ops/ssh-agent
1
0
Fork 0
mirror of https://github.com/webfactory/ssh-agent.git synced 2026-03-15 15:59:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: ops:v0.5.1
Branches Tags
ops:master ops:mkdir-p ops:camilo/log-public-key ops:demo-go-get ops:debug-windows-ssh ops:deploy-key-wrapper
ops:v0.10.0 ops:v0.9.1 ops:v0.9.0 ops:v0.8.0 ops:v0.7.0 ops:v0.6.0 ops:v0.5.4 ops:v0.5.3 ops:v0.5.2 ops:v0.5.1 ops:v0.5.0 ops:v0.4.1 ops:v0.4.0 ops:v0.3.0 ops:v0.2.0 ops:v0.1.1 ops:v0.1.0
..
compare: ops:v0.5.4
Branches Tags
ops:master ops:mkdir-p ops:camilo/log-public-key ops:demo-go-get ops:debug-windows-ssh ops:deploy-key-wrapper
ops:v0.10.0 ops:v0.9.1 ops:v0.9.0 ops:v0.8.0 ops:v0.7.0 ops:v0.6.0 ops:v0.5.4 ops:v0.5.3 ops:v0.5.2 ops:v0.5.1 ops:v0.5.0 ops:v0.4.1 ops:v0.4.0 ops:v0.3.0 ops:v0.2.0 ops:v0.1.1 ops:v0.1.0

16 Commits
v0.5.1 ... v0.5.4

Author SHA1 Message Date
Matthias Pigulla
fc49353b67 Bump example version numbers in the README file 2021-11-20 11:43:25 +00:00
Matthias Pigulla
bc6614de94 Update recent changes in the CHANGELOG file 2021-11-20 11:43:02 +00:00
J.R. Mash
dc622c59e4 Update to Reflect Supported GitHub Host Keys (#102) 
Closes #101 as well.

Co-authored-by: Matthias Pigulla <mp@webfactory.de>
 2021-11-20 12:21:38 +01:00
John Hamelink
97348a2ec6 Document on how to integrate with docker/build-push-action (#90) 
This change adds some extra clarification to the documentation to show how to setup the `docker/build-push-action` step with this action. This is very helpful when using buildkit's `RUN --mount=type=ssh`. We found this to be a little confusing and the GH issues we found on the matter didn't help!

Co-authored-by: Matthias Pigulla <mp@webfactory.de>
 2021-11-18 12:27:08 +01:00
Ror
bbd5513ed5 Better explain in the README how to set up keys in repositories (#96) 2021-11-18 11:58:33 +01:00
Matthias Pigulla
a652a400f2 Merge pull request #95 from mjhipp/mh_public_key_comment 2021-09-01 21:28:09 +02:00
Michael Hipp
1711bb1971 Update GitHub deploy key log comment to specify public key 2021-09-01 11:40:04 -07:00
Matthias Pigulla
5f066a372e Prepare a 0.5.3 release 2021-06-11 15:18:45 +02:00
Maciej Pasternacki
a45226bfaf Use execFileSync to clean up (#80) 
execSync just started a second ssh-agent. `['-k']` argument was
treated as options, it didn't have `stdio` set, so stdio was piped and
returned (and ignored).
 2021-06-11 15:17:22 +02:00
Matthias Pigulla
81d965f2bd Tix a fypo 2021-06-03 23:33:40 +02:00
Matthias Pigulla
515d164e78 Run cleanup (post) step also on failure (#79) 
According to https://github.com/actions/runner/issues/987, this should run the post step (cleanup.js) also when a workflow fails.

Probably most important on self-hosted runners that are not ephemeral, to terminate SSH agents from failed jobs as well.
 2021-06-02 22:15:05 +02:00
Matthias Pigulla
8569bedfe0 Mention "-scmProvider system" for XCode builds/Swift Package Manager 
Co-authored-by: rr-james-hickman <james.hickman@rakuten.com>
 2021-05-27 20:11:56 +00:00
Matthias Pigulla
98f76b1158 Give an example of how to add a key comment 
Co-authored-by: rr-james-hickman <james.hickman@rakuten.com>
 2021-05-27 20:05:28 +00:00
Matthias Pigulla
cb8b21017a Update version numbers in README for the next bugfix release 2021-04-07 12:30:27 +02:00
Matthias Pigulla
aed5400f20 Log when a key is _not_ used as a deploy key 
Resolves #69.

