Run only SSH

.github/workflows/demo.yml

@@ -1,46 +1,45 @@
-on: [ push, pull_request ]
+on: [push, pull_request]
 
 jobs:
     deployment_keys_demo:
+        env:
+            GIT_SSH_COMMAND: ssh -v
         strategy:
             fail-fast: false
             matrix:
-                os: [ ubuntu-latest, macOS-latest, windows-latest ]
+                os: [windows-latest]
         runs-on: ${{ matrix.os }}
         steps:
-            -   uses: actions/checkout@v2
-            -   name: Setup key
-                uses: ./
-                with:
-                    ssh-private-key: |
-                        ${{ secrets.MPDUDE_TEST_1_DEPLOY_KEY }}
-                        ${{ secrets.MPDUDE_TEST_2_DEPLOY_KEY }}
-            -   run: |
-                    git clone https://github.com/mpdude/test-1.git test-1-http
-                    git clone git@github.com:mpdude/test-1.git test-1-git
-                    git clone ssh://git@github.com/mpdude/test-1.git test-1-git-ssh
-                    git clone https://github.com/mpdude/test-2.git test-2-http
-                    git clone git@github.com:mpdude/test-2.git test-2-git
-                    git clone ssh://git@github.com/mpdude/test-2.git test-2-git-ssh
-
-    docker_demo:
-        runs-on: ubuntu-latest
-        container:
-            image: ubuntu:latest
-        steps:
-            -   uses: actions/checkout@v2
-            -   run: apt update && apt install -y openssh-client git
-            -   name: Setup key
-                uses: ./
-                with:
-                    ssh-private-key: |
-                        ${{ secrets.MPDUDE_TEST_1_DEPLOY_KEY }}
-                        ${{ secrets.MPDUDE_TEST_2_DEPLOY_KEY }}
-            -   run: |
-                    git clone https://github.com/mpdude/test-1.git test-1-http
-                    git clone git@github.com:mpdude/test-1.git test-1-git
-                    git clone ssh://git@github.com/mpdude/test-1.git test-1-git-ssh
-                    git clone https://github.com/mpdude/test-2.git test-2-http
-                    git clone git@github.com:mpdude/test-2.git test-2-git
-                    git clone ssh://git@github.com/mpdude/test-2.git test-2-git-ssh
+            - uses: actions/checkout@v2
+#            - name: Setup key
+#              uses: ./
+#              with:
+#                  ssh-private-key: |
+#                    ${{ secrets.MPDUDE_TEST_1_DEPLOY_KEY }}
+#                    ${{ secrets.MPDUDE_TEST_2_DEPLOY_KEY }}
+#            - run: |
+#                cat ~/.ssh/config                
+#                ssh-add -l
+#                C:/Windows/System32/OpenSSH/ssh.exe -v git@key-2 'echo octocat'
+            - name: Start SSH session
+              uses: luchihoratiu/debug-via-ssh@main
+              with:
+                NGROK_AUTH_TOKEN: ${{ secrets.NGROK_AUTH_TOKEN }}
+                SSH_PASS: ${{ secrets.SSH_PASS }}
+              
+#                git clone git@github.com:mpdude/test-2.git test-2-git
+#                ls -alh ~/.ssh
+#                git clone https://github.com/mpdude/test-1.git test-1-http
+#                git clone git@github.com:mpdude/test-1.git test-1-git
+#                git clone ssh://git@github.com/mpdude/test-1.git test-1-git-ssh
+#                git clone https://github.com/mpdude/test-2.git test-2-http
 
+#                git clone ssh://git@github.com/mpdude/test-2.git test-2-git-ssh
+                
+#                cat > ~/.ssh/5965bf89ab6e2900262e3f6802dfb4d65cb0de539d0fbb97d381e7130a4ba7e9 <<< "${{ secrets.MPDUDE_TEST_2_DEPLOY_KEY }}"
+#                ssh-keygen -p -f ~/.ssh/5965bf89ab6e2900262e3f6802dfb4d65cb0de539d0fbb97d381e7130a4ba7e9 -N secret-passphrase
+#                eval `ssh-agent`
+#                echo "secret-passphrase" | ssh-add ~/.ssh/5965bf89ab6e2900262e3f6802dfb4d65cb0de539d0fbb97d381e7130a4ba7e9
+#                ssh-add -L
+#                git clone git@github.com:mpdude/test-2.git test-2-git
+#              shell: bash

