From 0a38ab092644d38c804058b34ce188a319bacee7 Mon Sep 17 00:00:00 2001 From: Benjamin Borowski Date: Mon, 2 Mar 2020 16:41:12 -0800 Subject: [PATCH 1/9] style: lint just reviewing and noticed a missing space --- index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.js b/index.js index 8490d93..e141876 100644 --- a/index.js +++ b/index.js @@ -16,7 +16,7 @@ try { } console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`); - fs.mkdirSync(homeSsh, { recursive: true}); + fs.mkdirSync(homeSsh, { recursive: true }); fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n'); fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-dss AAAAB3NzaC1kc3MAAACBANGFW2P9xlGU3zWrymJgI/lKo//ZW2WfVtmbsUZJ5uyKArtlQOT2+WRhcg4979aFxgKdcsqAYW3/LS1T2km3jYW/vr4Uzn+dXWODVk5VlUiZ1HFOHf6s6ITcZvjvdbp6ZbpM+DuJT7Bw+h5Fx8Qt8I16oCZYmAPJRtu46o9C2zk1AAAAFQC4gdFGcSbp5Gr0Wd5Ay/jtcldMewAAAIATTgn4sY4Nem/FQE+XJlyUQptPWMem5fwOcWtSXiTKaaN0lkk2p2snz+EJvAGXGq9dTSWHyLJSM2W6ZdQDqWJ1k+cL8CARAqL+UMwF84CR0m3hj+wtVGD/J4G5kW2DBAf4/bqzP4469lT+dF2FRQ2L9JKXrCWcnhMtJUvua8dvnwAAAIB6C4nQfAA7x8oLta6tT+oCk2WQcydNsyugE8vLrHlogoWEicla6cWPk7oXSspbzUcfkjN3Qa6e74PhRkc7JdSdAlFzU3m7LMkXo1MHgkqNX8glxWNVqBSc0YRdbFdTkL0C6gtpklilhvuHQCdbgB3LBAikcRkDp+FCVkUgPC/7Rw==\n'); From a3b3049f433c20313243d6448726ab202d0020d3 Mon Sep 17 00:00:00 2001 From: Jan Pieter Waagmeester Date: Tue, 31 Mar 2020 12:23:36 +0200 Subject: [PATCH 2/9] add omitted 'key' word --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ae8f836..df220e1 100644 --- a/README.md +++ b/README.md @@ -83,7 +83,7 @@ When using `ssh` to connect from the GitHub Action worker node to another machin ### Provide the SSH key as a file -This Action is designed to pass the SSH directly into `ssh-agent`; that is, the key is available in memory on the GitHub Action worker node, but never written to disk. As a consequence, you _cannot_ pass the key as a build argument or a mounted file into Docker containers that you build or run on the worker node. You _can_, however, mount the `ssh-agent` Unix socket into a Docker container that you _run_, set up the `SSH_AUTH_SOCK` env var and then use SSH from within the container (see #11). +This Action is designed to pass the SSH key directly into `ssh-agent`; that is, the key is available in memory on the GitHub Action worker node, but never written to disk. As a consequence, you _cannot_ pass the key as a build argument or a mounted file into Docker containers that you build or run on the worker node. You _can_, however, mount the `ssh-agent` Unix socket into a Docker container that you _run_, set up the `SSH_AUTH_SOCK` env var and then use SSH from within the container (see #11). ### Run `ssh-keyscan` to add host keys for additional hosts From 4fcb25e7ef89d0ad885e957928ddfe0a78aad59e Mon Sep 17 00:00:00 2001 From: Thorben Nissen Date: Mon, 18 May 2020 09:08:29 +0200 Subject: [PATCH 3/9] Randomize SSH auth socket, kill agent to support non-ephemeral, self hosted runners (@thommyhh, #27) Thanks to @thommyhh for this contribution! Unless the `SSH_AUTH_SOCK` is configured explicitly, this change will make the SSH agent use a random file name for the socket. That way, multiple, concurrent SSH agents can be used on non-ephemeral, self-hosted runners. A new post-action step will automatically clean up the running agent at the end of a job. Be aware of the possible security implications: Two jobs running on the same runner might be able to access each other's socket and thus access repositories and/or hosts. --- README.md | 7 +- action.yml | 2 +- cleanup.js | 10 ++ dist/cleanup.js | 332 ++++++++++++++++++++++++++++++++++++++++++++++ dist/index.js | 21 ++- index.js | 17 ++- package-lock.json | 12 +- package.json | 8 +- scripts/build.js | 35 +++++ 9 files changed, 424 insertions(+), 20 deletions(-) create mode 100644 cleanup.js create mode 100644 dist/cleanup.js create mode 100644 scripts/build.js diff --git a/README.md b/README.md index df220e1..ac87662 100644 --- a/README.md +++ b/README.md @@ -57,6 +57,11 @@ The `ssh-agent` will load all of the keys and try each one in order when establi There's one **caveat**, though: SSH servers may abort the connection attempt after a number of mismatching keys have been presented. So if, for example, you have six different keys loaded into the `ssh-agent`, but the server aborts after five unknown keys, the last key (which might be the right one) will never even be tried. +## Exported variables +The action exports `SSH_AUTH_SOCK` and `SSH_AGENT_PID` through the Github Actions core module. +The `$SSH_AUTH_SOCK` is used by several applications like git or rsync to connect to the SSH authentication agent. +The `$SSH_AGENT_PID` contains the process id of the agent. This is used to kill the agent in post job action. + ## Known issues and limitations ### Currently OS X and Linux only @@ -116,7 +121,7 @@ As a note to my future self, in order to work on this repo: * Run `npm install` to fetch dependencies * _hack hack hack_ * `node index.js`. Inputs are passed through `INPUT_` env vars with their names uppercased. Use `env "INPUT_SSH-PRIVATE-KEY=\`cat file\`" node index.js` for this action. -* Run `./node_modules/.bin/ncc build index.js` to update `dist/index.js`, which is the file actually run +* Run `npm run build` to update `dist/*`, which holds the files actually run * Read https://help.github.com/en/articles/creating-a-javascript-action if unsure. * Maybe update the README example when publishing a new version. diff --git a/action.yml b/action.yml index bdeeaa6..e43c44f 100644 --- a/action.yml +++ b/action.yml @@ -6,10 +6,10 @@ inputs: required: true ssh-auth-sock: description: 'Where to place the SSH Agent auth socket' - default: /tmp/ssh-auth.sock runs: using: 'node12' main: 'dist/index.js' + post: 'dist/cleanup.js' branding: icon: loader color: 'yellow' diff --git a/cleanup.js b/cleanup.js new file mode 100644 index 0000000..89955a6 --- /dev/null +++ b/cleanup.js @@ -0,0 +1,10 @@ +const core = require('@actions/core') +const { execSync } = require('child_process') + +try { + // Kill the started SSH agent + console.log('Stopping SSH agent') + execSync('kill ${SSH_AGENT_PID}', { stdio: 'inherit' }) +} catch (error) { + core.setFailed(error.message) +} diff --git a/dist/cleanup.js b/dist/cleanup.js new file mode 100644 index 0000000..a678e24 --- /dev/null +++ b/dist/cleanup.js @@ -0,0 +1,332 @@ +module.exports = +/******/ (function(modules, runtime) { // webpackBootstrap +/******/ "use strict"; +/******/ // The module cache +/******/ var installedModules = {}; +/******/ +/******/ // The require function +/******/ function __webpack_require__(moduleId) { +/******/ +/******/ // Check if module is in cache +/******/ if(installedModules[moduleId]) { +/******/ return installedModules[moduleId].exports; +/******/ } +/******/ // Create a new module (and put it into the cache) +/******/ var module = installedModules[moduleId] = { +/******/ i: moduleId, +/******/ l: false, +/******/ exports: {} +/******/ }; +/******/ +/******/ // Execute the module function +/******/ modules[moduleId].call(module.exports, module, module.exports, __webpack_require__); +/******/ +/******/ // Flag the module as loaded +/******/ module.l = true; +/******/ +/******/ // Return the exports of the module +/******/ return module.exports; +/******/ } +/******/ +/******/ +/******/ __webpack_require__.ab = __dirname + "/"; +/******/ +/******/ // the startup function +/******/ function startup() { +/******/ // Load entry module and return exports +/******/ return __webpack_require__(175); +/******/ }; +/******/ +/******/ // run startup +/******/ return startup(); +/******/ }) +/************************************************************************/ +/******/ ({ + +/***/ 87: +/***/ (function(module) { + +module.exports = require("os"); + +/***/ }), + +/***/ 129: +/***/ (function(module) { + +module.exports = require("child_process"); + +/***/ }), + +/***/ 175: +/***/ (function(__unusedmodule, __unusedexports, __webpack_require__) { + +const core = __webpack_require__(470) +const { execSync } = __webpack_require__(129) + +try { + // Kill the started SSH agent + console.log('Stopping SSH agent') + execSync('kill ${SSH_AGENT_PID}', { stdio: 'inherit' }) +} catch (error) { + core.setFailed(error.message) +} + + +/***/ }), + +/***/ 431: +/***/ (function(__unusedmodule, exports, __webpack_require__) { + +"use strict"; + +Object.defineProperty(exports, "__esModule", { value: true }); +const os = __webpack_require__(87); +/** + * Commands + * + * Command Format: + * ##[name key=value;key=value]message + * + * Examples: + * ##[warning]This is the user warning message + * ##[set-secret name=mypassword]definitelyNotAPassword! + */ +function issueCommand(command, properties, message) { + const cmd = new Command(command, properties, message); + process.stdout.write(cmd.toString() + os.EOL); +} +exports.issueCommand = issueCommand; +function issue(name, message = '') { + issueCommand(name, {}, message); +} +exports.issue = issue; +const CMD_PREFIX = '##['; +class Command { + constructor(command, properties, message) { + if (!command) { + command = 'missing.command'; + } + this.command = command; + this.properties = properties; + this.message = message; + } + toString() { + let cmdStr = CMD_PREFIX + this.command; + if (this.properties && Object.keys(this.properties).length > 0) { + cmdStr += ' '; + for (const key in this.properties) { + if (this.properties.hasOwnProperty(key)) { + const val = this.properties[key]; + if (val) { + // safely append the val - avoid blowing up when attempting to + // call .replace() if message is not a string for some reason + cmdStr += `${key}=${escape(`${val || ''}`)};`; + } + } + } + } + cmdStr += ']'; + // safely append the message - avoid blowing up when attempting to + // call .replace() if message is not a string for some reason + const message = `${this.message || ''}`; + cmdStr += escapeData(message); + return cmdStr; + } +} +function escapeData(s) { + return s.replace(/\r/g, '%0D').replace(/\n/g, '%0A'); +} +function escape(s) { + return s + .replace(/\r/g, '%0D') + .replace(/\n/g, '%0A') + .replace(/]/g, '%5D') + .replace(/;/g, '%3B'); +} +//# sourceMappingURL=command.js.map + +/***/ }), + +/***/ 470: +/***/ (function(__unusedmodule, exports, __webpack_require__) { + +"use strict"; + +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", { value: true }); +const command_1 = __webpack_require__(431); +const path = __webpack_require__(622); +/** + * The code to exit an action + */ +var ExitCode; +(function (ExitCode) { + /** + * A code indicating that the action was successful + */ + ExitCode[ExitCode["Success"] = 0] = "Success"; + /** + * A code indicating that the action was a failure + */ + ExitCode[ExitCode["Failure"] = 1] = "Failure"; +})(ExitCode = exports.ExitCode || (exports.ExitCode = {})); +//----------------------------------------------------------------------- +// Variables +//----------------------------------------------------------------------- +/** + * sets env variable for this action and future actions in the job + * @param name the name of the variable to set + * @param val the value of the variable + */ +function exportVariable(name, val) { + process.env[name] = val; + command_1.issueCommand('set-env', { name }, val); +} +exports.exportVariable = exportVariable; +/** + * exports the variable and registers a secret which will get masked from logs + * @param name the name of the variable to set + * @param val value of the secret + */ +function exportSecret(name, val) { + exportVariable(name, val); + // the runner will error with not implemented + // leaving the function but raising the error earlier + command_1.issueCommand('set-secret', {}, val); + throw new Error('Not implemented.'); +} +exports.exportSecret = exportSecret; +/** + * Prepends inputPath to the PATH (for this action and future actions) + * @param inputPath + */ +function addPath(inputPath) { + command_1.issueCommand('add-path', {}, inputPath); + process.env['PATH'] = `${inputPath}${path.delimiter}${process.env['PATH']}`; +} +exports.addPath = addPath; +/** + * Gets the value of an input. The value is also trimmed. + * + * @param name name of the input to get + * @param options optional. See InputOptions. + * @returns string + */ +function getInput(name, options) { + const val = process.env[`INPUT_${name.replace(' ', '_').toUpperCase()}`] || ''; + if (options && options.required && !val) { + throw new Error(`Input required and not supplied: ${name}`); + } + return val.trim(); +} +exports.getInput = getInput; +/** + * Sets the value of an output. + * + * @param name name of the output to set + * @param value value to store + */ +function setOutput(name, value) { + command_1.issueCommand('set-output', { name }, value); +} +exports.setOutput = setOutput; +//----------------------------------------------------------------------- +// Results +//----------------------------------------------------------------------- +/** + * Sets the action status to failed. + * When the action exits it will be with an exit code of 1 + * @param message add error issue message + */ +function setFailed(message) { + process.exitCode = ExitCode.Failure; + error(message); +} +exports.setFailed = setFailed; +//----------------------------------------------------------------------- +// Logging Commands +//----------------------------------------------------------------------- +/** + * Writes debug message to user log + * @param message debug message + */ +function debug(message) { + command_1.issueCommand('debug', {}, message); +} +exports.debug = debug; +/** + * Adds an error issue + * @param message error issue message + */ +function error(message) { + command_1.issue('error', message); +} +exports.error = error; +/** + * Adds an warning issue + * @param message warning issue message + */ +function warning(message) { + command_1.issue('warning', message); +} +exports.warning = warning; +/** + * Begin an output group. + * + * Output until the next `groupEnd` will be foldable in this group + * + * @param name The name of the output group + */ +function startGroup(name) { + command_1.issue('group', name); +} +exports.startGroup = startGroup; +/** + * End an output group. + */ +function endGroup() { + command_1.issue('endgroup'); +} +exports.endGroup = endGroup; +/** + * Wrap an asynchronous function call in a group. + * + * Returns the same type as the function itself. + * + * @param name The name of the group + * @param fn The function to wrap in the group + */ +function group(name, fn) { + return __awaiter(this, void 0, void 0, function* () { + startGroup(name); + let result; + try { + result = yield fn(); + } + finally { + endGroup(); + } + return result; + }); +} +exports.group = group; +//# sourceMappingURL=core.js.map + +/***/ }), + +/***/ 622: +/***/ (function(module) { + +module.exports = require("path"); + +/***/ }) + +/******/ }); \ No newline at end of file diff --git a/dist/index.js b/dist/index.js index 5ee5d2f..f7a65cd 100644 --- a/dist/index.js +++ b/dist/index.js @@ -62,7 +62,7 @@ try { const home = process.env['HOME']; const homeSsh = home + '/.ssh'; - const privateKey = core.getInput('ssh-private-key').trim(); + const privateKey = core.getInput('ssh-private-key'); if (!privateKey) { core.setFailed("The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file."); @@ -71,14 +71,27 @@ try { } console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`); - fs.mkdirSync(homeSsh, { recursive: true}); + fs.mkdirSync(homeSsh, { recursive: true }); fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n'); fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-dss AAAAB3NzaC1kc3MAAACBANGFW2P9xlGU3zWrymJgI/lKo//ZW2WfVtmbsUZJ5uyKArtlQOT2+WRhcg4979aFxgKdcsqAYW3/LS1T2km3jYW/vr4Uzn+dXWODVk5VlUiZ1HFOHf6s6ITcZvjvdbp6ZbpM+DuJT7Bw+h5Fx8Qt8I16oCZYmAPJRtu46o9C2zk1AAAAFQC4gdFGcSbp5Gr0Wd5Ay/jtcldMewAAAIATTgn4sY4Nem/FQE+XJlyUQptPWMem5fwOcWtSXiTKaaN0lkk2p2snz+EJvAGXGq9dTSWHyLJSM2W6ZdQDqWJ1k+cL8CARAqL+UMwF84CR0m3hj+wtVGD/J4G5kW2DBAf4/bqzP4469lT+dF2FRQ2L9JKXrCWcnhMtJUvua8dvnwAAAIB6C4nQfAA7x8oLta6tT+oCk2WQcydNsyugE8vLrHlogoWEicla6cWPk7oXSspbzUcfkjN3Qa6e74PhRkc7JdSdAlFzU3m7LMkXo1MHgkqNX8glxWNVqBSc0YRdbFdTkL0C6gtpklilhvuHQCdbgB3LBAikcRkDp+FCVkUgPC/7Rw==\n'); console.log("Starting ssh-agent"); const authSock = core.getInput('ssh-auth-sock'); - child_process.execFileSync('ssh-agent', ['-a', authSock]); - core.exportVariable('SSH_AUTH_SOCK', authSock); + let sshAgentOutput = '' + if (authSock && authSock.length > 0) { + sshAgentOutput = child_process.execFileSync('ssh-agent', ['-a', authSock]); + } else { + sshAgentOutput = child_process.execFileSync('ssh-agent') + } + + // Extract auth socket path and agent pid and set them as job variables + const lines = sshAgentOutput.toString().split("\n") + for (const lineNumber in lines) { + const matches = /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=(.*); export \1/.exec(lines[lineNumber]) + if (matches && matches.length > 0) { + core.exportVariable(matches[1], matches[2]) + } + } console.log("Adding private key to agent"); privateKey.split(/(?=-----BEGIN)/).forEach(function(key) { diff --git a/index.js b/index.js index e141876..7ee6fe7 100644 --- a/index.js +++ b/index.js @@ -22,8 +22,21 @@ try { console.log("Starting ssh-agent"); const authSock = core.getInput('ssh-auth-sock'); - child_process.execFileSync('ssh-agent', ['-a', authSock]); - core.exportVariable('SSH_AUTH_SOCK', authSock); + let sshAgentOutput = '' + if (authSock && authSock.length > 0) { + sshAgentOutput = child_process.execFileSync('ssh-agent', ['-a', authSock]); + } else { + sshAgentOutput = child_process.execFileSync('ssh-agent') + } + + // Extract auth socket path and agent pid and set them as job variables + const lines = sshAgentOutput.toString().split("\n") + for (const lineNumber in lines) { + const matches = /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=(.*); export \1/.exec(lines[lineNumber]) + if (matches && matches.length > 0) { + core.exportVariable(matches[1], matches[2]) + } + } console.log("Adding private key to agent"); privateKey.split(/(?=-----BEGIN)/).forEach(function(key) { diff --git a/package-lock.json b/package-lock.json index 829664d..12699b6 100644 --- a/package-lock.json +++ b/package-lock.json @@ -5,9 +5,9 @@ "requires": true, "dependencies": { "@actions/core": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.1.0.tgz", - "integrity": "sha512-KKpo3xzo0Zsikni9tbOsEQkxZBGDsYSJZNkTvmo0gPSXrc98TBOcdTvKwwjitjkjHkreTggWdB1ACiAFVgsuzA==", + "version": "1.2.4", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.4.tgz", + "integrity": "sha512-YJCEq8BE3CdN8+7HPZ/4DxJjk/OkZV2FFIf+DlZTC/4iBlzYCD5yjRR6eiOS5llO11zbRltIRuKAjMKaWTE6cg==", "dev": true }, "@zeit/ncc": { @@ -15,12 +15,6 @@ "resolved": "https://registry.npmjs.org/@zeit/ncc/-/ncc-0.20.5.tgz", "integrity": "sha512-XU6uzwvv95DqxciQx+aOLhbyBx/13ky+RK1y88Age9Du3BlA4mMPCy13BGjayOrrumOzlq1XV3SD/BWiZENXlw==", "dev": true - }, - "child_process": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/child_process/-/child_process-1.0.2.tgz", - "integrity": "sha1-sffn/HPSXn/R1FWtyU4UODAYK1o=", - "dev": true } } } diff --git a/package.json b/package.json index 35a0c5c..bb68cef 100644 --- a/package.json +++ b/package.json @@ -7,8 +7,10 @@ "author": "webfactory GmbH ", "license": "MIT", "devDependencies": { - "@actions/core": "^1.1.0", - "@zeit/ncc": "^0.20.5", - "child_process": "^1.0.2" + "@actions/core": "^1.2.4", + "@zeit/ncc": "^0.20.5" + }, + "scripts": { + "build": "node scripts/build.js" } } diff --git a/scripts/build.js b/scripts/build.js new file mode 100644 index 0000000..eecd192 --- /dev/null +++ b/scripts/build.js @@ -0,0 +1,35 @@ +const { execSync } = require('child_process') +const path = require('path') +const fs = require('fs') + +const buildDir = path.join(process.cwd(), 'build') +const distDir = path.join(process.cwd(), 'dist') + +const buildIndexJs = path.join(buildDir, 'index.js') +const distIndexJs = path.join(distDir, 'index.js') +const distCleanupJs = path.join(distDir, 'cleanup.js') + +if (!fs.existsSync(buildDir)) { + fs.mkdirSync(buildDir) +} + +// Build the main index.js file +console.log('Building index.js...') +execSync(`./node_modules/.bin/ncc build index.js -q -o ${buildDir}`) +if (fs.existsSync(distIndexJs)) { + fs.unlinkSync(distIndexJs) +} +fs.renameSync(buildIndexJs, distIndexJs) + +// Build the cleanup.js file +console.log('Building cleanup.js...') +execSync(`./node_modules/.bin/ncc build cleanup.js -q -o ${buildDir}`) +if (fs.existsSync(distCleanupJs)) { + fs.unlinkSync(distCleanupJs) +} +fs.renameSync(buildIndexJs, distCleanupJs) + +console.log('Cleaning up...') +fs.rmdirSync(buildDir) + +console.log('Done') From 8789658b02527d79b3939a5bfc202ea55f91ab32 Mon Sep 17 00:00:00 2001 From: Adam Dobrawy Date: Fri, 5 Jun 2020 06:45:30 +0200 Subject: [PATCH 4/9] Update actions version in examples (#29) --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index ac87662..bf9fb13 100644 --- a/README.md +++ b/README.md @@ -27,9 +27,9 @@ jobs: ... steps: - actions/checkout@v1 - # Make sure the @v0.2.0 matches the current version of the + # Make sure the @v0.3.0 matches the current version of the # action - - uses: webfactory/ssh-agent@v0.2.0 + - uses: webfactory/ssh-agent@v0.3.0 with: ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} - ... other steps @@ -44,7 +44,7 @@ In that case, you can set-up the different keys as multiple secrets and pass the ```yaml # ... contens as before - - uses: webfactory/ssh-agent@v0.2.0 + - uses: webfactory/ssh-agent@v0.3.0 with: ssh-private-key: | ${{ secrets.FIRST_KEY }} From 5ef9e0334a9b8bcfe6bab2d1c15d6f2ebd5a5c8c Mon Sep 17 00:00:00 2001 From: Ryan Zidago <46972947+ryanzidago@users.noreply.github.com> Date: Tue, 23 Jun 2020 12:56:50 +0200 Subject: [PATCH 5/9] updated README.md to including further instructions regarding where to add deploy key (#34) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bf9fb13..cac624b 100644 --- a/README.md +++ b/README.md @@ -109,7 +109,7 @@ specify a passphrase: The key must be usable without reading the passphrase from To actually grant the SSH key access, you can – on GitHub – use at least two ways: -* [Deploy keys](https://developer.github.com/v3/guides/managing-deploy-keys/#deploy-keys) can be added to individual GitHub repositories. They can give read and/or write access to the particular repository. When pulling a lot of dependencies, however, you'll end up adding the key in many places. Rotating the key probably becomes difficult. +* [Deploy keys](https://developer.github.com/v3/guides/managing-deploy-keys/#deploy-keys) can be added to individual GitHub repositories. They can give read and/or write access to the particular repository. When pulling a lot of dependencies, however, you'll end up adding the key in many places. Rotating the key probably becomes difficult. The deploy key needs to be added to the private repository that is being fetched as a private dependency. * A [machine user](https://developer.github.com/v3/guides/managing-deploy-keys/#machine-users) can be