webfactory / ssh-agent
GitHub Action to setup `ssh-agent` with a private key
License: MIT License
I am running a workflow on ubuntu-20.04 with container centos:7.
```yaml
job-name:
  runs-on: ubuntu-20.04
  container:
    image: centos:7
  steps:
    - uses: webfactory/[email protected]
      with:
        ssh-private-key: |
          ${{ secrets.SSH_KEY }}
          ${{ secrets.SSH_KEY_2 }}
```
I get this error while starting the ssh-agent.
```
Adding GitHub.com keys to /root/.ssh/known_hosts
Starting ssh-agent
Error: spawnSync ssh-agent ENOENT
```
Can someone help me fix this?
I have set up a Xcode project with a private repository as dependency using Swift Package Manager. Therefore I have to add the ssh key for the dependency. Cloning the repository in a Github Action step is working well, but when I try to build the app in a step with xcodebuild I get the following error:
xcodebuild: error: Could not resolve package dependencies: The server SSH fingerprint failed to verify.
On a self-hosted Agent Instance there pop up some error after building once. The second build shows this:
```
Run webfactory/[email protected]
bind: Address already in use
Adding GitHub.com keys to /root/.ssh/known_hosts
unix_listener: cannot bind to path: /tmp/ssh-auth.sock
Starting ssh-agent
##[error]Command failed: ssh-agent -a /tmp/ssh-auth.sock
bind: Address already in use
unix_listener: cannot bind to path: /tmp/ssh-auth.sock
```
I don't know how I can solve it, do you have an idea?
Best Regards
I want to access two different private repositories that contain packages for an App. I have created one ssh key for each of the two repos, added the private key to the secrets of the App-Repository and the public keys as deploy keys in the private package repositories.
My workflow looks as follows:
```yaml
- uses: webfactory/[email protected]
  with:
    ssh-private-key: |
      ${{ secrets.SSH_PRIVATE_KEY_APISERVICE }}
      ${{ secrets.SSH_PRIVATE_KEY_WIDGETS }}
- run: git clone [email protected]:[organization-name]/[repository-name1]
- run: git clone [email protected]:[organization-name]/[repository-name2]
```
The public keys look like the following:
ssh-rsa AA[...]Gj
[email protected]:[organization-name]/[repository-name1]
Running the workflow produces the following log:
```
Adding GitHub.com keys to /home/runner/.ssh/known_hosts
Starting ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-To1irqpM9o5v/agent.1571
SSH_AGENT_PID=1572
Adding private key(s) to agent
Identity added: (stdin) ((stdin))
Identity added: (stdin) ((stdin))
Key(s) added:
2048 SHA256:lF6[...]JsM (stdin) (RSA)
2048 SHA256:Wqc[...]FMbA8 (stdin) (RSA)
Configuring deployment key(s)
Comment for key 'ssh-rsa AA[...]Gj (stdin)' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.
Comment for key 'ssh-rsa AA[...]Gb (stdin)' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.
Comment for key '' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.
```
Afterwards, the first `git clone` command works as expected, the second one fails with the error:
```
ERROR: Repository not found.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Error: Process completed with exit code 128.
```
It's always the second clone command that fails, even if I swap the order in which the repositories are cloned.
I'm stuck and don't know if I am doing something wrong, or if this is some Bug with this Action. Any help is very appreciated!
Hey again, seems like I keep on bumping to your actions
I've tried adding this, and I get a successful message
```
Starting ssh-agent
Adding private key to agent
Identity added: (stdin)
```
However, when trying to do a clone or submodule init, I get this:
```
Host key verification failed.
fatal: Could not read from remote repository.
```
I've tried cloning the repo using the key, and it works on my machine. I've seen a note in keyscan but I'm not really sure if it's the correct command
I used this to no avail
```
ssh-keyscan -t rsa bitbucket.org | ssh-keygen -lf -
```
I've spent today trying to get this GitHub action working but no matter what I try it doesn't do anything.
It appears to me as if the steps are no longer connected. For completeness, here's my workflow file.
```yaml
[...]
steps:
  - uses: actions/checkout@v1
  - uses: webfactory/[email protected]
    with:
      ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
  - name: 'SSH: trust host'
    run: for ip in $(dig @1.1.1.1 ${DEPLOY_HOST} +short); do ssh-keyscan ${DEPLOY_HOST},$ip; ssh-keyscan $ip; done 2>/dev/null >> ~/.ssh/known_hosts
    env:
      DEPLOY_HOST: "my-private-host.com"
  - name: "synoa/github-action-git-exec"
    uses: synoa/github-action-git-exec@master
    with:
      git_cmd: "git push user@${DEPLOY_HOST}:/path/to/my/repo.git HEAD:master"
    env:
      GIT_SSH_COMMAND: "ssh -vvv -o StrictHostKeyChecking=no"
      SSH_AUTH_SOCK: "/tmp/ssh-auth.sock"
      DEPLOY_HOST: "my-private-host.com"
```
`synoa/github-action-git-exec` just executes a shell command (see https://github.com/synoa/github-action-git-exec/blob/master/entrypoint.sh#L4).
I've attached an execution log from one of the failed executions:
github-action.log
I've had a lot of "Host verification failed" issues, which according to #6 (comment) can be fixed by adding a script that adds the Host to the known hosts file - this didn't work as well so I highly speculate that GitHub Actions no longer shares its "state" between steps.
When I change my Action to run the following script I can login and push to my remote server without any issues:
```yaml
[...]