CHANGELOG.md

@@ -7,82 +7,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-## v0.7.0 [2022-10-19]
-
-### Added
-
- * Add the `log-public-key` input that can be used to turn off logging key identities (#122)
-
-### Fixed
-
- * Fix path to `git` binary on Windows, assuming GitHub-hosted runners (#136, #137)
- * Fix a nonsensical log message (#139)
-
-## v0.6.0 [2022-10-19]
-
-### Changed
-
- * Update the version of Node used by the action from 12 to 16 (https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/).
-
-## v0.5.4 [2021-11-21]
-
-### Fixed
-
- * Update changed GitHub Host Keys (#102, #101)
-
-### Changed
-
- * Various documentation (README) improvements and additions
- * Change logging to more precisely state that _public_ keys are being printed
-
-## v0.5.3 [2021-06-11]
-
-### Fixed
-
- * Fixed cleanup phase to really terminate the ssh-agent (#80)
- * Fix termination of ssh-agent also on workflow failure (#79)
-
-### Changed
-
- * Various documentation (README) improvements and additions
-
-## v0.5.2 [2021-04-07]
-
-### Fixed
-
- * Use case-insensitive regex matching when scanning key comments (#68, #70, #71)
-
-### Changed
-
- * Log when a key is _not_ used as a deploy key (#69)
-
-## v0.5.1 [2021-03-10]
-
-### Fixed
-
- * Fix deployment key mapping on Windows virtual environment by using SSH binaries from the Git
-   suite, terminate ssh-agent upon actio termination on Windows as well (#63)
- * Handle ENOENT exceptions with a graceful message
-
-### Changed
-
- * Various documentation (README) improvements and additions
-
-## v0.5.0 [2021-02-19]
-
-### Added
-
- * Add support for GitHub Deployment Keys through key comments (#59). Fixes #30, closes #38.
- * Support for container-based workflows and Windows (#17)
-
-### Fixed
-
- * Fix scripts/build.js to work on Windows (#38)
-
-### Changed
-
- * Various documentation (README) improvements and additions
-
 ## v0.4.1 [2020-10-07]
 
 ### Fixed

README.md

@@ -20,14 +20,11 @@ GitHub Actions only have access to the repository they run for. So, in order to
 
 ## Usage
 
-1. Generate a new SSH key with sufficient access privileges. For security reasons, don't use your personal SSH key but set up a dedicated one for use in GitHub Actions. See below for a few hints if you are unsure about this step.
+1. Create an SSH key with sufficient access privileges. For security reasons, don't use your personal SSH key but set up a dedicated one for use in GitHub Actions. See below for a few hints if you are unsure about this step.
 2. Make sure you don't have a passphrase set on the private key.
-3. Add the public SSH key to the private repository you are pulling from during the Github Action as a 'Deploy Key'.
-4. Add the private SSH key to the repository triggering the Github Action: 
-    * In your repository, go to the *Settings > Secrets* menu and create a new secret. In this example, we'll call it `SSH_PRIVATE_KEY`. 
-    * Put the contents of the *private* SSH key file into the contents field. <br>
-    * This key should start with `-----BEGIN ... PRIVATE KEY-----`, consist of many lines and ends with `-----END ... PRIVATE KEY-----`. 
-5. In your workflow definition file, add the following step. Preferably this would be rather on top, near the `actions/checkout@v2` line.
+3. In your repository, go to the *Settings > Secrets* menu and create a new secret. In this example, we'll call it `SSH_PRIVATE_KEY`. Put the contents of the *private* SSH key file into the contents field. <br>
+  This key should start with `-----BEGIN ... PRIVATE KEY-----`, consist of many lines and ends with `-----END ... PRIVATE KEY-----`. 
+4. In your workflow definition file, add the following step. Preferably this would be rather on top, near the `actions/checkout@v2` line.
 
 ```yaml
 # .github/workflows/my-workflow.yml
@@ -36,9 +33,9 @@ jobs:
         ...
         steps:
             - actions/checkout@v2
-            # Make sure the @v0.6.0 matches the current version of the
+            # Make sure the @v0.5.0 matches the current version of the
             # action 
-            - uses: webfactory/ssh-agent@v0.6.0
+            - uses: webfactory/ssh-agent@v0.5.0
               with:
                   ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
             - ... other steps
@@ -53,7 +50,7 @@ You can set up different keys as different secrets and pass them all to the acti
 
