ops/ssh-agent
1
0
Fork 0
mirror of https://github.com/webfactory/ssh-agent.git synced 2026-03-15 07:49:07 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: ops:v0.6.0
Branches Tags
ops:master ops:mkdir-p ops:camilo/log-public-key ops:demo-go-get ops:debug-windows-ssh ops:deploy-key-wrapper
ops:v0.10.0 ops:v0.9.1 ops:v0.9.0 ops:v0.8.0 ops:v0.7.0 ops:v0.6.0 ops:v0.5.4 ops:v0.5.3 ops:v0.5.2 ops:v0.5.1 ops:v0.5.0 ops:v0.4.1 ops:v0.4.0 ops:v0.3.0 ops:v0.2.0 ops:v0.1.1 ops:v0.1.0
..
compare: ops:v0.7.0
Branches Tags
ops:master ops:mkdir-p ops:camilo/log-public-key ops:demo-go-get ops:debug-windows-ssh ops:deploy-key-wrapper
ops:v0.10.0 ops:v0.9.1 ops:v0.9.0 ops:v0.8.0 ops:v0.7.0 ops:v0.6.0 ops:v0.5.4 ops:v0.5.3 ops:v0.5.2 ops:v0.5.1 ops:v0.5.0 ops:v0.4.1 ops:v0.4.0 ops:v0.3.0 ops:v0.2.0 ops:v0.1.1 ops:v0.1.0

7 Commits
v0.6.0 ... v0.7.0

Author SHA1 Message Date
Matthias Pigulla
836c84ec59 Prepare a v0.7.0 release 2022-10-19 13:52:25 +00:00
Matthias Pigulla
8a9e20a586 Fix path to git binary on Windows runners (#140) 
This PR fixes an apparently wrong path to the `git` binary that was added in #136. 

According to https://github.com/actions/checkout/discussions/928#discussioncomment-3861581, the path should not contain the `usr/` part, although for `ssh-add` and `ssh-agent`, it has to.
 2022-10-19 14:55:54 +02:00
Matthias Pigulla
0a7dc1c09f Avoid nonsensical log message (#139) 
This change avoids the

`Comment for (public) key '' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`

log message that was caused by inappropriate parsing of `ssh-add -L` output and confused a lot of users already.
 2022-10-19 14:54:52 +02:00
j-riebe
b19b28d091 Explain how to use docker/build-push-action with deployment-key configs (#133) 
This PR adds a recipe for using `docker/build-push-action` with multiple Deploy Keys (#78) to the docs.
 2022-10-19 13:32:32 +02:00
Matthias Pigulla
2c78a1c5d1 Update the CHANGELOG 2022-10-19 11:28:57 +00:00
Oktawian Chojnacki
df2f741a87 Provide gitPath for Windows to avoid failures on windows-2022 (GitHub-hosted runner) (#137) 
### Problem:
Observed error on `windows-2022` ([GitHub-hosted runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources)) that `git` command cannot be found.

### Issue: 

Cannot find git executable on on windows-2022 (GitHub-hosted runner) #136 

### Solution:
This path improvement makes use of existing `path.js` to resolve and return correct `git.exe` path for Windows, leaving the executable name as it was for other operating systems.

### Caveats:
No idea how and why this `c://progra~1//git//usr//bin//git.exe` mumbo-jumbo works but it apparently did for other executables so figured it should work for `git.exe` (and it does).
 2022-10-19 13:27:50 +02:00
Camilo Celis Guzman
fbef2c7bd0 Add an action input/flag to disable logging of public key information (#122) 
This commit adds the new `log-public-key` action input.

Closes #122 (contains the suggested changes plus a few tweaks and documentation), fixes #100.

Co-authored-by: Matthias Pigulla <mp@webfactory.de>
 2022-10-19 10:42:05 +00:00
9 changed files with 114 additions and 62 deletions
Expand all files Collapse all files

13
CHANGELOG.md
View File

@@ -7,6 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
## v0.7.0 [2022-10-19]
### Added
* Add the `log-public-key` input that can be used to turn off logging key identities (#122)
### Fixed
* Fix path to `git` binary on Windows, assuming GitHub-hosted runners (#136, #137)
* Fix a nonsensical log message (#139)
## v0.6.0 [2022-10-19]
### Changed
@@ -29,7 +40,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Fixed
* Fixed cleanup phase to really terminate the ssh-agent (#80)
* Fix termination of ssh-agent also on workflow faiulre (#79)
* Fix termination of ssh-agent also on workflow failure (#79)
### Changed

