Randomize SSH auth socket, kill agent to support non-ephemeral, self hosted runners (@thommyhh, #27)

Thanks to @thommyhh for this contribution! Unless the `SSH_AUTH_SOCK` is configured explicitly, this change will make the SSH agent use a random file name for the socket. That way, multiple, concurrent SSH agents can be used on non-ephemeral, self-hosted runners. A new post-action step will automatically clean up the running agent at the end of a job. Be aware of the possible security implications: Two jobs running on the same runner might be able to access each other's socket and thus access repositories and/or hosts.
2025-06-28 05:33:45 +00:00 · 2020-05-18 09:08:29 +02:00 · 2020-05-18 09:08:29 +02:00 · 4fcb25e7ef
commit 4fcb25e7ef
parent a82ae3cd1a
9 changed files with 424 additions and 20 deletions
--- a/index.js
+++ b/index.js
@ -22,8 +22,21 @@ try {

    console.log("Starting ssh-agent");
    const authSock = core.getInput('ssh-auth-sock');
-    child_process.execFileSync('ssh-agent', ['-a', authSock]);
-    core.exportVariable('SSH_AUTH_SOCK', authSock);
+    let sshAgentOutput = ''
+    if (authSock && authSock.length > 0) {
+        sshAgentOutput = child_process.execFileSync('ssh-agent', ['-a', authSock]);
+    } else {
+        sshAgentOutput = child_process.execFileSync('ssh-agent')
+    }
+
+    // Extract auth socket path and agent pid and set them as job variables
+    const lines = sshAgentOutput.toString().split("\n")
+    for (const lineNumber in lines) {
+        const matches = /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=(.*); export \1/.exec(lines[lineNumber])
+        if (matches && matches.length > 0) {
+            core.exportVariable(matches[1], matches[2])
+        }
+    }

    console.log("Adding private key to agent");
    privateKey.split(/(?=-----BEGIN)/).forEach(function(key) {