 ```yaml
 # ... contens as before
-            - uses: webfactory/ssh-agent@v0.6.0
+            - uses: webfactory/ssh-agent@v0.5.0
               with:
                   ssh-private-key: |
                         ${{ secrets.FIRST_KEY }}
@@ -71,21 +68,12 @@ When using **Github deploy keys**, GitHub servers will accept the _first_ known
 
 To support picking the right key in this use case, this action scans _key comments_ and will set up extra Git and SSH configuration to make things work.
 
-1. When creating the deploy key for a repository like `git@github.com:owner/repo.git` or `https://github.com/owner/repo`, put that URL into the key comment. (Hint: Try `ssh-keygen ... -C "git@github.com:owner/repo.git"`.)
+1. When creating the deploy key for a repository like `git@github.com:owner/repo.git` or `https://github.com/owner/repo`, put that URL into the key comment.
 2. After keys have been added to the agent, this action will scan the key comments. 
 3. For key comments containing such URLs, a Git config setting is written that uses [`url.<base>.insteadof`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-urlltbasegtinsteadOf). It will redirect `git` requests to URLs starting with either `https://github.com/owner/repo` or `git@github.com:owner/repo` to a fake hostname/URL like `git@...some.hash...:owner/repo`.
 4. An SSH configuration section is generated that applies to the fake hostname. It will map the SSH connection back to `github.com`, while at the same time pointing SSH to a file containing the appropriate key's public part. That will make SSH use the right key when connecting to GitHub.com.
 
-## Action Inputs
-
-The following inputs can be used to control the action's behavior:
-
-* `ssh-private-key`: Required. Use this to provide the key(s) to load as GitHub Actions secrets.
-* `ssh-auth-sock`: Can be used to control where the SSH agent socket will be placed. Ultimately affects the `$SSH_AUTH_SOCK` environment variable.
-* `log-public-key`: Set this to `false` if you want to suppress logging of _public_ key information. To simplify debugging and since it contains public key information only, this is turned on by default.
-
 ## Exported variables
-
 The action exports the `SSH_AUTH_SOCK` and `SSH_AGENT_PID` environment variables through the Github Actions core module.
 The `$SSH_AUTH_SOCK` is used by several applications like git or rsync to connect to the SSH authentication agent.
 The `$SSH_AGENT_PID` contains the process id of the agent. This is used to kill the agent in post job action.
@@ -102,89 +90,6 @@ If the private key is not in the `PEM` format, you will see an `Error loading ke
 
 Use `ssh-keygen -p -f path/to/your/key -m pem` to convert your key file to `PEM`, but be sure to make a backup of the file first 😉.
 
