actions/ssh-agent
1
0
Fork 0
mirror of https://github.com/webfactory/ssh-agent.git synced 2025-04-21 22:08:41 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: actions:master
Branches Tags
actions:master
actions:mkdir-p
actions:camilo/log-public-key
actions:demo-go-get
actions:debug-windows-ssh
actions:deploy-key-wrapper
actions:v0.9.1
actions:v0.9.0
actions:v0.8.0
actions:v0.7.0
actions:v0.6.0
actions:v0.5.4
actions:v0.5.3
actions:v0.5.2
actions:v0.5.1
actions:v0.5.0
actions:v0.4.1
actions:v0.4.0
actions:v0.3.0
actions:v0.2.0
actions:v0.1.1
actions:v0.1.0
..
compare: actions:v0.7.0
Branches Tags
actions:master
actions:mkdir-p
actions:camilo/log-public-key
actions:demo-go-get
actions:debug-windows-ssh
actions:deploy-key-wrapper
actions:v0.9.1
actions:v0.9.0
actions:v0.8.0
actions:v0.7.0
actions:v0.6.0
actions:v0.5.4
actions:v0.5.3
actions:v0.5.2
actions:v0.5.1
actions:v0.5.0
actions:v0.4.1
actions:v0.4.0
actions:v0.3.0
actions:v0.2.0
actions:v0.1.1
actions:v0.1.0

No commits in common. "master" and "v0.7.0" have entirely different histories.
master ... v0.7.0

9 changed files with 67 additions and 134 deletions
Show stats Expand all files Collapse all files

4
.github/workflows/demo.yml vendored
View file

@ -8,7 +8,7 @@ jobs:
os: [ ubuntu-latest, macOS-latest, windows-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v2
- name: Setup key
uses: ./
with:
@ -28,7 +28,7 @@ jobs:
container:
image: ubuntu:latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v2
- run: apt update && apt install -y openssh-client git
- name: Setup key
uses: ./

21
CHANGELOG.md
View file

@ -7,27 +7,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
## v0.9.1 [2024-03-17]
### Fixed
* Fix path used to execute ssh-agent in cleanup.js to respect custom paths set by input (#235)
## v0.9.0 [2024-02-06]
### Changed
* Update all versions of `actions/checkout` to v4 (#199)
* Update to Node 20 (#201)
## v0.8.0 [2023-03-24]
### Changed
* No longer writing GitHub's SSH host keys to `known_hosts` (#171)
* Update to actions/checkout@v3 (#143)
* Allow the user to override the commands for git, ssh-agent, and ssh-add (#154)
## v0.7.0 [2022-10-19]
### Added

