.unlinkSync(distCleanupJs)
+}
+fs.renameSync(buildIndexJs, distCleanupJs)
+
+console.log('Cleaning up...')
+fs.rmdirSync(buildDir)
+
+console.log('Done')