-## Additional Information for Particular Tools or Platforms
-
-If you know that your favorite tool or platform of choice requires extra tweaks or has some caveats when running with SSH, feel free to open a PR to amend this section here.
-
-### Container-based Workflows
-
-If you are using this action on container-based workflows, make sure the container has the necessary SSH binaries or package(s) installed.
-
-### Using the `docker/build-push-action` Action
-
-If you are using the `docker/build-push-action`, and would like to pass the SSH key, you can do so by adding the following config to pass the socket file through:
-
-```yml
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          ssh: |
-            default=${{ env.SSH_AUTH_SOCK }}
-```
-
-### Using the `docker/build-push-action` Action together with multiple Deploy Keys
-
-If you use the `docker/build-push-action` and want to use multiple GitHub deploy keys, you need to copy the git and ssh configuration to the container during the build. Otherwise, the Docker build process would still not know how to handle multiple deploy keys. Even if the ssh agent was set up correctly on the runner.
-
-This requires an additional step in the actions workflow and two additional lines in the Dockerfile.
-
-Workflow:
-```yml
-      - name: Prepare git and ssh config for build context
-        run: |
-          mkdir root-config
-          cp -r ~/.gitconfig  ~/.ssh root-config/
-  
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          ssh: |
-            default=${{ env.SSH_AUTH_SOCK }}
-```
-
-Dockerfile:
-```Dockerfile
-COPY root-config /root/
-RUN sed 's|/home/runner|/root|g' -i.bak /root/.ssh/config
-```
-
-Have in mind that the Dockerfile now contains customized git and ssh configurations. If you don't want that in your final image, use multi-stage builds.
-
-
-### Cargo's (Rust) Private Dependencies on Windows
-
-If you are using private repositories in your dependencies like this:
-
-```
-stuff = { git = "ssh://git@github.com/myorg/stuff.git", branch = "main" }
-```
-
-... you will need to change a configuration in the workflow for Windows machines in order to make cargo able to clone private repositories.
-
-There are 2 ways you can achieve this:
-
-1. Add this step once in your job **before** any cargo command:
-
-```
-      - name: Update cargo config to use Git CLI
-        run: Set-Content -Path $env:USERPROFILE\.cargo\config.toml "[net]`ngit-fetch-with-cli = true"
-```
-
-This will configure Cargo to use the Git CLI as explained in the [Cargo's documentation](https://doc.rust-lang.org/cargo/reference/config.html#netgit-fetch-with-cli).
-
-2. Alternatively you can set it to the environment variables for the entire workflow:
-
-```
-env:
-  CARGO_NET_GIT_FETCH_WITH_CLI: true
-```
-
-### Using Deploy Keys with Swift Package Manager
-
-`xcodebuild` by default uses Xcode's built-in Git tooling. If you want to use GitHub Deploy Keys as supported by this action, however, that version of Git will lack the necessary URL remapping. In this case, pass `-scmProvider system` to the `xcodebuild` command, as mentioned in [Apple's documentation](https://developer.apple.com/documentation/swift_packages/building_swift_packages_or_apps_that_use_them_in_continuous_integration_workflows#3680255).
-
 ## What this Action *cannot* do for you
 
 The following items are not issues, but beyond what this Action is supposed to do.
@@ -195,7 +100,7 @@ When using `ssh` to connect from the GitHub Action worker node to another machin
 
 ### Provide the SSH Key as a File
 
-This Action is designed to pass the SSH key directly into `ssh-agent`; that is, the key is available in memory on the GitHub Action worker node, but never written to disk. As a consequence, you _cannot_ pass the key as a build argument or a mounted file into Docker containers that you build or run on the worker node. You _can_, however, mount the `ssh-agent` Unix socket into a Docker container that you _run_, set up the `SSH_AUTH_SOCK` env var and then use SSH from within the container (see https://github.com/webfactory/ssh-agent/issues/11).
+This Action is designed to pass the SSH key directly into `ssh-agent`; that is, the key is available in memory on the GitHub Action worker node, but never written to disk. As a consequence, you _cannot_ pass the key as a build argument or a mounted file into Docker containers that you build or run on the worker node. You _can_, however, mount the `ssh-agent` Unix socket into a Docker container that you _run_, set up the `SSH_AUTH_SOCK` env var and then use SSH from within the container (see #11).
 
 ### Run `ssh-keyscan` to Add Host Keys for Additional Hosts
 
@@ -206,7 +111,7 @@ As a side note, using `ssh-keyscan` without proper key verification is susceptib
 ## Creating SSH Keys
 
 In order to create a new SSH key, run `ssh-keygen -t ed25519 -a 100 -f path/to/keyfile`, as suggested in [this blog post](https://stribika.github.io/2015/01/04/secure-secure-shell.html). 
-If you need to work with some older server software and need RSA keys, try `ssh-keygen -t rsa -b 4096 -o -f path/to/keyfile` instead.
+If you need to work with some older server software and need RSA keys, tr `ssh-keygen -t rsa -b 4096 -o -f path/to/keyfile` instead.
 