67
README.md
View file

@ -1,9 +1,10 @@
# `ssh-agent` GitHub Action
This action
* starts the `ssh-agent`,
* exports the `SSH_AUTH_SOCK` environment variable, and
* loads one or several private SSH key into the agent.
This action
* starts the `ssh-agent`,
* exports the `SSH_AUTH_SOCK` environment variable,
* loads one or several private SSH key into the agent and
* configures `known_hosts` for GitHub.com.
It should work in all GitHub Actions virtual environments, including container-based workflows.
@ -26,7 +27,7 @@ GitHub Actions only have access to the repository they run for. So, in order to
* In your repository, go to the *Settings > Secrets* menu and create a new secret. In this example, we'll call it `SSH_PRIVATE_KEY`.
* Put the contents of the *private* SSH key file into the contents field. <br>
* This key should start with `-----BEGIN ... PRIVATE KEY-----`, consist of many lines and ends with `-----END ... PRIVATE KEY-----`.
5. In your workflow definition file, add the following step. Preferably this would be rather on top, near the `actions/checkout@v4` line.
5. In your workflow definition file, add the following step. Preferably this would be rather on top, near the `actions/checkout@v2` line.
```yaml
# .github/workflows/my-workflow.yml
@ -34,12 +35,13 @@ jobs:
my_job:
...
steps:
- uses: actions/checkout@v4
# Make sure the @v0.9.0 matches the current version of the action
- uses: webfactory/ssh-agent@v0.9.0
- actions/checkout@v2
# Make sure the @v0.6.0 matches the current version of the
# action
- uses: webfactory/ssh-agent@v0.6.0
with:
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
# ... other steps
- ... other steps
```
5. If, for some reason, you need to change the location of the SSH agent socket, you can use the `ssh-auth-sock` input to provide a path.
@ -50,8 +52,8 @@ There are cases where you might need to use multiple keys. For example, "[deploy
You can set up different keys as different secrets and pass them all to the action like so:
```yaml
# ... contents as before
- uses: webfactory/ssh-agent@v0.9.0
# ... contens as before
- uses: webfactory/ssh-agent@v0.6.0
with:
ssh-private-key: |
${{ secrets.FIRST_KEY }}
@ -81,9 +83,6 @@ The following inputs can be used to control the action's behavior:
* `ssh-private-key`: Required. Use this to provide the key(s) to load as GitHub Actions secrets.
* `ssh-auth-sock`: Can be used to control where the SSH agent socket will be placed. Ultimately affects the `$SSH_AUTH_SOCK` environment variable.
* `log-public-key`: Set this to `false` if you want to suppress logging of _public_ key information. To simplify debugging and since it contains public key information only, this is turned on by default.
* `ssh-agent-cmd`: Optional. Use this to specify a custom location for the `ssh-agent` binary.
* `ssh-add-cmd`: Optional. Use this to specify a custom location for the `ssh-add` binary.
* `git-cmd`: Optional. Use this to specify a custom location for the `git` binary.
## Exported variables
@ -111,11 +110,9 @@ If you know that your favorite tool or platform of choice requires extra tweaks
If you are using this action on container-based workflows, make sure the container has the necessary SSH binaries or package(s) installed.
### Building Docker Images and/or Using the `docker/build-push-action` Action
### Using the `docker/build-push-action` Action
When you are building Docker images with `docker build` or `docker compose build` and need to provide the SSH keys to the build, don't forget to pass `--ssh default=${{ env.SSH_AUTH_SOCK }}` on the command line to pass the SSH agent socket through. See the [Docker documentation](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) for more information on this option.
If you are using the `docker/build-push-action`, you can do so by adding the following config.
If you are using the `docker/build-push-action`, and would like to pass the SSH key, you can do so by adding the following config to pass the socket file through:
```yml
- name: Build and push
@ -126,45 +123,35 @@ If you are using the `docker/build-push-action`, you can do so by adding the fol
default=${{ env.SSH_AUTH_SOCK }}
```
Make sure not to miss the next section, though.
### Using the `docker/build-push-action` Action together with multiple Deploy Keys
### Using Multiple Deploy Keys Inside Docker Builds
If you use the `docker/build-push-action` and want to use multiple GitHub deploy keys, you need to copy the git and ssh configuration to the container during the build. Otherwise, the Docker build process would still not know how to handle multiple deploy keys. Even if the ssh agent was set up correctly on the runner.
