ops/ssh-agent
1
0
Fork 0
mirror of https://github.com/webfactory/ssh-agent.git synced 2026-03-20 10:09:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: ops:v0.5.2
Branches Tags
ops:master ops:mkdir-p ops:camilo/log-public-key ops:demo-go-get ops:debug-windows-ssh ops:deploy-key-wrapper
ops:v0.10.0 ops:v0.9.1 ops:v0.9.0 ops:v0.8.0 ops:v0.7.0 ops:v0.6.0 ops:v0.5.4 ops:v0.5.3 ops:v0.5.2 ops:v0.5.1 ops:v0.5.0 ops:v0.4.1 ops:v0.4.0 ops:v0.3.0 ops:v0.2.0 ops:v0.1.1 ops:v0.1.0
...
compare: ops:v0.5.4
Branches Tags
ops:master ops:mkdir-p ops:camilo/log-public-key ops:demo-go-get ops:debug-windows-ssh ops:deploy-key-wrapper
ops:v0.10.0 ops:v0.9.1 ops:v0.9.0 ops:v0.8.0 ops:v0.7.0 ops:v0.6.0 ops:v0.5.4 ops:v0.5.3 ops:v0.5.2 ops:v0.5.1 ops:v0.5.0 ops:v0.4.1 ops:v0.4.0 ops:v0.3.0 ops:v0.2.0 ops:v0.1.1 ops:v0.1.0

13 Commits
v0.5.2 ... v0.5.4

Author SHA1 Message Date
Matthias Pigulla
fc49353b67 Bump example version numbers in the README file 2021-11-20 11:43:25 +00:00
Matthias Pigulla
bc6614de94 Update recent changes in the CHANGELOG file 2021-11-20 11:43:02 +00:00
J.R. Mash
dc622c59e4 Update to Reflect Supported GitHub Host Keys (#102) 
Closes #101 as well.

Co-authored-by: Matthias Pigulla <mp@webfactory.de>
 2021-11-20 12:21:38 +01:00
John Hamelink
97348a2ec6 Document on how to integrate with docker/build-push-action (#90) 
This change adds some extra clarification to the documentation to show how to setup the `docker/build-push-action` step with this action. This is very helpful when using buildkit's `RUN --mount=type=ssh`. We found this to be a little confusing and the GH issues we found on the matter didn't help!

Co-authored-by: Matthias Pigulla <mp@webfactory.de>
 2021-11-18 12:27:08 +01:00
Ror
bbd5513ed5 Better explain in the README how to set up keys in repositories (#96) 2021-11-18 11:58:33 +01:00
Matthias Pigulla
a652a400f2 Merge pull request #95 from mjhipp/mh_public_key_comment 2021-09-01 21:28:09 +02:00
Michael Hipp
1711bb1971 Update GitHub deploy key log comment to specify public key 2021-09-01 11:40:04 -07:00
Matthias Pigulla
5f066a372e Prepare a 0.5.3 release 2021-06-11 15:18:45 +02:00
Maciej Pasternacki
a45226bfaf Use execFileSync to clean up (#80) 
execSync just started a second ssh-agent. `['-k']` argument was
treated as options, it didn't have `stdio` set, so stdio was piped and
returned (and ignored).
 2021-06-11 15:17:22 +02:00
Matthias Pigulla
81d965f2bd Tix a fypo 2021-06-03 23:33:40 +02:00
Matthias Pigulla
515d164e78 Run cleanup (post) step also on failure (#79) 
According to https://github.com/actions/runner/issues/987, this should run the post step (cleanup.js) also when a workflow fails.

Probably most important on self-hosted runners that are not ephemeral, to terminate SSH agents from failed jobs as well.
 2021-06-02 22:15:05 +02:00
Matthias Pigulla
8569bedfe0 Mention "-scmProvider system" for XCode builds/Swift Package Manager 
Co-authored-by: rr-james-hickman <james.hickman@rakuten.com>
 2021-05-27 20:11:56 +00:00
Matthias Pigulla
98f76b1158 Give an example of how to add a key comment 
Co-authored-by: rr-james-hickman <james.hickman@rakuten.com>
 2021-05-27 20:05:28 +00:00
7 changed files with 98 additions and 18 deletions
Expand all files Collapse all files