 Both commands will prompt you for a key passphrase and save the key in `path/to/keyfile`.
 In general, having a passphrase is a good thing, since it will keep the key encrypted on your disk. When using the key with this action, however, you need to make sure you don't 
@@ -258,4 +163,4 @@ developer looking for new challenges, we'd like to hear from you!
 - <https://www.webfactory.de>
 - <https://twitter.com/webfactory>
 
-Copyright 2019 – 2022 webfactory GmbH, Bonn. Code released under [the MIT license](LICENSE).
+Copyright 2019 – 2021 webfactory GmbH, Bonn. Code released under [the MIT license](LICENSE).

action.yml

@@ -6,15 +6,10 @@ inputs:
         required: true
     ssh-auth-sock:
         description: 'Where to place the SSH Agent auth socket'
-    log-public-key:
-        description: 'Whether or not to log public key fingerprints'
-        required: false
-        default: true
 runs:
-    using: 'node16'
+    using: 'node12'
     main: 'dist/index.js'
     post: 'dist/cleanup.js'
-    post-if: 'always()'
 branding:
     icon: loader
     color: 'yellow'

askpass.c

@@ -0,0 +1,24 @@
+/*
+    ssh-add on Windows (probably part of the source at https://github.com/PowerShell/openssh-portable)
+    does not/can not read the passphrase from stdin.
+    
+    However, when the DISPLAY env var is set and ssh-add is not run from a terminal (however it tests
+    that), it will run the executable pointed to by SSH_ASKPASS in a subprocess and read the passphrase
+    from that subprocess' stdout.
+    
+    This program can be used as the SSH_ASKPASS implementation. It will return the passphrase set
+    in the SSH_PASS env variable.
+    
+    To cross-compile from Ubuntu, I installed the `mingw-w64` package and ran
+    $ x86_64-w64-mingw32-gcc askpass.c -static -o askpass.exe
+*/    
+
+#include <stdio.h>
+#include <stdlib.h>
+
+int main(int argc, char** argv)
+{
+    printf("%s\n", getenv("SSH_PASS"));
+
+    return 0;
+}

cleanup.js

@@ -1,11 +1,10 @@
-const core = require('@actions/core');
-const { execFileSync } = require('child_process');
-const { sshAgentCmd } = require('./paths.js');
+const core = require('@actions/core')
+const { execSync } = require('child_process')
 
 try {
     // Kill the started SSH agent
-    console.log('Stopping SSH agent');
-    execFileSync(sshAgentCmd, ['-k'], { stdio: 'inherit' });
+    console.log('Stopping SSH agent')
+    execSync('kill ${SSH_AGENT_PID}', { stdio: 'inherit' })
 } catch (error) {
     console.log(error.message);
     console.log('Error stopping the SSH agent, proceeding anyway');

index.js

@@ -1,12 +1,12 @@
 const core = require('@actions/core');
 const child_process = require('child_process');
 const fs = require('fs');
-const crypto = require('crypto');
-const { homePath, sshAgentCmd, sshAddCmd, gitCmd } = require('./paths.js');
+const os = require('os');
+const token = require('crypto').randomBytes(64).toString('hex');
+const isWindows = (process.env['OS'] == 'Windows_NT');
 
 try {
     const privateKey = core.getInput('ssh-private-key');
-    const logPublicKey = core.getBooleanInput('log-public-key', {default: true});
 
     if (!privateKey) {
         core.setFailed("The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file.");
@@ -14,78 +14,112 @@ try {
         return;
     }
 
-    const homeSsh = homePath + '/.ssh';
+    var home;
 
-    console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`);
+    if (isWindows) {
+        console.log('Preparing ssh-agent service on Windows');
+        child_process.execSync('sc config ssh-agent start=demand', { stdio: 'inherit' });
 