When you pass the SSH agent socket to the Docker build environment _and_ want to use multiple GitHub deploy keys, you need to copy the Git and SSH configuration files to the build environment as well. This is necessary _in addition to_ forwarding the SSH agent socket into the build process. The config files are required so that Git can pick the right one from your deployment keys.
This requires an additional step in the workflow file **after** the `ssh-agent` step and **before** the Docker build step. You also need two additional lines in the `Dockerfile` to actually copy the configs.
The following example will:
* collect the necessary Git and SSH configuration files in a directory that must be part of the Docker build context so that...
* ... the files can be copied into the Docker image (or an intermediate build stage).
This requires an additional step in the actions workflow and two additional lines in the Dockerfile.
Workflow:
```yml
- name: ssh-agent setup
...
- name: Collect Git and SSH config files in a directory that is part of the Docker build context
- name: Prepare git and ssh config for build context
run: |
mkdir root-config
cp -r ~/.gitconfig ~/.ssh root-config/
- name: Docker build
# build-push-action | docker [compose] build | etc.
...
- name: Build and push
id: docker_build
uses: docker/build-push-action@v2
with:
ssh: |
default=${{ env.SSH_AUTH_SOCK }}
```
Dockerfile:
```Dockerfile
# Copy the two files in place and fix different path/locations inside the Docker image
COPY root-config /root/
RUN sed 's|/home/runner|/root|g' -i.bak /root/.ssh/config
```
Keep in mind that the resulting Docker image now might contain these customized Git and SSH configuration files! Your private SSH keys are never written to files anywhere, just loaded into the SSH agent and forwarded into the container. The config files might, however, give away details about your build or development process and contain the names and URLs of your (private) repositories. You might want to use a multi-staged build to make sure these files do not end up in the final image.
Have in mind that the Dockerfile now contains customized git and ssh configurations. If you don't want that in your final image, use multi-stage builds.
If you still get the error message: `fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.`, you most likely forgot one of the steps above.
### Cargo's (Rust) Private Dependencies on Windows
@ -271,4 +258,4 @@ developer looking for new challenges, we'd like to hear from you!
- <https://www.webfactory.de>
- <https://twitter.com/webfactory>
Copyright 2019 2023 webfactory GmbH, Bonn. Code released under [the MIT license](LICENSE).
Copyright 2019 2022 webfactory GmbH, Bonn. Code released under [the MIT license](LICENSE).

12
action.yml
View file

@ -10,21 +10,11 @@ inputs:
description: 'Whether or not to log public key fingerprints'
required: false
default: true
ssh-agent-cmd:
description: 'ssh-agent command'
required: false
ssh-add-cmd:
description: 'ssh-add command'
required: false
git-cmd:
description: 'git command'
required: false
runs:
using: 'node20'
using: 'node16'
main: 'dist/index.js'
post: 'dist/cleanup.js'
post-if: 'always()'
branding:
icon: loader
color: 'yellow'

1
cleanup.js
View file

@ -1,3 +1,4 @@
const core = require('@actions/core');
const { execFileSync } = require('child_process');
const { sshAgentCmd } = require('./paths.js');

27
dist/cleanup.js vendored
View file

@ -597,6 +597,7 @@ exports.debug = debug; // for test
/***/ 175:
/***/ (function(__unusedmodule, __unusedexports, __webpack_require__) {
const core = __webpack_require__(470);
const { execFileSync } = __webpack_require__(129);
const { sshAgentCmd } = __webpack_require__(972);
@ -2821,32 +2822,20 @@ exports.default = _default;
/***/ (function(module, __unusedexports, __webpack_require__) {
const os = __webpack_require__(87);
const core = __webpack_require__(470);
const defaults = (process.env['OS'] != 'Windows_NT') ? {
module.exports = (process.env['OS'] != 'Windows_NT') ? {
// Use getent() system call, since this is what ssh does; makes a difference in Docker-based
// Action runs, where $HOME is different from the pwent
homePath: os.userInfo().homedir,
sshAgentCmdDefault: 'ssh-agent',
sshAddCmdDefault: 'ssh-add',
gitCmdDefault: 'git'
sshAgentCmd: 'ssh-agent',
sshAddCmd: 'ssh-add',
gitCmd: 'git'
} : {
// Assuming GitHub hosted `windows-*` runners for now
homePath: os.homedir(),
sshAgentCmdDefault: 'c://progra~1//git//usr//bin//ssh-agent.exe',
sshAddCmdDefault: 'c://progra~1//git//usr//bin//ssh-add.exe',
gitCmdDefault: 'c://progra~1//git//bin//git.exe'
};
const sshAgentCmdInput = core.getInput('ssh-agent-cmd');
const sshAddCmdInput = core.getInput('ssh-add-cmd');
const gitCmdInput = core.getInput('git-cmd');