59
CHANGELOG.md
View File

@@ -7,6 +7,65 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased] ## [Unreleased]
## v0.5.4 [2021-11-21]
### Fixed
* Update changed GitHub Host Keys (#102, #101)
### Changed
* Various documentation (README) improvements and additions
* Change logging to more precisely state that _public_ keys are being printed
## v0.5.3 [2021-06-11]
### Fixed
* Fixed cleanup phase to really terminate the ssh-agent (#80)
* Fix termination of ssh-agent also on workflow faiulre (#79)
### Changed
* Various documentation (README) improvements and additions
## v0.5.2 [2021-04-07]
### Fixed
* Use case-insensitive regex matching when scanning key comments (#68, #70, #71)
### Changed
* Log when a key is _not_ used as a deploy key (#69)
## v0.5.1 [2021-03-10]
### Fixed
* Fix deployment key mapping on Windows virtual environment by using SSH binaries from the Git
suite, terminate ssh-agent upon actio termination on Windows as well (#63)
* Handle ENOENT exceptions with a graceful message
### Changed
* Various documentation (README) improvements and additions
## v0.5.0 [2021-02-19]
### Added
* Add support for GitHub Deployment Keys through key comments (#59). Fixes #30, closes #38.
* Support for container-based workflows and Windows (#17)
### Fixed
* Fix scripts/build.js to work on Windows (#38)
### Changed
* Various documentation (README) improvements and additions
## v0.4.1 [2020-10-07] ## v0.4.1 [2020-10-07]
### Fixed ### Fixed