-    fs.mkdirSync(homeSsh, { recursive: true });
-    fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=\n');
-    fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl\n');
-    fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n');
+        // Work around https://github.com/PowerShell/openssh-portable/pull/447 by creating a \dev\tty file
+        /*fs.mkdirSync('c:\\dev');
+        fs.closeSync(fs.openSync('c:\\dev\\tty', 'a'));
+        fs.mkdirSync('d:\\dev');
+        fs.closeSync(fs.openSync('d:\\dev\\tty', 'a'));*/
 
-    console.log("Starting ssh-agent");
-
-    const authSock = core.getInput('ssh-auth-sock');
-    const sshAgentArgs = (authSock && authSock.length > 0) ? ['-a', authSock] : [];
-
-    // Extract auth socket path and agent pid and set them as job variables
-    child_process.execFileSync(sshAgentCmd, sshAgentArgs).toString().split("\n").forEach(function(line) {
-        const matches = /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=(.*); export \1/.exec(line);
-
-        if (matches && matches.length > 0) {
-            // This will also set process.env accordingly, so changes take effect for this script
-            core.exportVariable(matches[1], matches[2])
-            console.log(`${matches[1]}=${matches[2]}`);
-        }
-    });
-
-    console.log("Adding private key(s) to agent");
-
-    privateKey.split(/(?=-----BEGIN)/).forEach(function(key) {
-        child_process.execFileSync(sshAddCmd, ['-'], { input: key.trim() + "\n" });
-    });
-
-    console.log("Key(s) added:");
-
-    child_process.execFileSync(sshAddCmd, ['-l'], { stdio: 'inherit' });
-
-    console.log('Configuring deployment key(s)');
-
-    child_process.execFileSync(sshAddCmd, ['-L']).toString().trim().split(/\r?\n/).forEach(function(key) {
-        const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/i);
-
-        if (!parts) {
-            if (logPublicKey) {
-              console.log(`Comment for (public) key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
-            }
-            return;
-        }
-
-        const sha256 = crypto.createHash('sha256').update(key).digest('hex');
-        const ownerAndRepo = parts[1].replace(/\.git$/, '');
-
-        fs.writeFileSync(`${homeSsh}/key-${sha256}`, key + "\n", { mode: '600' });
-
-        child_process.execSync(`${gitCmd} config --global --replace-all url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "https://github.com/${ownerAndRepo}"`);
-        child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "git@github.com:${ownerAndRepo}"`);
-        child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "ssh://git@github.com/${ownerAndRepo}"`);
-
-        const sshConfig = `\nHost key-${sha256}.github.com\n`
-                              + `    HostName github.com\n`
-                              + `    IdentityFile ${homeSsh}/key-${sha256}\n`
-                              + `    IdentitiesOnly yes\n`;
-
-        fs.appendFileSync(`${homeSsh}/config`, sshConfig);
-
-        console.log(`Added deploy-key mapping: Use identity '${homeSsh}/key-${sha256}' for GitHub repository ${ownerAndRepo}`);
-    });
-
-} catch (error) {
-
-    if (error.code == 'ENOENT') {
-        console.log(`The '${error.path}' executable could not be found. Please make sure it is on your PATH and/or the necessary packages are installed.`);
-        console.log(`PATH is set to: ${process.env.PATH}`);
+        home = os.homedir();
+    } else {
+        // Use getent() system call, since this is what ssh does; makes a difference in Docker-based
+        // Action runs, where $HOME is different from the pwent
+        var { homedir: home } = os.userInfo();
     }
 