41
README.md
View File

@@ -76,7 +76,16 @@ To support picking the right key in this use case, this action scans _key commen
3. For key comments containing such URLs, a Git config setting is written that uses [`url.<base>.insteadof`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-urlltbasegtinsteadOf). It will redirect `git` requests to URLs starting with either `https://github.com/owner/repo` or `git@github.com:owner/repo` to a fake hostname/URL like `git@...some.hash...:owner/repo`.
4. An SSH configuration section is generated that applies to the fake hostname. It will map the SSH connection back to `github.com`, while at the same time pointing SSH to a file containing the appropriate key's public part. That will make SSH use the right key when connecting to GitHub.com.
## Action Inputs
The following inputs can be used to control the action's behavior:
* `ssh-private-key`: Required. Use this to provide the key(s) to load as GitHub Actions secrets.
* `ssh-auth-sock`: Can be used to control where the SSH agent socket will be placed. Ultimately affects the `$SSH_AUTH_SOCK` environment variable.
* `log-public-key`: Set this to `false` if you want to suppress logging of _public_ key information. To simplify debugging and since it contains public key information only, this is turned on by default.
## Exported variables
The action exports the `SSH_AUTH_SOCK` and `SSH_AGENT_PID` environment variables through the Github Actions core module.
The `$SSH_AUTH_SOCK` is used by several applications like git or rsync to connect to the SSH authentication agent.
The `$SSH_AGENT_PID` contains the process id of the agent. This is used to kill the agent in post job action.
@@ -105,7 +114,7 @@ If you are using this action on container-based workflows, make sure the contain
If you are using the `docker/build-push-action`, and would like to pass the SSH key, you can do so by adding the following config to pass the socket file through:
```
```yml
- name: Build and push
id: docker_build
uses: docker/build-push-action@v2
@@ -114,6 +123,36 @@ If you are using the `docker/build-push-action`, and would like to pass the SSH
default=${{ env.SSH_AUTH_SOCK }}
```
### Using the `docker/build-push-action` Action together with multiple Deploy Keys
If you use the `docker/build-push-action` and want to use multiple GitHub deploy keys, you need to copy the git and ssh configuration to the container during the build. Otherwise, the Docker build process would still not know how to handle multiple deploy keys. Even if the ssh agent was set up correctly on the runner.
This requires an additional step in the actions workflow and two additional lines in the Dockerfile.
Workflow:
```yml
- name: Prepare git and ssh config for build context
run: |
mkdir root-config
cp -r ~/.gitconfig ~/.ssh root-config/
- name: Build and push
id: docker_build
uses: docker/build-push-action@v2
with:
ssh: |
default=${{ env.SSH_AUTH_SOCK }}
```
Dockerfile:
```Dockerfile
COPY root-config /root/
RUN sed 's|/home/runner|/root|g' -i.bak /root/.ssh/config
```
Have in mind that the Dockerfile now contains customized git and ssh configurations. If you don't want that in your final image, use multi-stage builds.
### Cargo's (Rust) Private Dependencies on Windows
If you are using private repositories in your dependencies like this:

4
action.yml
View File

@@ -6,6 +6,10 @@ inputs:
required: true
ssh-auth-sock:
description: 'Where to place the SSH Agent auth socket'
log-public-key:
description: 'Whether or not to log public key fingerprints'
required: false
default: true
runs:
using: 'node16'
main: 'dist/index.js'

4
cleanup.js
View File

@@ -1,11 +1,11 @@
const core = require('@actions/core');
const { execFileSync } = require('child_process');
const { sshAgent } = require('./paths.js');
const { sshAgentCmd } = require('./paths.js');
try {
// Kill the started SSH agent
console.log('Stopping SSH agent');
execFileSync(sshAgent, ['-k'], { stdio: 'inherit' });
execFileSync(sshAgentCmd, ['-k'], { stdio: 'inherit' });
} catch (error) {
console.log(error.message);
console.log('Error stopping the SSH agent, proceeding anyway');

24
dist/cleanup.js vendored
View File

@@ -599,12 +599,12 @@ exports.debug = debug; // for test
const core = __webpack_require__(470);
const { execFileSync } = __webpack_require__(129);
const { sshAgent } = __webpack_require__(972);
const { sshAgentCmd } = __webpack_require__(972);
try {
// Kill the started SSH agent
console.log('Stopping SSH agent');
execFileSync(sshAgent, ['-k'], { stdio: 'inherit' });
execFileSync(sshAgentCmd, ['-k'], { stdio: 'inherit' });
} catch (error) {
console.log(error.message);