used for more fine-grained permissions management and have access to multiple repositories with just one instance of the key being registered. It will, however, count against your number of users on paid GitHub plans. From ef0ce0cab8e3ad0aa0f3e1fb209b0811b68c0c51 Mon Sep 17 00:00:00 2001 From: Matthias Pigulla Date: Wed, 24 Jun 2020 08:31:28 +0200 Subject: [PATCH 6/9] Ignore failures when trying to kill the `ssh-agent` (#33) --- CHANGELOG.md | 22 ++++++- README.md | 12 ++-- cleanup.js | 3 +- dist/cleanup.js | 165 ++++++++++++++++++++++++++++++++++------------ dist/index.js | 162 +++++++++++++++++++++++++++++++++------------ package-lock.json | 20 ------ yarn.lock | 13 ++++ 7 files changed, 286 insertions(+), 111 deletions(-) delete mode 100644 package-lock.json create mode 100644 yarn.lock diff --git a/CHANGELOG.md b/CHANGELOG.md index 7b560e3..c297211 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,7 +7,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] -## v0.2.0 +## v0.4.0 + +### Changed + +* A failure to kill the agent in the post-action step will no longer fail the workflow run. That way, you can kill the agent yourself when necessary (#33). + +## v0.3.0 [2020-05-18] + +### Added + +* A new post-action step will automatically clean up the running agent at the end of a job. This helps with self-hosted runners, which are non-ephemeral. (@thommyhh, #27) + +### Changed + +* Unless the SSH_AUTH_SOCK is configured explicitly, the SSH agent will now use a random file name for the socket. That way, multiple, concurrent SSH agents can be used on self-hosted runners. (@thommyhh, #27) + +## v0.2.0 [2020-01-14] ### Added @@ -16,3 +32,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 * Catch empty ssh-private-key input values and exit with a helpful error message right away. + +## v0.1.0 [2019-09-15] + +Initial release. diff --git a/README.md b/README.md index cac624b..282c9cf 100644 --- a/README.md +++ b/README.md @@ -27,9 +27,9 @@ jobs: ... steps: - actions/checkout@v1 - # Make sure the @v0.3.0 matches the current version of the + # Make sure the @v0.4.0 matches the current version of the # action - - uses: webfactory/ssh-agent@v0.3.0 + - uses: webfactory/ssh-agent@v0.4.0 with: ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} - ... other steps @@ -44,7 +44,7 @@ In that case, you can set-up the different keys as multiple secrets and pass the ```yaml # ... contens as before - - uses: webfactory/ssh-agent@v0.3.0 + - uses: webfactory/ssh-agent@v0.4.0 with: ssh-private-key: | ${{ secrets.FIRST_KEY }} @@ -55,10 +55,10 @@ In that case, you can set-up the different keys as multiple secrets and pass the The `ssh-agent` will load all of the keys and try each one in order when establishing SSH connections. There's one **caveat**, though: SSH servers may abort the connection attempt after a number of mismatching keys have been presented. So if, for example, you have -six different keys loaded into the `ssh-agent`, but the server aborts after five unknown keys, the last key (which might be the right one) will never even be tried. +six different keys loaded into the `ssh-agent`, but the server aborts after five unknown keys, the last key (which might be the right one) will never even be tried. If you don't need all of the keys at the same time, you could try to `run: kill $SSH_AGENT_PID` to kill the currently running `ssh-agent` and use the action again in a following step to start another instance. ## Exported variables -The action exports `SSH_AUTH_SOCK` and `SSH_AGENT_PID` through the Github Actions core module. +The action exports the `SSH_AUTH_SOCK` and `SSH_AGENT_PID` environment variables through the Github Actions core module. The `$SSH_AUTH_SOCK` is used by several applications like git or rsync to connect to the SSH authentication agent. The `$SSH_AGENT_PID` contains the process id of the agent. This is used to kill the agent in post job action. @@ -118,7 +118,7 @@ To actually grant the SSH key access, you can – on GitHub – use at least two As a note to my future self, in order to work on this repo: * Clone it -* Run `npm install` to fetch dependencies +* Run `yarn install` to fetch dependencies * _hack hack hack_ * `node index.js`. Inputs are passed through `INPUT_` env vars with their names uppercased. Use `env "INPUT_SSH-PRIVATE-KEY=\`cat file\`" node index.js` for this action. * Run `npm run build` to update `dist/*`, which holds the files actually run diff --git a/cleanup.js b/cleanup.js index 89955a6..f90cddd 100644 --- a/cleanup.js +++ b/cleanup.js @@ -6,5 +6,6 @@ try { console.log('Stopping SSH agent') execSync('kill ${SSH_AGENT_PID}', { stdio: 'inherit' }) } catch (error) { - core.setFailed(error.message) + console.log(error.message); + console.log('Error stopping the SSH agent, proceeding anyway'); } diff --git a/dist/cleanup.js b/dist/cleanup.js index a678e24..e33f897 100644 --- a/dist/cleanup.js +++ b/dist/cleanup.js @@ -68,7 +68,8 @@ try { console.log('Stopping SSH agent') execSync('kill ${SSH_AGENT_PID}', { stdio: 'inherit' }) } catch (error) { - core.setFailed(error.message) + console.log(error.message); + console.log('Error stopping the SSH agent, proceeding anyway'); } @@ -79,17 +80,24 @@ try { "use strict"; +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k]; + result["default"] = mod; + return result; +}; Object.defineProperty(exports, "__esModule", { value: true }); -const os = __webpack_require__(87); +const os = __importStar(__webpack_require__(87)); /** * Commands * * Command Format: - * ##[name key=value;key=value]message + * ::name key=value,key=value::message * * Examples: - * ##[warning]This is the user warning message - * ##[set-secret name=mypassword]definitelyNotAPassword! + * ::warning::This is the message + * ::set-env name=MY_VAR::some value */ function issueCommand(command, properties, message) { const cmd = new Command(command, properties, message); @@ -100,7 +108,7 @@ function issue(name, message = '') { issueCommand(name, {}, message); } exports.issue = issue; -const CMD_PREFIX = '##['; +const CMD_STRING = '::'; class Command { constructor(command, properties, message) { if (!command) { @@ -111,37 +119,56 @@ class Command { this.message = message; } toString() { - let cmdStr = CMD_PREFIX + this.command; + let cmdStr = CMD_STRING + this.command; if (this.properties && Object.keys(this.properties).length > 0) { cmdStr += ' '; + let first = true; for (const key in this.properties) { if (this.properties.hasOwnProperty(key)) { const val = this.properties[key]; if (val) { - // safely append the val - avoid blowing up when attempting to - // call .replace() if message is not a string for some reason - cmdStr += `${key}=${escape(`${val || ''}`)};`; + if (first) { + first = false; + } + else { + cmdStr += ','; + } + cmdStr += `${key}=${escapeProperty(val)}`; } } } } - cmdStr += ']'; - // safely append the message - avoid blowing up when attempting to - // call .replace() if message is not a string for some reason - const message = `${this.message || ''}`; - cmdStr += escapeData(message); + cmdStr += `${CMD_STRING}${escapeData(this.message)}`; return cmdStr; } } -function escapeData(s) { - return s.replace(/\r/g, '%0D').replace(/\n/g, '%0A'); +/** + * Sanitizes an input into a string so it can be passed into issueCommand safely + * @param input input to sanitize into a string + */ +function toCommandValue(input) { + if (input === null || input === undefined) { + return ''; + } + else if (typeof input === 'string' || input instanceof String) { + return input; + } + return JSON.stringify(input); } -function escape(s) { - return s +exports.toCommandValue = toCommandValue; +function escapeData(s) { + return