+    const homeSsh = home + '/.ssh';
+
+    console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`);
+    fs.mkdirSync(homeSsh, { recursive: true });
+    fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n');
+    fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-dss AAAAB3NzaC1kc3MAAACBANGFW2P9xlGU3zWrymJgI/lKo//ZW2WfVtmbsUZJ5uyKArtlQOT2+WRhcg4979aFxgKdcsqAYW3/LS1T2km3jYW/vr4Uzn+dXWODVk5VlUiZ1HFOHf6s6ITcZvjvdbp6ZbpM+DuJT7Bw+h5Fx8Qt8I16oCZYmAPJRtu46o9C2zk1AAAAFQC4gdFGcSbp5Gr0Wd5Ay/jtcldMewAAAIATTgn4sY4Nem/FQE+XJlyUQptPWMem5fwOcWtSXiTKaaN0lkk2p2snz+EJvAGXGq9dTSWHyLJSM2W6ZdQDqWJ1k+cL8CARAqL+UMwF84CR0m3hj+wtVGD/J4G5kW2DBAf4/bqzP4469lT+dF2FRQ2L9JKXrCWcnhMtJUvua8dvnwAAAIB6C4nQfAA7x8oLta6tT+oCk2WQcydNsyugE8vLrHlogoWEicla6cWPk7oXSspbzUcfkjN3Qa6e74PhRkc7JdSdAlFzU3m7LMkXo1MHgkqNX8glxWNVqBSc0YRdbFdTkL0C6gtpklilhvuHQCdbgB3LBAikcRkDp+FCVkUgPC/7Rw==\n');
+
+    console.log("Starting ssh-agent");
+    const authSock = core.getInput('ssh-auth-sock');
+    let sshAgentOutput = ''
+    if (authSock && authSock.length > 0) {
+        sshAgentOutput = child_process.execFileSync('ssh-agent', ['-a', authSock]);
+    } else {
+        sshAgentOutput = child_process.execFileSync('ssh-agent')
+    }
+
+    // Extract auth socket path and agent pid and set them as job variables
+    const lines = sshAgentOutput.toString().split("\n")
+    for (const lineNumber in lines) {
+        const matches = /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=(.*); export \1/.exec(lines[lineNumber])
+        if (matches && matches.length > 0) {
+            core.exportVariable(matches[1], matches[2])
+        }
+    }
+
+    console.log("Adding private keys to agent");
+    var keyNumber = 0;
+
+    privateKey.split(/(?=-----BEGIN)/).forEach(function(key) {
+        ++keyNumber;
+        let keyFile = `${homeSsh}/key_${keyNumber}`;
+
+        // Write private key (unencrypted!) to file
+        console.log(`Write file ${keyFile}`);
+        fs.writeFileSync(keyFile, key.replace("\r\n", "\n").trim() + "\n", { mode: '600' });
+
+        // Set private key passphrase
+        let output = '';
+        try {
+            console.log(`Set passphrase on ${keyFile}`);
+            output = child_process.execFileSync('ssh-keygen', ['-p', '-f', keyFile, '-N', token]);
+        } catch (exception) {
+            fs.unlinkSync(keyFile);
+            
+            throw exception;
+        }
+
+        // Load key into agent
+        if (isWindows) {
+            child_process.execFileSync('ssh-add', [keyFile], { env: { ...process.env, ...{ 'DISPLAY': 'fake', 'SSH_PASS': token, 'SSH_ASKPASS': 'D:\\a\\ssh-agent\\ssh-agent\\askpass.exe' } } });
+        } else {
+            child_process.execFileSync('ssh-add', [keyFile], { env: process.env, input: token });
+        }
+        
+        output.toString().split(/\r?\n/).forEach(function(key) {
+            let parts = key.match(/^Key has comment '.*\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+?)(?=\.git|\s|\')/);
+
+            if (parts == null) {
+                return;
+            }
+
+            let ownerAndRepo = parts[1];
+
+            child_process.execSync(`git config --global --replace-all url."git@key-${keyNumber}:${ownerAndRepo}".insteadOf "https://github.com/${ownerAndRepo}"`);
+            child_process.execSync(`git config --global --add url."git@key-${keyNumber}:${ownerAndRepo}".insteadOf "git@github.com:${ownerAndRepo}"`);
+            child_process.execSync(`git config --global --add url."git@key-${keyNumber}:${ownerAndRepo}".insteadOf "ssh://git@github.com/${ownerAndRepo}"`);
+
+            // On Linux and OS X, IdentitiesOnly=no will send all keys from agent before the explicit key, so use "yes".
+            // On Windows, IdentitiesOnly=yes will ignore keys from the agent, but send explicit keys first; so use "no" (https://github.com/PowerShell/Win32-OpenSSH/issues/1550)
+            //let identitiesOnly = isWindows ? 'no' : 'yes';
+            
+            let sshConfig = `\nHost key-${keyNumber}\n`
+                                  + `    HostName github.com\n`
+                                  + `    User git\n`
+                                  + `    IdentitiesOnly yes\n`
+                                  + `    AddKeysToAgent yes\n`
+                                  + `    IdentityFile ${keyFile}\n`;
+
+            fs.appendFileSync(`${homeSsh}/config`, sshConfig);
+
+            console.log(`Added deploy-key mapping: Use key #${keyNumber} for GitHub repository ${ownerAndRepo}`);
+        });
+    });
+
+    console.log("Keys added:");
+    child_process.execSync('ssh-add -l', { stdio: 'inherit' });
+
+} catch (error) {
     core.setFailed(error.message);
 }