36
README.md
View File

@@ -20,11 +20,14 @@ GitHub Actions only have access to the repository they run for. So, in order to
## Usage ## Usage
1. Create an SSH key with sufficient access privileges. For security reasons, don't use your personal SSH key but set up a dedicated one for use in GitHub Actions. See below for a few hints if you are unsure about this step. 1. Generate a new SSH key with sufficient access privileges. For security reasons, don't use your personal SSH key but set up a dedicated one for use in GitHub Actions. See below for a few hints if you are unsure about this step.
2. Make sure you don't have a passphrase set on the private key. 2. Make sure you don't have a passphrase set on the private key.
3. In your repository, go to the *Settings > Secrets* menu and create a new secret. In this example, we'll call it `SSH_PRIVATE_KEY`. Put the contents of the *private* SSH key file into the contents field. <br> 3. Add the public SSH key to the private repository you are pulling from during the Github Action as a 'Deploy Key'.
This key should start with `-----BEGIN ... PRIVATE KEY-----`, consist of many lines and ends with `-----END ... PRIVATE KEY-----`. 4. Add the private SSH key to the repository triggering the Github Action:
4. In your workflow definition file, add the following step. Preferably this would be rather on top, near the `actions/checkout@v2` line. * In your repository, go to the *Settings > Secrets* menu and create a new secret. In this example, we'll call it `SSH_PRIVATE_KEY`.
* Put the contents of the *private* SSH key file into the contents field. <br>
* This key should start with `-----BEGIN ... PRIVATE KEY-----`, consist of many lines and ends with `-----END ... PRIVATE KEY-----`.
5. In your workflow definition file, add the following step. Preferably this would be rather on top, near the `actions/checkout@v2` line.
```yaml ```yaml
# .github/workflows/my-workflow.yml # .github/workflows/my-workflow.yml
@@ -33,9 +36,9 @@ jobs:
... ...
steps: steps:
- actions/checkout@v2 - actions/checkout@v2
# Make sure the @v0.5.2 matches the current version of the # Make sure the @v0.5.4 matches the current version of the
# action # action
- uses: webfactory/ssh-agent@v0.5.2 - uses: webfactory/ssh-agent@v0.5.4
with: with:
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
- ... other steps - ... other steps
@@ -50,7 +53,7 @@ You can set up different keys as different secrets and pass them all to the acti
```yaml ```yaml
# ... contens as before # ... contens as before
- uses: webfactory/ssh-agent@v0.5.2 - uses: webfactory/ssh-agent@v0.5.4
with: with:
ssh-private-key: | ssh-private-key: |
${{ secrets.FIRST_KEY }} ${{ secrets.FIRST_KEY }}
@@ -68,7 +71,7 @@ When using **Github deploy keys**, GitHub servers will accept the _first_ known
To support picking the right key in this use case, this action scans _key comments_ and will set up extra Git and SSH configuration to make things work. To support picking the right key in this use case, this action scans _key comments_ and will set up extra Git and SSH configuration to make things work.
1. When creating the deploy key for a repository like `git@github.com:owner/repo.git` or `https://github.com/owner/repo`, put that URL into the key comment. 1. When creating the deploy key for a repository like `git@github.com:owner/repo.git` or `https://github.com/owner/repo`, put that URL into the key comment. (Hint: Try `ssh-keygen ... -C "git@github.com:owner/repo.git"`.)
2. After keys have been added to the agent, this action will scan the key comments. 2. After keys have been added to the agent, this action will scan the key comments.
3. For key comments containing such URLs, a Git config setting is written that uses [`url.<base>.insteadof`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-urlltbasegtinsteadOf). It will redirect `git` requests to URLs starting with either `https://github.com/owner/repo` or `git@github.com:owner/repo` to a fake hostname/URL like `git@...some.hash...:owner/repo`. 3. For key comments containing such URLs, a Git config setting is written that uses [`url.<base>.insteadof`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-urlltbasegtinsteadOf). It will redirect `git` requests to URLs starting with either `https://github.com/owner/repo` or `git@github.com:owner/repo` to a fake hostname/URL like `git@...some.hash...:owner/repo`.
4. An SSH configuration section is generated that applies to the fake hostname. It will map the SSH connection back to `github.com`, while at the same time pointing SSH to a file containing the appropriate key's public part. That will make SSH use the right key when connecting to GitHub.com. 4. An SSH configuration section is generated that applies to the fake hostname. It will map the SSH connection back to `github.com`, while at the same time pointing SSH to a file containing the appropriate key's public part. That will make SSH use the right key when connecting to GitHub.com.
@@ -98,6 +101,19 @@ If you know that your favorite tool or platform of choice requires extra tweaks
If you are using this action on container-based workflows, make sure the container has the necessary SSH binaries or package(s) installed. If you are using this action on container-based workflows, make sure the container has the necessary SSH binaries or package(s) installed.
### Using the `docker/build-push-action` Action
If you are using the `docker/build-push-action`, and would like to pass the SSH key, you can do so by adding the following config to pass the socket file through:
```
- name: Build and push
id: docker_build
uses: docker/build-push-action@v2
with:
ssh: |
default=${{ env.SSH_AUTH_SOCK }}
```
### Cargo's (Rust) Private Dependencies on Windows ### Cargo's (Rust) Private Dependencies on Windows
If you are using private repositories in your dependencies like this: If you are using private repositories in your dependencies like this:
@@ -126,6 +142,10 @@ env:
CARGO_NET_GIT_FETCH_WITH_CLI: true CARGO_NET_GIT_FETCH_WITH_CLI: true