module.exports = {
homePath: defaults.homePath,
sshAgentCmd: sshAgentCmdInput !== '' ? sshAgentCmdInput : defaults.sshAgentCmdDefault,
sshAddCmd: sshAddCmdInput !== '' ? sshAddCmdInput : defaults.sshAddCmdDefault,
gitCmd: gitCmdInput !== '' ? gitCmdInput : defaults.gitCmdDefault,
sshAgentCmd: 'c://progra~1//git//usr//bin//ssh-agent.exe',
sshAddCmd: 'c://progra~1//git//usr//bin//ssh-add.exe',
gitCmd: 'c://progra~1//git//bin//git.exe'
};

32
dist/index.js vendored
View file

@ -335,7 +335,13 @@ try {
}
const homeSsh = homePath + '/.ssh';
console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`);
fs.mkdirSync(homeSsh, { recursive: true });
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=\n');
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl\n');
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n');
console.log("Starting ssh-agent");
@ -2895,32 +2901,20 @@ exports.default = _default;
/***/ (function(module, __unusedexports, __webpack_require__) {
const os = __webpack_require__(87);
const core = __webpack_require__(470);
const defaults = (process.env['OS'] != 'Windows_NT') ? {
module.exports = (process.env['OS'] != 'Windows_NT') ? {
// Use getent() system call, since this is what ssh does; makes a difference in Docker-based
// Action runs, where $HOME is different from the pwent
homePath: os.userInfo().homedir,
sshAgentCmdDefault: 'ssh-agent',
sshAddCmdDefault: 'ssh-add',
gitCmdDefault: 'git'
sshAgentCmd: 'ssh-agent',
sshAddCmd: 'ssh-add',
gitCmd: 'git'
} : {
// Assuming GitHub hosted `windows-*` runners for now
homePath: os.homedir(),
sshAgentCmdDefault: 'c://progra~1//git//usr//bin//ssh-agent.exe',
sshAddCmdDefault: 'c://progra~1//git//usr//bin//ssh-add.exe',
gitCmdDefault: 'c://progra~1//git//bin//git.exe'
};
const sshAgentCmdInput = core.getInput('ssh-agent-cmd');
const sshAddCmdInput = core.getInput('ssh-add-cmd');
const gitCmdInput = core.getInput('git-cmd');
module.exports = {
homePath: defaults.homePath,
sshAgentCmd: sshAgentCmdInput !== '' ? sshAgentCmdInput : defaults.sshAgentCmdDefault,
sshAddCmd: sshAddCmdInput !== '' ? sshAddCmdInput : defaults.sshAddCmdDefault,
gitCmd: gitCmdInput !== '' ? gitCmdInput : defaults.gitCmdDefault,
sshAgentCmd: 'c://progra~1//git//usr//bin//ssh-agent.exe',
sshAddCmd: 'c://progra~1//git//usr//bin//ssh-add.exe',
gitCmd: 'c://progra~1//git//bin//git.exe'
};

6
index.js
View file

@ -15,7 +15,13 @@ try {
}
const homeSsh = homePath + '/.ssh';
console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`);
fs.mkdirSync(homeSsh, { recursive: true });
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=\n');
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl\n');
fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n');
console.log("Starting ssh-agent");

31
paths.js
View file

@ -1,29 +1,16 @@
const os = require('os');
const core = require('@actions/core');
const defaults = (process.env['OS'] != 'Windows_NT') ? {
// We use os.userInfo() rather than os.homedir(), since it uses the getpwuid() system call to get the user's home directory (see https://nodejs.org/api/os.html#osuserinfooptions).
// This mimics the way openssh derives the home directory for locating config files (see https://github.com/openssh/openssh-portable/blob/826483d51a9fee60703298bbf839d9ce37943474/ssh.c#L710);
// Makes a difference in Docker-based Action runs, when $HOME is different from what getpwuid() returns (which is based on the entry in /etc/passwd)
module.exports = (process.env['OS'] != 'Windows_NT') ? {
// Use getent() system call, since this is what ssh does; makes a difference in Docker-based
// Action runs, where $HOME is different from the pwent
homePath: os.userInfo().homedir,
sshAgentCmdDefault: 'ssh-agent',
sshAddCmdDefault: 'ssh-add',
gitCmdDefault: 'git'
sshAgentCmd: 'ssh-agent',
sshAddCmd: 'ssh-add',
gitCmd: 'git'
} : {
// Assuming GitHub hosted `windows-*` runners for now
homePath: os.homedir(),
sshAgentCmdDefault: 'c://progra~1//git//usr//bin//ssh-agent.exe',
sshAddCmdDefault: 'c://progra~1//git//usr//bin//ssh-add.exe',
gitCmdDefault: 'c://progra~1//git//bin//git.exe'
};
const sshAgentCmdInput = core.getInput('ssh-agent-cmd');
const sshAddCmdInput = core.getInput('ssh-add-cmd');
const gitCmdInput = core.getInput('git-cmd');
module.exports = {
homePath: defaults.homePath,
sshAgentCmd: sshAgentCmdInput !== '' ? sshAgentCmdInput : defaults.sshAgentCmdDefault,
sshAddCmd: sshAddCmdInput !== '' ? sshAddCmdInput : defaults.sshAddCmdDefault,
gitCmd: gitCmdInput !== '' ? gitCmdInput : defaults.gitCmdDefault,
sshAgentCmd: 'c://progra~1//git//usr//bin//ssh-agent.exe',
sshAddCmd: 'c://progra~1//git//usr//bin//ssh-add.exe',
gitCmd: 'c://progra~1//git//bin//git.exe'
};