console.log('Error stopping the SSH agent, proceeding anyway');
@@ -2824,23 +2824,21 @@ exports.default = _default;
const os = __webpack_require__(87);
module.exports = (process.env['OS'] != 'Windows_NT') ? {
// Use getent() system call, since this is what ssh does; makes a difference in Docker-based
// Action runs, where $HOME is different from the pwent
home: os.userInfo().homedir,
sshAgent: 'ssh-agent',
sshAdd: 'ssh-add'
homePath: os.userInfo().homedir,
sshAgentCmd: 'ssh-agent',
sshAddCmd: 'ssh-add',
gitCmd: 'git'
} : {
home: os.homedir(),
sshAgent: 'c://progra~1//git//usr//bin//ssh-agent.exe',
sshAdd: 'c://progra~1//git//usr//bin//ssh-add.exe'
// Assuming GitHub hosted `windows-*` runners for now
homePath: os.homedir(),
sshAgentCmd: 'c://progra~1//git//usr//bin//ssh-agent.exe',
sshAddCmd: 'c://progra~1//git//usr//bin//ssh-add.exe',
gitCmd: 'c://progra~1//git//bin//git.exe'
};
/***/ })
/******/ });

44
dist/index.js vendored
View File

@@ -322,10 +322,11 @@ const core = __webpack_require__(470);
const child_process = __webpack_require__(129);
const fs = __webpack_require__(747);
const crypto = __webpack_require__(417);
const { home, sshAgent, sshAdd } = __webpack_require__(972);
const { homePath, sshAgentCmd, sshAddCmd, gitCmd } = __webpack_require__(972);
try {
const privateKey = core.getInput('ssh-private-key');
const logPublicKey = core.getBooleanInput('log-public-key', {default: true});
if (!privateKey) {
core.setFailed("The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file.");
@@ -333,7 +334,7 @@ try {
return;
}
const homeSsh = home + '/.ssh';
const homeSsh = homePath + '/.ssh';
console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`);
@@ -348,7 +349,7 @@ try {
const sshAgentArgs = (authSock && authSock.length > 0) ? ['-a', authSock] : [];
// Extract auth socket path and agent pid and set them as job variables
child_process.execFileSync(sshAgent, sshAgentArgs).toString().split("\n").forEach(function(line) {
child_process.execFileSync(sshAgentCmd, sshAgentArgs).toString().split("\n").forEach(function(line) {
const matches = /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=(.*); export \1/.exec(line);
if (matches && matches.length > 0) {
@@ -361,21 +362,22 @@ try {
console.log("Adding private key(s) to agent");
privateKey.split(/(?=-----BEGIN)/).forEach(function(key) {
child_process.execFileSync(sshAdd, ['-'], { input: key.trim() + "\n" });
child_process.execFileSync(sshAddCmd, ['-'], { input: key.trim() + "\n" });
});
console.log("Key(s) added:");
child_process.execFileSync(sshAdd, ['-l'], { stdio: 'inherit' });
child_process.execFileSync(sshAddCmd, ['-l'], { stdio: 'inherit' });
console.log('Configuring deployment key(s)');
child_process.execFileSync(sshAdd, ['-L']).toString().split(/\r?\n/).forEach(function(key) {
child_process.execFileSync(sshAddCmd, ['-L']).toString().trim().split(/\r?\n/).forEach(function(key) {
const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/i);
if (!parts) {
console.log(`Comment for (public) key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
if (logPublicKey) {
console.log(`Comment for (public) key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
}
return;
}
@@ -384,9 +386,9 @@ try {
fs.writeFileSync(`${homeSsh}/key-${sha256}`, key + "\n", { mode: '600' });
child_process.execSync(`git config --global --replace-all url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "https://github.com/${ownerAndRepo}"`);
child_process.execSync(`git config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "git@github.com:${ownerAndRepo}"`);
child_process.execSync(`git config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "ssh://git@github.com/${ownerAndRepo}"`);
child_process.execSync(`${gitCmd} config --global --replace-all url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "https://github.com/${ownerAndRepo}"`);
child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "git@github.com:${ownerAndRepo}"`);
child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "ssh://git@github.com/${ownerAndRepo}"`);
const sshConfig = `\nHost key-${sha256}.github.com\n`
+ ` HostName github.com\n`
@@ -2901,23 +2903,21 @@ exports.default = _default;
const os = __webpack_require__(87);
module.exports = (process.env['OS'] != 'Windows_NT') ? {
// Use getent() system call, since this is what ssh does; makes a difference in Docker-based
// Action runs, where $HOME is different from the pwent
home: os.userInfo().homedir,
sshAgent: 'ssh-agent',
sshAdd: 'ssh-add'
homePath: os.userInfo().homedir,
sshAgentCmd: 'ssh-agent',
sshAddCmd: 'ssh-add',
gitCmd: 'git'
} : {
home: os.homedir(),
sshAgent: 'c://progra~1//git//usr//bin//ssh-agent.exe',