toCommandValue(s) + .replace(/%/g, '%25') + .replace(/\r/g, '%0D') + .replace(/\n/g, '%0A'); +} +function escapeProperty(s) { + return toCommandValue(s) + .replace(/%/g, '%25') .replace(/\r/g, '%0D') .replace(/\n/g, '%0A') - .replace(/]/g, '%5D') - .replace(/;/g, '%3B'); + .replace(/:/g, '%3A') + .replace(/,/g, '%2C'); } //# sourceMappingURL=command.js.map @@ -161,9 +188,17 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge step((generator = generator.apply(thisArg, _arguments || [])).next()); }); }; +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k]; + result["default"] = mod; + return result; +}; Object.defineProperty(exports, "__esModule", { value: true }); const command_1 = __webpack_require__(431); -const path = __webpack_require__(622); +const os = __importStar(__webpack_require__(87)); +const path = __importStar(__webpack_require__(622)); /** * The code to exit an action */ @@ -182,28 +217,25 @@ var ExitCode; // Variables //----------------------------------------------------------------------- /** - * sets env variable for this action and future actions in the job + * Sets env variable for this action and future actions in the job * @param name the name of the variable to set - * @param val the value of the variable + * @param val the value of the variable. Non-string values will be converted to a string via JSON.stringify */ +// eslint-disable-next-line @typescript-eslint/no-explicit-any function exportVariable(name, val) { - process.env[name] = val; - command_1.issueCommand('set-env', { name }, val); + const convertedVal = command_1.toCommandValue(val); + process.env[name] = convertedVal; + command_1.issueCommand('set-env', { name }, convertedVal); } exports.exportVariable = exportVariable; /** - * exports the variable and registers a secret which will get masked from logs - * @param name the name of the variable to set - * @param val value of the secret + * Registers a secret which will get masked from logs + * @param secret value of the secret */ -function exportSecret(name, val) { - exportVariable(name, val); - // the runner will error with not implemented - // leaving the function but raising the error earlier - command_1.issueCommand('set-secret', {}, val); - throw new Error('Not implemented.'); +function setSecret(secret) { + command_1.issueCommand('add-mask', {}, secret); } -exports.exportSecret = exportSecret; +exports.setSecret = setSecret; /** * Prepends inputPath to the PATH (for this action and future actions) * @param inputPath @@ -221,7 +253,7 @@ exports.addPath = addPath; * @returns string */ function getInput(name, options) { - const val = process.env[`INPUT_${name.replace(' ', '_').toUpperCase()}`] || ''; + const val = process.env[`INPUT_${name.replace(/ /g, '_').toUpperCase()}`] || ''; if (options && options.required && !val) { throw new Error(`Input required and not supplied: ${name}`); } @@ -232,12 +264,22 @@ exports.getInput = getInput; * Sets the value of an output. * * @param name name of the output to set - * @param value value to store + * @param value value to store. Non-string values will be converted to a string via JSON.stringify */ +// eslint-disable-next-line @typescript-eslint/no-explicit-any function setOutput(name, value) { command_1.issueCommand('set-output', { name }, value); } exports.setOutput = setOutput; +/** + * Enables or disables the echoing of commands into stdout for the rest of the step. + * Echoing is disabled by default if ACTIONS_STEP_DEBUG is not set. + * + */ +function setCommandEcho(enabled) { + command_1.issue('echo', enabled ? 'on' : 'off'); +} +exports.setCommandEcho = setCommandEcho; //----------------------------------------------------------------------- // Results //----------------------------------------------------------------------- @@ -254,6 +296,13 @@ exports.setFailed = setFailed; //----------------------------------------------------------------------- // Logging Commands //----------------------------------------------------------------------- +/** + * Gets whether Actions Step Debug is on or not + */ +function isDebug() { + return process.env['RUNNER_DEBUG'] === '1'; +} +exports.isDebug = isDebug; /** * Writes debug message to user log * @param message debug message @@ -264,20 +313,28 @@ function debug(message) { exports.debug = debug; /** * Adds an error issue - * @param message error issue message + * @param message error issue message. Errors will be converted to string via toString() */ function error(message) { - command_1.issue('error', message); + command_1.issue('error', message instanceof Error ? message.toString() : message); } exports.error = error; /** * Adds an warning issue - * @param message warning issue message + * @param message warning issue message. Errors will be converted to string via toString() */ function warning(message) { - command_1.issue('warning', message); + command_1.issue('warning', message instanceof Error ? message.toString() : message); } exports.warning = warning; +/** + * Writes info to log with console.log. + * @param message info message + */ +function info(message) { + process.stdout.write(message + os.EOL); +} +exports.info = info; /** * Begin an output group. * @@ -318,6 +375,30 @@ function group(name, fn) { }); } exports.group = group; +//----------------------------------------------------------------------- +// Wrapper action state +//----------------------------------------------------------------------- +/** + * Saves state for current action, the state can only be retrieved by this action's post job execution. + * + * @param name name of the state to store + * @param value value to store. Non-string values will be converted to a string via JSON.stringify + */ +// eslint-disable-next-line @typescript-eslint/no-explicit-any +function saveState(name, value) { + command_1.issueCommand('save-state', { name }, value); +} +exports.saveState = saveState; +/** + * Gets the value of an state set by this action's main execution. + * + * @param name name of the state to get + * @returns string + */ +function getState(name) { + return process.env[`STATE_${name}`] || ''; +} +exports.getState = getState; //# sourceMappingURL=core.js.map /***/ }), diff --git a/dist/index.js b/dist/index.js index f7a65cd..e12897d 100644 --- a/dist/index.js +++ b/dist/index.js @@ -120,17 +120,24 @@ module.exports = require("child_process"); "use strict"; +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k]; + result["default"] = mod; + return result; +}; Object.defineProperty(exports, "__esModule", { value: true }); -const os = __webpack_require__(87); +const os = __importStar(__webpack_require__(87)); /** * Commands * * Command Format: - * ##[name key=value;key=value]message + * ::name key=value,key=value::message * * Examples: - * ##[warning]This is the user warning message - * ##[set-secret name=mypassword]definitelyNotAPassword! + * ::warning::This is the message + * ::set-env name=MY_VAR::some value */ function issueCommand(command, properties, message) { const cmd = new Command(command, properties, message); @@ -141,7 +148,7 @@ function issue(name, message = '') { issueCommand(name, {}, message); } exports.issue = issue; -const CMD_PREFIX = '##['; +const CMD_STRING = '::'; class Command { constructor(command, properties, message) { if (!command) { @@ -152,37 +159,56 @@ class Command { this.message = message; } toString() { - let cmdStr = CMD_PREFIX + this.command; + let cmdStr = CMD_STRING + this.command; if (this.properties && Object.keys(this.properties).length > 0) { cmdStr += ' '; + let first = true; for (const key in this.properties) { if (this.properties.hasOwnProperty(key)) { const val = this.properties[key]; if (val) { - // safely append the val - avoid blowing up when attempting to - // call .replace() if message is not a string for some reason - cmdStr += `${key}=${escape(`${val || ''}`)};`; + if (first) { + first = false; + } + else { + cmdStr += ','; + } + cmdStr += `${key}=${escapeProperty(val)}`; } } } } - cmdStr += ']'; - // safely append the message - avoid blowing up when attempting to - // call .replace() if message is not a string for some reason - const message = `${this.message || ''}`; - cmdStr += escapeData(message); + cmdStr += `${CMD_STRING}${escapeData(this.message)}`; return cmdStr; } } -function escapeData(s) { - return s.replace(/\r/g, '%0D').replace(/\n/g, '%0A'); +/** + * Sanitizes an input into a string so it can be passed into issueCommand safely + * @param input input to sanitize into a string + */ +function toCommandValue(input) { + if (input === null || input === undefined) { + return ''; + } + else if (typeof input === 'string' || input instanceof String) { + return input; + } + return JSON.stringify(input); } -function escape(s) { - return s +exports.toCommandValue = toCommandValue; +function escapeData(s) { + return toCommandValue(s) + .replace(/%/g, '%25') + .replace(/\r/g, '%0D') + .replace(/\n/g, '%0A'); +} +function escapeProperty(s) { + return toCommandValue(s) + .replace(/%/g, '%25') .replace(/\r/g, '%0D') .replace(/\n/g, '%0A') - .replace(/]/g, '%5D') - .replace(/;/g, '%3B'); + .replace(/:/g, '%3A') + .replace(/,/g, '%2C'); } //# sourceMappingURL=command.js.map @@ -202,9 +228,17 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge step((generator = generator.apply(thisArg, _arguments || [])).next()); }); }; +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k]; + result["default"] = mod; + return result; +}; Object.defineProperty(exports, "__esModule", { value: true }); const command_1 = __webpack_require__(431); -const path = __webpack_require__(622); +const os = __importStar(__webpack_require__(87)); +const path = __importStar(__webpack_require__(622)); /** * The code to exit an action */ @@ -223,28 +257,25 @@ var ExitCode; // Variables //----------------------------------------------------------------------- /** - * sets env variable for this action and future actions in the job + * Sets env variable for this action and future actions in the job * @param name the name of the variable to set - * @param val the value of the variable + * @param val the value of the variable. Non-string values will be converted to a string via JSON.stringify */ +// eslint-disable-next-line @typescript-eslint/no-explicit-any function exportVariable(name, val) { - process.env[name] = val; - command_1.issueCommand('set-env', { name }, val); + const convertedVal = command_1.toCommandValue(val); + process.env[name] = convertedVal; + command_1.issueCommand('set-env', { name }, convertedVal); } exports.exportVariable = exportVariable; /** - * exports the variable and registers a secret which will get masked from logs - * @param name the name of the variable to set - * @param val value of the secret + * Registers a secret which will get masked from logs + * @param secret value of the secret */ -function exportSecret(name, val) { - exportVariable(name, val); - // the runner will error with not implemented - // leaving the function but raising the error earlier - command_1.issueCommand('set-secret', {}, val); - throw new Error('Not implemented.'); +function setSecret(secret) { + command_1.issueCommand('add-mask', {}, secret); } -exports.exportSecret = exportSecret; +exports.setSecret = setSecret; /** * Prepends inputPath to the PATH (for this action and future actions) * @param inputPath @@ -262,7 +293,7 @@ exports.addPath = addPath; * @returns string */ function getInput(name, options) { - const val = process.env[`INPUT_${name.replace(' ', '_').toUpperCase()}`] || ''; + const val = process.env[`INPUT_${name.replace(/ /g, '_').toUpperCase()}`] || ''; if (options && options.required && !val) { throw new Error(`Input required and not supplied: ${name}`); } @@ -273,12 +304,22 @@ exports.getInput = getInput; * Sets the value of an output. * * @param name name of the output to set - * @param value value to store + * @param value value to store. Non-string values will be converted to a string via JSON.stringify */ +// eslint-disable-next-line @typescript-eslint/no-explicit-any function setOutput(name, value) { command_1.issueCommand('set-output', { name }, value); } exports.setOutput = setOutput; +/** + * Enables or disables the echoing of commands into stdout for the rest of the step. + * Echoing is disabled by default if ACTIONS_STEP_DEBUG is not set. + * + */ +function setCommandEcho(enabled) { + command_1.issue('echo', enabled ? 'on' : 'off'); +} +exports.setCommandEcho = setCommandEcho; //----------------------------------------------------------------------- // Results //----------------------------------------------------------------------- @@ -295,6 +336,13 @@ exports.setFailed = setFailed; //----------------------------------------------------------------------- // Logging Commands //----------------------------------------------------------------------- +/** + * Gets whether Actions Step Debug is on or not + */ +function isDebug() { + return process.env['RUNNER_DEBUG'] === '1'; +} +exports.isDebug = isDebug; /** * Writes debug message to user log * @param message debug message @@ -305,20 +353,28 @@ function debug(message) { exports.debug = debug; /** * Adds an error issue - * @param message error issue message + * @param message error issue message. Errors will be converted to string via toString() */ function error(message) { - command_1.issue('error', message); + command_1.issue('error', message instanceof Error ? message.toString() : message); } exports.error = error; /** * Adds an warning issue - * @param message warning issue message + * @param message warning issue message. Errors will be converted to string via toString() */ function warning(message) { - command_1.issue('warning', message); + command_1.issue('warning', message instanceof Error ? message.toString() : message); } exports.warning = warning; +/** + * Writes info to log with console.log. + * @param message info message + */ +function info(message) { + process.stdout.write(message + os.EOL); +} +exports.info = info; /** * Begin an output group. * @@ -359,6 +415,30 @@ function group(name, fn) { }); } exports.group = group; +//----------------------------------------------------------------------- +// Wrapper action state +//----------------------------------------------------------------------- +/** + * Saves state for current action, the state can only be retrieved by this action's post job execution. + * + * @param name name of the state to store + * @param value value to store. Non-string values will be converted to a string via JSON.stringify + */ +// eslint-disable-next-line @typescript-eslint/no-explicit-any +function saveState(name, value) { + command_1.issueCommand('save-state', { name }, value); +} +exports.saveState = saveState; +/** + * Gets the value of an state set by this action's main execution. + * + * @param name name of the state to get + * @returns string + */ +function getState(name) { + return process.env[`STATE_${name}`] || ''; +} +exports.getState = getState; //# sourceMappingURL=core.js.map /***/ }), diff --git a/package-lock.json b/package-lock.json deleted file mode 100644 index 12699b6..0000000 --- a/package-lock.