Co-authored-by: Sean Killeen <SeanKilleen@gmail.com>
 2021-03-17 18:50:49 +00:00
Matthias Pigulla
4681241867 Use case-insensitive regex matching when scanning key comments 
Resolves #68, closes #70, closes #71.

Co-authored-by: Sean Killeen <SeanKilleen@gmail.com>
 2021-03-17 18:27:52 +00:00
7 changed files with 102 additions and 18 deletions
Expand all files Collapse all files

59
CHANGELOG.md
View File

@@ -7,6 +7,65 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
## v0.5.4 [2021-11-21]
### Fixed
* Update changed GitHub Host Keys (#102, #101)
### Changed
* Various documentation (README) improvements and additions
* Change logging to more precisely state that _public_ keys are being printed
## v0.5.3 [2021-06-11]
### Fixed
* Fixed cleanup phase to really terminate the ssh-agent (#80)
* Fix termination of ssh-agent also on workflow faiulre (#79)
### Changed
* Various documentation (README) improvements and additions
## v0.5.2 [2021-04-07]
### Fixed
* Use case-insensitive regex matching when scanning key comments (#68, #70, #71)
### Changed
* Log when a key is _not_ used as a deploy key (#69)
## v0.5.1 [2021-03-10]
### Fixed
* Fix deployment key mapping on Windows virtual environment by using SSH binaries from the Git
suite, terminate ssh-agent upon actio termination on Windows as well (#63)
* Handle ENOENT exceptions with a graceful message
### Changed
* Various documentation (README) improvements and additions
## v0.5.0 [2021-02-19]
### Added
* Add support for GitHub Deployment Keys through key comments (#59). Fixes #30, closes #38.
* Support for container-based workflows and Windows (#17)
### Fixed
* Fix scripts/build.js to work on Windows (#38)
### Changed
* Various documentation (README) improvements and additions
## v0.4.1 [2020-10-07]
### Fixed