sshAdd: 'c://progra~1//git//usr//bin//ssh-add.exe'
// Assuming GitHub hosted `windows-*` runners for now
homePath: os.homedir(),
sshAgentCmd: 'c://progra~1//git//usr//bin//ssh-agent.exe',
sshAddCmd: 'c://progra~1//git//usr//bin//ssh-add.exe',
gitCmd: 'c://progra~1//git//bin//git.exe'
};
/***/ })
/******/ });

24
index.js
View File

@@ -2,10 +2,11 @@ const core = require('@actions/core');
const child_process = require('child_process');
const fs = require('fs');
const crypto = require('crypto');
const { home, sshAgent, sshAdd } = require('./paths.js');
const { homePath, sshAgentCmd, sshAddCmd, gitCmd } = require('./paths.js');
try {
const privateKey = core.getInput('ssh-private-key');
const logPublicKey = core.getBooleanInput('log-public-key', {default: true});
if (!privateKey) {
core.setFailed("The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file.");
@@ -13,7 +14,7 @@ try {
return;
}
const homeSsh = home + '/.ssh';
const homeSsh = homePath + '/.ssh';
console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`);
@@ -28,7 +29,7 @@ try {
const sshAgentArgs = (authSock && authSock.length > 0) ? ['-a', authSock] : [];
// Extract auth socket path and agent pid and set them as job variables
child_process.execFileSync(sshAgent, sshAgentArgs).toString().split("\n").forEach(function(line) {
child_process.execFileSync(sshAgentCmd, sshAgentArgs).toString().split("\n").forEach(function(line) {
const matches = /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=(.*); export \1/.exec(line);
if (matches && matches.length > 0) {
@@ -41,21 +42,22 @@ try {
console.log("Adding private key(s) to agent");
privateKey.split(/(?=-----BEGIN)/).forEach(function(key) {
child_process.execFileSync(sshAdd, ['-'], { input: key.trim() + "\n" });
child_process.execFileSync(sshAddCmd, ['-'], { input: key.trim() + "\n" });
});
console.log("Key(s) added:");
child_process.execFileSync(sshAdd, ['-l'], { stdio: 'inherit' });
child_process.execFileSync(sshAddCmd, ['-l'], { stdio: 'inherit' });
console.log('Configuring deployment key(s)');
child_process.execFileSync(sshAdd, ['-L']).toString().split(/\r?\n/).forEach(function(key) {
child_process.execFileSync(sshAddCmd, ['-L']).toString().trim().split(/\r?\n/).forEach(function(key) {
const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/i);
if (!parts) {
console.log(`Comment for (public) key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
if (logPublicKey) {
console.log(`Comment for (public) key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
}
return;
}
@@ -64,9 +66,9 @@ try {
fs.writeFileSync(`${homeSsh}/key-${sha256}`, key + "\n", { mode: '600' });
child_process.execSync(`git config --global --replace-all url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "https://github.com/${ownerAndRepo}"`);
child_process.execSync(`git config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "git@github.com:${ownerAndRepo}"`);
child_process.execSync(`git config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "ssh://git@github.com/${ownerAndRepo}"`);
child_process.execSync(`${gitCmd} config --global --replace-all url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "https://github.com/${ownerAndRepo}"`);
child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "git@github.com:${ownerAndRepo}"`);
child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "ssh://git@github.com/${ownerAndRepo}"`);
const sshConfig = `\nHost key-${sha256}.github.com\n`
+ ` HostName github.com\n`

2
package.json
View File

@@ -2,7 +2,7 @@
"name": "webfactory-action-ssh-agent",
"repository": "git@github.com:webfactory/ssh-agent.git",
"description": "GitHub Action to set up ssh-agent with a private SSH key",
"version": "0.6.0",
"version": "0.7.0",
"main": "index.js",
"author": "webfactory GmbH <info@webfactory.de>",
"license": "MIT",

20
paths.js
View File

@@ -1,18 +1,16 @@
const os = require('os');
module.exports = (process.env['OS'] != 'Windows_NT') ? {
// Use getent() system call, since this is what ssh does; makes a difference in Docker-based
// Action runs, where $HOME is different from the pwent
home: os.userInfo().homedir,
sshAgent: 'ssh-agent',
sshAdd: 'ssh-add'
homePath: os.userInfo().homedir,
sshAgentCmd: 'ssh-agent',
sshAddCmd: 'ssh-add',
gitCmd: 'git'
} : {
home: os.homedir(),
sshAgent: 'c://progra~1//git//usr//bin//ssh-agent.exe',
sshAdd: 'c://progra~1//git//usr//bin//ssh-add.exe'
// Assuming GitHub hosted `windows-*` runners for now
homePath: os.homedir(),
sshAgentCmd: 'c://progra~1//git//usr//bin//ssh-agent.exe',
sshAddCmd: 'c://progra~1//git//usr//bin//ssh-add.exe',
gitCmd: 'c://progra~1//git//bin//git.exe'
};