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "name": "webfactory-action-ssh-agent", - "version": "0.1.0", - "lockfileVersion": 1, - "requires": true, - "dependencies": { - "@actions/core": { - "version": "1.2.4", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.4.tgz", - "integrity": "sha512-YJCEq8BE3CdN8+7HPZ/4DxJjk/OkZV2FFIf+DlZTC/4iBlzYCD5yjRR6eiOS5llO11zbRltIRuKAjMKaWTE6cg==", - "dev": true - }, - "@zeit/ncc": { - "version": "0.20.5", - "resolved": "https://registry.npmjs.org/@zeit/ncc/-/ncc-0.20.5.tgz", - "integrity": "sha512-XU6uzwvv95DqxciQx+aOLhbyBx/13ky+RK1y88Age9Du3BlA4mMPCy13BGjayOrrumOzlq1XV3SD/BWiZENXlw==", - "dev": true - } - } -} diff --git a/yarn.lock b/yarn.lock new file mode 100644 index 0000000..267f5d3 --- /dev/null +++ b/yarn.lock @@ -0,0 +1,13 @@ +# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. +# yarn lockfile v1 + + +"@actions/core@^1.2.4": + version "1.2.4" + resolved "https://registry.yarnpkg.com/@actions/core/-/core-1.2.4.tgz#96179dbf9f8d951dd74b40a0dbd5c22555d186ab" + integrity sha512-YJCEq8BE3CdN8+7HPZ/4DxJjk/OkZV2FFIf+DlZTC/4iBlzYCD5yjRR6eiOS5llO11zbRltIRuKAjMKaWTE6cg== + +"@zeit/ncc@^0.20.5": + version "0.20.5" + resolved "https://registry.yarnpkg.com/@zeit/ncc/-/ncc-0.20.5.tgz#a41af6e6bcab4a58f4612bae6137f70bce0192e3" + integrity sha512-XU6uzwvv95DqxciQx+aOLhbyBx/13ky+RK1y88Age9Du3BlA4mMPCy13BGjayOrrumOzlq1XV3SD/BWiZENXlw== From 9e5c1c7a9b63cddacf3175ea971055789bdbd9ac Mon Sep 17 00:00:00 2001 From: Matthias Pigulla Date: Mon, 7 Sep 2020 16:57:21 +0200 Subject: [PATCH 7/9] Point to blog post explaining how to use multiple GitHub deploy keys --- README.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 282c9cf..232050c 100644 --- a/README.md +++ b/README.md @@ -38,9 +38,9 @@ jobs: ### Using multiple keys -There are cases where you might need to use multiple keys. For example, "deployment keys" might be limited to a single repository each. +There are cases where you might need to use multiple keys. For example, "[deploy keys](https://docs.github.com/en/developers/overview/managing-deploy-keys#deploy-keys)" might be limited to a single repository, so you'll need several of them. -In that case, you can set-up the different keys as multiple secrets and pass them all to the action like so: +You can set up different keys as different secrets and pass them all to the action like so: ```yaml # ... contens as before @@ -55,7 +55,11 @@ In that case, you can set-up the different keys as multiple secrets and pass the The `ssh-agent` will load all of the keys and try each one in order when establishing SSH connections. There's one **caveat**, though: SSH servers may abort the connection attempt after a number of mismatching keys have been presented. So if, for example, you have -six different keys loaded into the `ssh-agent`, but the server aborts after five unknown keys, the last key (which might be the right one) will never even be tried. If you don't need all of the keys at the same time, you could try to `run: kill $SSH_AGENT_PID` to kill the currently running `ssh-agent` and use the action again in a following step to start another instance. +six different keys loaded into the `ssh-agent`, but the server aborts after five unknown keys, the last key (which might be the right one) will never even be tried. + +Also, when using **Github deploy keys**, GitHub servers will accept the first known key. But since deploy keys are scoped to a single repository, you might get the error message `fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.` if the wrong key/repository combination is tried. + +In both cases, you might want to [try a wrapper script around `ssh`](https://gist.github.com/mpdude/e56fcae5bc541b95187fa764aafb5e6d) that can pick the right key, based on key comments. See [our blog post](https://www.webfactory.de/blog/using-multiple-ssh-deploy-keys-with-github) for the full story. ## Exported variables The action exports the `SSH_AUTH_SOCK` and `SSH_AGENT_PID` environment variables through the Github Actions core module. From 3dd57c80a6b4328a5de9b32057f2f2d4f2723243 Mon Sep 17 00:00:00 2001 From: Matthias Pigulla Date: Wed, 7 Oct 2020 23:06:49 +0200 Subject: [PATCH 8/9] Update dependencies (#43) --- dist/cleanup.js | 110 +++++++++++++++++++++++++++++++++++++++--------- dist/index.js | 103 ++++++++++++++++++++++++++++++++++++--------- yarn.lock | 6 +-- 3 files changed, 178 insertions(+), 41 deletions(-) diff --git a/dist/cleanup.js b/dist/cleanup.js index e33f897..c8081be 100644 --- a/dist/cleanup.js +++ b/dist/cleanup.js @@ -43,6 +43,32 @@ module.exports = /************************************************************************/ /******/ ({ +/***/ 82: +/***/ (function(__unusedmodule, exports) { + +"use strict"; + +// We use any as a valid input type +/* eslint-disable @typescript-eslint/no-explicit-any */ +Object.defineProperty(exports, "__esModule", { value: true }); +/** + * Sanitizes an input into a string so it can be passed into issueCommand safely + * @param input input to sanitize into a string + */ +function toCommandValue(input) { + if (input === null || input === undefined) { + return ''; + } + else if (typeof input === 'string' || input instanceof String) { + return input; + } + return JSON.stringify(input); +} +exports.toCommandValue = toCommandValue; +//# sourceMappingURL=utils.js.map + +/***/ }), + /***/ 87: /***/ (function(module) { @@ -50,6 +76,42 @@ module.exports = require("os"); /***/ }), +/***/ 102: +/***/ (function(__unusedmodule, exports, __webpack_require__) { + +"use strict"; + +// For internal use, subject to change. +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k]; + result["default"] = mod; + return result; +}; +Object.defineProperty(exports, "__esModule", { value: true }); +// We use any as a valid input type +/* eslint-disable @typescript-eslint/no-explicit-any */ +const fs = __importStar(__webpack_require__(747)); +const os = __importStar(__webpack_require__(87)); +const utils_1 = __webpack_require__(82); +function issueCommand(command, message) { + const filePath = process.env[`GITHUB_${command}`]; + if (!filePath) { + throw new Error(`Unable to find environment variable for file command ${command}`); + } + if (!fs.existsSync(filePath)) { + throw new Error(`Missing file at path: ${filePath}`); + } + fs.appendFileSync(filePath, `${utils_1.toCommandValue(message)}${os.EOL}`, { + encoding: 'utf8' + }); +} +exports.issueCommand = issueCommand; +//# sourceMappingURL=file-command.js.map + +/***/ }), + /***/ 129: /***/ (function(module) { @@ -89,6 +151,7 @@ var __importStar = (this && this.__importStar) || function (mod) { }; Object.defineProperty(exports, "__esModule", { value: true }); const os = __importStar(__webpack_require__(87)); +const utils_1 = __webpack_require__(82); /** * Commands * @@ -142,28 +205,14 @@ class Command { return cmdStr; } } -/** - * Sanitizes an input into a string so it can be passed into issueCommand safely - * @param input input to sanitize into a string - */ -function toCommandValue(input) { - if (input === null || input === undefined) { - return ''; - } - else if (typeof input === 'string' || input instanceof String) { - return input; - } - return JSON.stringify(input); -} -exports.toCommandValue = toCommandValue; function escapeData(s) { - return toCommandValue(s) + return utils_1.toCommandValue(s) .replace(/%/g, '%25') .replace(/\r/g, '%0D') .replace(/\n/g, '%0A'); } function escapeProperty(s) { - return toCommandValue(s) + return utils_1.toCommandValue(s) .replace(/%/g, '%25') .replace(/\r/g, '%0D') .replace(/\n/g, '%0A') @@ -197,6 +246,8 @@ var __importStar = (this && this.