36
README.md
View File

@@ -20,11 +20,14 @@ GitHub Actions only have access to the repository they run for. So, in order to
## Usage
1. Create an SSH key with sufficient access privileges. For security reasons, don't use your personal SSH key but set up a dedicated one for use in GitHub Actions. See below for a few hints if you are unsure about this step.
1. Generate a new SSH key with sufficient access privileges. For security reasons, don't use your personal SSH key but set up a dedicated one for use in GitHub Actions. See below for a few hints if you are unsure about this step.
2. Make sure you don't have a passphrase set on the private key.
3. In your repository, go to the *Settings > Secrets* menu and create a new secret. In this example, we'll call it `SSH_PRIVATE_KEY`. Put the contents of the *private* SSH key file into the contents field. <br>
This key should start with `-----BEGIN ... PRIVATE KEY-----`, consist of many lines and ends with `-----END ... PRIVATE KEY-----`.
4. In your workflow definition file, add the following step. Preferably this would be rather on top, near the `actions/checkout@v2` line.
3. Add the public SSH key to the private repository you are pulling from during the Github Action as a 'Deploy Key'.
4. Add the private SSH key to the repository triggering the Github Action:
* In your repository, go to the *Settings > Secrets* menu and create a new secret. In this example, we'll call it `SSH_PRIVATE_KEY`.
* Put the contents of the *private* SSH key file into the contents field. <br>
* This key should start with `-----BEGIN ... PRIVATE KEY-----`, consist of many lines and ends with `-----END ... PRIVATE KEY-----`.
5. In your workflow definition file, add the following step. Preferably this would be rather on top, near the `actions/checkout@v2` line.
```yaml
# .github/workflows/my-workflow.yml
@@ -33,9 +36,9 @@ jobs:
...
steps:
- actions/checkout@v2
# Make sure the @v0.5.1 matches the current version of the
# Make sure the @v0.5.4 matches the current version of the
# action
- uses: webfactory/ssh-agent@v0.5.1
- uses: webfactory/ssh-agent@v0.5.4
with:
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
- ... other steps
@@ -50,7 +53,7 @@ You can set up different keys as different secrets and pass them all to the acti
```yaml
# ... contens as before
- uses: webfactory/ssh-agent@v0.5.1
- uses: webfactory/ssh-agent@v0.5.4
with:
ssh-private-key: |
${{ secrets.FIRST_KEY }}
@@ -68,7 +71,7 @@ When using **Github deploy keys**, GitHub servers will accept the _first_ known
To support picking the right key in this use case, this action scans _key comments_ and will set up extra Git and SSH configuration to make things work.
1. When creating the deploy key for a repository like `git@github.com:owner/repo.git` or `https://github.com/owner/repo`, put that URL into the key comment.
1. When creating the deploy key for a repository like `git@github.com:owner/repo.git` or `https://github.com/owner/repo`, put that URL into the key comment. (Hint: Try `ssh-keygen ... -C "git@github.com:owner/repo.git"`.)
2. After keys have been added to the agent, this action will scan the key comments.
3. For key comments containing such URLs, a Git config setting is written that uses [`url.<base>.insteadof`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-urlltbasegtinsteadOf). It will redirect `git` requests to URLs starting with either `https://github.com/owner/repo` or `git@github.com:owner/repo` to a fake hostname/URL like `git@...some.hash...:owner/repo`.
4. An SSH configuration section is generated that applies to the fake hostname. It will map the SSH connection back to `github.com`, while at the same time pointing SSH to a file containing the appropriate key's public part. That will make SSH use the right key when connecting to GitHub.com.
@@ -98,6 +101,19 @@ If you know that your favorite tool or platform of choice requires extra tweaks
If you are using this action on container-based workflows, make sure the container has the necessary SSH binaries or package(s) installed.
### Using the `docker/build-push-action` Action
If you are using the `docker/build-push-action`, and would like to pass the SSH key, you can do so by adding the following config to pass the socket file through:
```
- name: Build and push
id: docker_build
uses: docker/build-push-action@v2
with:
ssh: |
default=${{ env.SSH_AUTH_SOCK }}
```
### Cargo's (Rust) Private Dependencies on Windows
If you are using private repositories in your dependencies like this:
@@ -126,6 +142,10 @@ env:
CARGO_NET_GIT_FETCH_WITH_CLI: true
```