``` ```
### Using Deploy Keys with Swift Package Manager
`xcodebuild` by default uses Xcode's built-in Git tooling. If you want to use GitHub Deploy Keys as supported by this action, however, that version of Git will lack the necessary URL remapping. In this case, pass `-scmProvider system` to the `xcodebuild` command, as mentioned in [Apple's documentation](https://developer.apple.com/documentation/swift_packages/building_swift_packages_or_apps_that_use_them_in_continuous_integration_workflows#3680255).
## What this Action *cannot* do for you ## What this Action *cannot* do for you
The following items are not issues, but beyond what this Action is supposed to do. The following items are not issues, but beyond what this Action is supposed to do.

1
action.yml
View File

@@ -10,6 +10,7 @@ runs:
using: 'node12' using: 'node12'
main: 'dist/index.js' main: 'dist/index.js'
post: 'dist/cleanup.js' post: 'dist/cleanup.js'
post-if: 'always()'
branding: branding:
icon: loader icon: loader
color: 'yellow' color: 'yellow'

5
cleanup.js
View File

@@ -1,12 +1,11 @@
const core = require('@actions/core'); const core = require('@actions/core');
const { execSync } = require('child_process'); const { execFileSync } = require('child_process');
const { sshAgent } = require('./paths.js'); const { sshAgent } = require('./paths.js');
try { try {
// Kill the started SSH agent // Kill the started SSH agent
console.log('Stopping SSH agent'); console.log('Stopping SSH agent');
execSync(sshAgent, ['-k'], { stdio: 'inherit' }); execFileSync(sshAgent, ['-k'], { stdio: 'inherit' });
} catch (error) { } catch (error) {
console.log(error.message); console.log(error.message);
console.log('Error stopping the SSH agent, proceeding anyway'); console.log('Error stopping the SSH agent, proceeding anyway');

5
dist/cleanup.js vendored
View File

@@ -123,14 +123,13 @@ module.exports = require("child_process");
/***/ (function(__unusedmodule, __unusedexports, __webpack_require__) { /***/ (function(__unusedmodule, __unusedexports, __webpack_require__) {
const core = __webpack_require__(470); const core = __webpack_require__(470);
const { execSync } = __webpack_require__(129); const { execFileSync } = __webpack_require__(129);
const { sshAgent } = __webpack_require__(972); const { sshAgent } = __webpack_require__(972);
try { try {
// Kill the started SSH agent // Kill the started SSH agent
console.log('Stopping SSH agent'); console.log('Stopping SSH agent');
execSync(sshAgent, ['-k'], { stdio: 'inherit' }); execFileSync(sshAgent, ['-k'], { stdio: 'inherit' });
} catch (error) { } catch (error) {
console.log(error.message); console.log(error.message);
console.log('Error stopping the SSH agent, proceeding anyway'); console.log('Error stopping the SSH agent, proceeding anyway');

5
dist/index.js vendored
View File

@@ -135,8 +135,9 @@ try {
console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`); console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`);
fs.mkdirSync(homeSsh, { recursive: true }); fs.mkdirSync(homeSsh, { recursive: true });
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=\n');
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl\n');
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n'); fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n');
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-dss AAAAB3NzaC1kc3MAAACBANGFW2P9xlGU3zWrymJgI/lKo//ZW2WfVtmbsUZJ5uyKArtlQOT2+WRhcg4979aFxgKdcsqAYW3/LS1T2km3jYW/vr4Uzn+dXWODVk5VlUiZ1HFOHf6s6ITcZvjvdbp6ZbpM+DuJT7Bw+h5Fx8Qt8I16oCZYmAPJRtu46o9C2zk1AAAAFQC4gdFGcSbp5Gr0Wd5Ay/jtcldMewAAAIATTgn4sY4Nem/FQE+XJlyUQptPWMem5fwOcWtSXiTKaaN0lkk2p2snz+EJvAGXGq9dTSWHyLJSM2W6ZdQDqWJ1k+cL8CARAqL+UMwF84CR0m3hj+wtVGD/J4G5kW2DBAf4/bqzP4469lT+dF2FRQ2L9JKXrCWcnhMtJUvua8dvnwAAAIB6C4nQfAA7x8oLta6tT+oCk2WQcydNsyugE8vLrHlogoWEicla6cWPk7oXSspbzUcfkjN3Qa6e74PhRkc7JdSdAlFzU3m7LMkXo1MHgkqNX8glxWNVqBSc0YRdbFdTkL0C6gtpklilhvuHQCdbgB3LBAikcRkDp+FCVkUgPC/7Rw==\n');
console.log("Starting ssh-agent"); console.log("Starting ssh-agent");
@@ -170,7 +171,7 @@ try {
const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/i); const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/i);
if (!parts) { if (!parts) {
console.log(`Comment for key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`); console.log(`Comment for (public) key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
return; return;
} }

5
index.js
View File

@@ -18,8 +18,9 @@ try {
console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`); console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`);
fs.mkdirSync(homeSsh, { recursive: true }); fs.mkdirSync(homeSsh, { recursive: true });
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=\n');
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl\n');
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n'); fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n');
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-dss AAAAB3NzaC1kc3MAAACBANGFW2P9xlGU3zWrymJgI/lKo//ZW2WfVtmbsUZJ5uyKArtlQOT2+WRhcg4979aFxgKdcsqAYW3/LS1T2km3jYW/vr4Uzn+dXWODVk5VlUiZ1HFOHf6s6ITcZvjvdbp6ZbpM+DuJT7Bw+h5Fx8Qt8I16oCZYmAPJRtu46o9C2zk1AAAAFQC4gdFGcSbp5Gr0Wd5Ay/jtcldMewAAAIATTgn4sY4Nem/FQE+XJlyUQptPWMem5fwOcWtSXiTKaaN0lkk2p2snz+EJvAGXGq9dTSWHyLJSM2W6ZdQDqWJ1k+cL8CARAqL+UMwF84CR0m3hj+wtVGD/J4G5kW2DBAf4/bqzP4469lT+dF2FRQ2L9JKXrCWcnhMtJUvua8dvnwAAAIB6C4nQfAA7x8oLta6tT+oCk2WQcydNsyugE8vLrHlogoWEicla6cWPk7oXSspbzUcfkjN3Qa6e74PhRkc7JdSdAlFzU3m7LMkXo1MHgkqNX8glxWNVqBSc0YRdbFdTkL0C6gtpklilhvuHQCdbgB3LBAikcRkDp+FCVkUgPC/7Rw==\n');
console.log("Starting ssh-agent"); console.log("Starting ssh-agent");
@@ -53,7 +54,7 @@ try {
const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/i); const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/i);
if (!parts) { if (!parts) {
console.log(`Comment for key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`); console.log(`Comment for (public) key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
return; return;
} }