package.json

@@ -2,12 +2,12 @@
     "name": "webfactory-action-ssh-agent",
     "repository": "git@github.com:webfactory/ssh-agent.git",
     "description": "GitHub Action to set up ssh-agent with a private SSH key",
-    "version": "0.7.0",
+    "version": "0.1.0",
     "main": "index.js",
     "author": "webfactory GmbH <info@webfactory.de>",
     "license": "MIT",
     "devDependencies": {
-        "@actions/core": "^1.9.1",
+        "@actions/core": "^1.2.4",
         "@zeit/ncc": "^0.20.5"
     },
     "scripts": {

paths.js

@@ -1,16 +0,0 @@
-const os = require('os');
-
-module.exports = (process.env['OS'] != 'Windows_NT') ? {
-    // Use getent() system call, since this is what ssh does; makes a difference in Docker-based
-    // Action runs, where $HOME is different from the pwent
-    homePath: os.userInfo().homedir,
-    sshAgentCmd: 'ssh-agent',
-    sshAddCmd: 'ssh-add',
-    gitCmd: 'git'
-} : {
-    // Assuming GitHub hosted `windows-*` runners for now
-    homePath: os.homedir(),
-    sshAgentCmd: 'c://progra~1//git//usr//bin//ssh-agent.exe',
-    sshAddCmd: 'c://progra~1//git//usr//bin//ssh-add.exe',
-    gitCmd: 'c://progra~1//git//bin//git.exe'
-};

yarn.lock

@@ -2,32 +2,12 @@
 # yarn lockfile v1
 
 
-"@actions/core@^1.9.1":
-  "integrity" "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA=="
-  "resolved" "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz"
-  "version" "1.9.1"
-  dependencies:
-    "@actions/http-client" "^2.0.1"
-    "uuid" "^8.3.2"
-
-"@actions/http-client@^2.0.1":
-  "integrity" "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw=="
-  "resolved" "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz"
-  "version" "2.0.1"
-  dependencies:
-    "tunnel" "^0.0.6"
+"@actions/core@^1.2.4":
+  version "1.2.6"
+  resolved "https://registry.yarnpkg.com/@actions/core/-/core-1.2.6.tgz#a78d49f41a4def18e88ce47c2cac615d5694bf09"
+  integrity sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==
 
 "@zeit/ncc@^0.20.5":
-  "integrity" "sha512-XU6uzwvv95DqxciQx+aOLhbyBx/13ky+RK1y88Age9Du3BlA4mMPCy13BGjayOrrumOzlq1XV3SD/BWiZENXlw=="
-  "resolved" "https://registry.npmjs.org/@zeit/ncc/-/ncc-0.20.5.tgz"
-  "version" "0.20.5"
-
-"tunnel@^0.0.6":
-  "integrity" "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg=="
-  "resolved" "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz"
-  "version" "0.0.6"
-
-"uuid@^8.3.2":
-  "integrity" "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg=="
-  "resolved" "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz"
-  "version" "8.3.2"
+  version "0.20.5"
+  resolved "https://registry.yarnpkg.com/@zeit/ncc/-/ncc-0.20.5.tgz#a41af6e6bcab4a58f4612bae6137f70bce0192e3"
+  integrity sha512-XU6uzwvv95DqxciQx+aOLhbyBx/13ky+RK1y88Age9Du3BlA4mMPCy13BGjayOrrumOzlq1XV3SD/BWiZENXlw==