### Using Deploy Keys with Swift Package Manager
`xcodebuild` by default uses Xcode's built-in Git tooling. If you want to use GitHub Deploy Keys as supported by this action, however, that version of Git will lack the necessary URL remapping. In this case, pass `-scmProvider system` to the `xcodebuild` command, as mentioned in [Apple's documentation](https://developer.apple.com/documentation/swift_packages/building_swift_packages_or_apps_that_use_them_in_continuous_integration_workflows#3680255).
## What this Action *cannot* do for you
The following items are not issues, but beyond what this Action is supposed to do.

1
action.yml
View File

@@ -10,6 +10,7 @@ runs:
using: 'node12'
main: 'dist/index.js'
post: 'dist/cleanup.js'
post-if: 'always()'
branding:
icon: loader
color: 'yellow'

5
cleanup.js
View File

@@ -1,12 +1,11 @@
const core = require('@actions/core');
const { execSync } = require('child_process');
const { execFileSync } = require('child_process');
const { sshAgent } = require('./paths.js');
try {
// Kill the started SSH agent
console.log('Stopping SSH agent');
execSync(sshAgent, ['-k'], { stdio: 'inherit' });
execFileSync(sshAgent, ['-k'], { stdio: 'inherit' });
} catch (error) {
console.log(error.message);
console.log('Error stopping the SSH agent, proceeding anyway');

5
dist/cleanup.js vendored
View File

@@ -123,14 +123,13 @@ module.exports = require("child_process");
/***/ (function(__unusedmodule, __unusedexports, __webpack_require__) {
const core = __webpack_require__(470);
const { execSync } = __webpack_require__(129);
const { execFileSync } = __webpack_require__(129);
const { sshAgent } = __webpack_require__(972);
try {
// Kill the started SSH agent
console.log('Stopping SSH agent');
execSync(sshAgent, ['-k'], { stdio: 'inherit' });
execFileSync(sshAgent, ['-k'], { stdio: 'inherit' });
} catch (error) {
console.log(error.message);
console.log('Error stopping the SSH agent, proceeding anyway');

7
dist/index.js vendored
View File

@@ -135,8 +135,9 @@ try {
console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`);
fs.mkdirSync(homeSsh, { recursive: true });
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=\n');
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl\n');
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n');
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-dss AAAAB3NzaC1kc3MAAACBANGFW2P9xlGU3zWrymJgI/lKo//ZW2WfVtmbsUZJ5uyKArtlQOT2+WRhcg4979aFxgKdcsqAYW3/LS1T2km3jYW/vr4Uzn+dXWODVk5VlUiZ1HFOHf6s6ITcZvjvdbp6ZbpM+DuJT7Bw+h5Fx8Qt8I16oCZYmAPJRtu46o9C2zk1AAAAFQC4gdFGcSbp5Gr0Wd5Ay/jtcldMewAAAIATTgn4sY4Nem/FQE+XJlyUQptPWMem5fwOcWtSXiTKaaN0lkk2p2snz+EJvAGXGq9dTSWHyLJSM2W6ZdQDqWJ1k+cL8CARAqL+UMwF84CR0m3hj+wtVGD/J4G5kW2DBAf4/bqzP4469lT+dF2FRQ2L9JKXrCWcnhMtJUvua8dvnwAAAIB6C4nQfAA7x8oLta6tT+oCk2WQcydNsyugE8vLrHlogoWEicla6cWPk7oXSspbzUcfkjN3Qa6e74PhRkc7JdSdAlFzU3m7LMkXo1MHgkqNX8glxWNVqBSc0YRdbFdTkL0C6gtpklilhvuHQCdbgB3LBAikcRkDp+FCVkUgPC/7Rw==\n');
console.log("Starting ssh-agent");
@@ -167,9 +168,11 @@ try {
console.log('Configuring deployment key(s)');
child_process.execFileSync(sshAdd, ['-L']).toString().split(/\r?\n/).forEach(function(key) {
const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/);
const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/i);
if (!parts) {
console.log(`Comment for (public) key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
return;
}

7
index.js
View File

@@ -18,8 +18,9 @@ try {
console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`);
fs.mkdirSync(homeSsh, { recursive: true });
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=\n');
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl\n');
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n');
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-dss AAAAB3NzaC1kc3MAAACBANGFW2P9xlGU3zWrymJgI/lKo//ZW2WfVtmbsUZJ5uyKArtlQOT2+WRhcg4979aFxgKdcsqAYW3/LS1T2km3jYW/vr4Uzn+dXWODVk5VlUiZ1HFOHf6s6ITcZvjvdbp6ZbpM+DuJT7Bw+h5Fx8Qt8I16oCZYmAPJRtu46o9C2zk1AAAAFQC4gdFGcSbp5Gr0Wd5Ay/jtcldMewAAAIATTgn4sY4Nem/FQE+XJlyUQptPWMem5fwOcWtSXiTKaaN0lkk2p2snz+EJvAGXGq9dTSWHyLJSM2W6ZdQDqWJ1k+cL8CARAqL+UMwF84CR0m3hj+wtVGD/J4G5kW2DBAf4/bqzP4469lT+dF2FRQ2L9JKXrCWcnhMtJUvua8dvnwAAAIB6C4nQfAA7x8oLta6tT+oCk2WQcydNsyugE8vLrHlogoWEicla6cWPk7oXSspbzUcfkjN3Qa6e74PhRkc7JdSdAlFzU3m7LMkXo1MHgkqNX8glxWNVqBSc0YRdbFdTkL0C6gtpklilhvuHQCdbgB3LBAikcRkDp+FCVkUgPC/7Rw==\n');
console.log("Starting ssh-agent");
@@ -50,9 +51,11 @@ try {
console.log('Configuring deployment key(s)');
child_process.execFileSync(sshAdd, ['-L']).toString().split(/\r?\n/).forEach(function(key) {
const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/);
const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/i);
if (!parts) {
console.log(`Comment for (public) key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
return;
}