__importStar) || function (mod) { }; Object.defineProperty(exports, "__esModule", { value: true }); const command_1 = __webpack_require__(431); +const file_command_1 = __webpack_require__(102); +const utils_1 = __webpack_require__(82); const os = __importStar(__webpack_require__(87)); const path = __importStar(__webpack_require__(622)); /** @@ -223,9 +274,17 @@ var ExitCode; */ // eslint-disable-next-line @typescript-eslint/no-explicit-any function exportVariable(name, val) { - const convertedVal = command_1.toCommandValue(val); + const convertedVal = utils_1.toCommandValue(val); process.env[name] = convertedVal; - command_1.issueCommand('set-env', { name }, convertedVal); + const filePath = process.env['GITHUB_ENV'] || ''; + if (filePath) { + const delimiter = '_GitHubActionsFileCommandDelimeter_'; + const commandValue = `${name}<<${delimiter}${os.EOL}${convertedVal}${os.EOL}${delimiter}`; + file_command_1.issueCommand('ENV', commandValue); + } + else { + command_1.issueCommand('set-env', { name }, convertedVal); + } } exports.exportVariable = exportVariable; /** @@ -241,7 +300,13 @@ exports.setSecret = setSecret; * @param inputPath */ function addPath(inputPath) { - command_1.issueCommand('add-path', {}, inputPath); + const filePath = process.env['GITHUB_PATH'] || ''; + if (filePath) { + file_command_1.issueCommand('PATH', inputPath); + } + else { + command_1.issueCommand('add-path', {}, inputPath); + } process.env['PATH'] = `${inputPath}${path.delimiter}${process.env['PATH']}`; } exports.addPath = addPath; @@ -408,6 +473,13 @@ exports.getState = getState; module.exports = require("path"); +/***/ }), + +/***/ 747: +/***/ (function(module) { + +module.exports = require("fs"); + /***/ }) /******/ }); \ No newline at end of file diff --git a/dist/index.js b/dist/index.js index e12897d..173d8ea 100644 --- a/dist/index.js +++ b/dist/index.js @@ -43,6 +43,32 @@ module.exports = /************************************************************************/ /******/ ({ +/***/ 82: +/***/ (function(__unusedmodule, exports) { + +"use strict"; + +// We use any as a valid input type +/* eslint-disable @typescript-eslint/no-explicit-any */ +Object.defineProperty(exports, "__esModule", { value: true }); +/** + * Sanitizes an input into a string so it can be passed into issueCommand safely + * @param input input to sanitize into a string + */ +function toCommandValue(input) { + if (input === null || input === undefined) { + return ''; + } + else if (typeof input === 'string' || input instanceof String) { + return input; + } + return JSON.stringify(input); +} +exports.toCommandValue = toCommandValue; +//# sourceMappingURL=utils.js.map + +/***/ }), + /***/ 87: /***/ (function(module) { @@ -50,6 +76,42 @@ module.exports = require("os"); /***/ }), +/***/ 102: +/***/ (function(__unusedmodule, exports, __webpack_require__) { + +"use strict"; + +// For internal use, subject to change. +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k]; + result["default"] = mod; + return result; +}; +Object.defineProperty(exports, "__esModule", { value: true }); +// We use any as a valid input type +/* eslint-disable @typescript-eslint/no-explicit-any */ +const fs = __importStar(__webpack_require__(747)); +const os = __importStar(__webpack_require__(87)); +const utils_1 = __webpack_require__(82); +function issueCommand(command, message) { + const filePath = process.env[`GITHUB_${command}`]; + if (!filePath) { + throw new Error(`Unable to find environment variable for file command ${command}`); + } + if (!fs.existsSync(filePath)) { + throw new Error(`Missing file at path: ${filePath}`); + } + fs.appendFileSync(filePath, `${utils_1.toCommandValue(message)}${os.EOL}`, { + encoding: 'utf8' + }); +} +exports.issueCommand = issueCommand; +//# sourceMappingURL=file-command.js.map + +/***/ }), + /***/ 104: /***/ (function(__unusedmodule, __unusedexports, __webpack_require__) { @@ -129,6 +191,7 @@ var __importStar = (this && this.__importStar) || function (mod) { }; Object.defineProperty(exports, "__esModule", { value: true }); const os = __importStar(__webpack_require__(87)); +const utils_1 = __webpack_require__(82); /** * Commands * @@ -182,28 +245,14 @@ class Command { return cmdStr; } } -/** - * Sanitizes an input into a string so it can be passed into issueCommand safely - * @param input input to sanitize into a string - */ -function toCommandValue(input) { - if (input === null || input === undefined) { - return ''; - } - else if (typeof input === 'string' || input instanceof String) { - return input; - } - return JSON.stringify(input); -} -exports.toCommandValue = toCommandValue; function escapeData(s) { - return toCommandValue(s) + return utils_1.toCommandValue(s) .replace(/%/g, '%25') .replace(/\r/g, '%0D') .replace(/\n/g, '%0A'); } function escapeProperty(s) { - return toCommandValue(s) + return utils_1.toCommandValue(s) .replace(/%/g, '%25') .replace(/\r/g, '%0D') .replace(/\n/g, '%0A') @@ -237,6 +286,8 @@ var __importStar = (this && this.__importStar) || function (mod) { }; Object.defineProperty(exports, "__esModule", { value: true }); const command_1 = __webpack_require__(431); +const file_command_1 = __webpack_require__(102); +const utils_1 = __webpack_require__(82); const os = __importStar(__webpack_require__(87)); const path = __importStar(__webpack_require__(622)); /** @@ -263,9 +314,17 @@ var ExitCode; */ // eslint-disable-next-line @typescript-eslint/no-explicit-any function exportVariable(name, val) { - const convertedVal = command_1.toCommandValue(val); + const convertedVal = utils_1.toCommandValue(val); process.env[name] = convertedVal; - command_1.issueCommand('set-env', { name }, convertedVal); + const filePath = process.env['GITHUB_ENV'] || ''; + if (filePath) { + const delimiter = '_GitHubActionsFileCommandDelimeter_'; + const commandValue = `${name}<<${delimiter}${os.EOL}${convertedVal}${os.EOL}${delimiter}`; + file_command_1.issueCommand('ENV', commandValue); + } + else { + command_1.issueCommand('set-env', { name }, convertedVal); + } } exports.exportVariable = exportVariable; /** @@ -281,7 +340,13 @@ exports.setSecret = setSecret; * @param inputPath */ function addPath(inputPath) { - command_1.issueCommand('add-path', {}, inputPath); + const filePath = process.env['GITHUB_PATH'] || ''; + if (filePath) { + file_command_1.issueCommand('PATH', inputPath); + } + else { + command_1.issueCommand('add-path', {}, inputPath); + } process.env['PATH'] = `${inputPath}${path.delimiter}${process.env['PATH']}`; } exports.addPath = addPath; diff --git a/yarn.lock b/yarn.lock index 267f5d3..83381c3 100644 --- a/yarn.lock +++ b/yarn.lock @@ -3,9 +3,9 @@ "@actions/core@^1.2.4": - version "1.2.4" - resolved "https://registry.yarnpkg.com/@actions/core/-/core-1.2.4.tgz#96179dbf9f8d951dd74b40a0dbd5c22555d186ab" - integrity sha512-YJCEq8BE3CdN8+7HPZ/4DxJjk/OkZV2FFIf+DlZTC/4iBlzYCD5yjRR6eiOS5llO11zbRltIRuKAjMKaWTE6cg== + version "1.2.6" + resolved "https://registry.yarnpkg.com/@actions/core/-/core-1.2.6.tgz#a78d49f41a4def18e88ce47c2cac615d5694bf09" + integrity sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA== "@zeit/ncc@^0.20.5": version "0.20.5" From ee29fafb6aa450493bac9136b346e51ea60a8b5e Mon Sep 17 00:00:00 2001 From: Matthias Pigulla Date: Wed, 7 Oct 2020 21:08:38 +0000 Subject: [PATCH 9/9] Update README for a 0.4.1 release --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 232050c..18e26de 100644 --- a/README.md +++ b/README.md @@ -27,9 +27,9 @@ jobs: ... steps: - actions/checkout@v1 - # Make sure the @v0.4.0 matches the current version of the + # Make sure the @v0.4.1 matches the current version of the # action - - uses: webfactory/ssh-agent@v0.4.0 + - uses: webfactory/ssh-agent@v0.4.1 with: ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} - ... other steps @@ -44,7 +44,7 @@ You can set up different keys as different secrets and pass them all to the acti ```yaml # ... contens as before - - uses: webfactory/ssh-agent@v0.4.0 + - uses: webfactory/ssh-agent@v0.4.1 with: ssh-private-key: | ${{ secrets.FIRST_KEY }}