- name: "synoa/github-action-git-exec"
  uses: synoa/github-action-git-exec@master
  with:
    git_cmd: "mkdir /root/.ssh && echo \"${{ secrets.SSH_PRIVATE_KEY }}\" > /root/.ssh/id_rsa && chmod 400 /root/.ssh/id_rsa && git push synoa@${DEPLOY_HOST}:/path/to/my/repo.git HEAD:master"
  env:
    GIT_SSH_COMMAND: "ssh -vvv -o StrictHostKeyChecking=no"
    DEPLOY_HOST: "my-private-host.com"
```
This command works fine, but adding the same key using this action does not work.
If I can help in any way, please let me know!
This action does not work. I noticed you've hardcoded some public keys and not rely on the `SSH-PRIVATE-KEY` env var
The motivation for this issue is well related to #36.
In my case, having this action to support passphrases would allow me to use this action prior to running a binary (Terraform) that will clone additional Github Repositories. Those repositories are private and are in an organization that requires SSH keys to have passphrases as a SAML policy.
If supporting it is really out of scope, could you please shed me some light on workarounds for this scenario?
Thanks in advance and great job!
```
Run webfactory/[email protected]
Adding GitHub.com keys to /Users/runner/.ssh/known_hosts
Starting ssh-agent
Adding private key to agent
Identity added: (stdin) ([email protected])
Keys added:
256 SHA256:< SHA > [email protected] (ED25519)
```
Could you add an option ( options ) to hide [email protected] in logs?
Also I would like to hide `SHA256:< SHA >`.
When I build I get the following text in the actions log:
```
Adding private key(s) to agent
Key(s) added:
3072 SHA256:sgR7...Z7qM [email protected] (RSA)
Configuring deployment key(s)
Comment for key 'ssh-rsa AA...iNk= [email protected]' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.
```
The key was added to ssh-agent and functionality is correct (I'm not using it as a deploy key), but the full text of the private key is leaked in the build logs. Please fix?
Do you have any idea what was wrong with that?
https://github.com/webfactory/ssh-agent/issues/9#issue-526665922
Not exactly a bug, but I found it challenging to find a solution that works with docker build when using multiple deploy keys. The reason seems to be that the build container doesn't have the ssh and git config necessary to map the right key to the right repo.
For example:
```yaml
- name: Setup SSH
  uses: webfactory/[email protected]
  with:
    ssh-private-key: |
      ${{ secrets.DEPLOY_KEY_A }}
      ${{ secrets.DEPLOY_KEY_B }}
- name: Works Well!
  run: |
    git clone github.com/me/private-repo-a
    git clone github.com/me/private-repo-b
- name: Doesn't work :(
  run: |
    cat > Dockerfile <<EOF
    FROM debian
    RUN --mount=type=ssh git clone github.com/me/private-repo-a
    RUN --mount=type=ssh git clone github.com/me/private-repo-b
    EOF
    docker build --ssh default .
```
The docker build has access to the keys, but it doesn't use the right one for each repo, so one of the checkouts will fail.
My solution was to copy the config into the container:
```yaml
run: |
  mkdir root-config
  cp -r ~/.gitconfig ~/.ssh root-config/
  docker build ... .
```
And in my Dockerfile:
```dockerfile
COPY root-config /root/
RUN sed 's|/home/runner|/root|g' -i.bak /root/.ssh/config
```
That works, but it feels pretty hacky. I was just wondering if anyone can come up with a better way/wanted to document a way to make it work.
It's unclear how to issue a command on the host once an ssh connection is established. Please provide an example. In the example below, I'd like to run the php command on the host, rather than the action environment.
```yaml
- name: SSH Into Env
  uses: webfactory/[email protected]
  with:
    ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
- name: Remotely Create Symbolic Link for Storage
  run: php artisan storage:link
```
The below regex does not allow capital letters:
Line 53 in 4b6f4eb
This, combined with no console output, can leave the script only performing part of its functionality which may leave some users confused.
I see a few potential remedies here but I'm less familiar with the tool, so wanted to get some input.
It seems we could:
`ToLower()` on the key prior to processing it in the regex

I'll submit PRs for all three options in case you have a preference for one or the other. Also, please let me know if I'm misunderstanding the problem here.
When I want to use your action on macOS environment it produces the following error.
```
Run webfactory/[email protected]
with:
  ssh-private-key: ***
  ssh-auth-sock: /tmp/ssh-auth.sock
Adding GitHub.com keys to /home/runner/ssh_known_hosts
##[error]ENOENT: no such file or directory, mkdir '/home/runner/.ssh'
##[error]Node run failed with exit code 1
```
By scanning through the README file and existing issues, I understand that this is probably not an issue with `ssh-agent`. However, I still couldn't make it work after several attempts.
I want to take advantage of this action to copy test data from my local server.
By following the procedures, first I have
```yaml
steps:
  - uses: actions/checkout@v2
  - uses: webfactory/[email protected]
    with:
      ssh-private-key: ${{ secrets.CI_PRIVATE_KEY }}
  - name: Reference data
    run: |
      scp -o 'ProxyCommand ssh [email protected] -W %h:%p' username@server2:filename .
      cat filename
```
The private keys should have been properly set, and public keys are added both to the proxy and actual servers.
The runlog first displays
```
Run webfactory/[email protected]
Adding GitHub.com keys to /home/runner/.ssh/known_hosts
Starting ssh-agent
Adding private key to agent
Identity added: (stdin) (username@legion5)
Keys added:
256 SHA256:JP1loMqqwOspXFAwP44oeAbuaUV/OlATxEPxrEwOcDs username@legion5 (ED25519)
```
and then
```
Run scp -o 'ProxyCommand ssh username@server1 -W %h:%p' username@server2:filename .
Host key verification failed.
ssh_exchange_identification: Connection closed by remote host
Error: Process completed with exit code 1.
```
After some search, the general suggestion I found for dealing with the `Host key verification failed` msg was by using `ssh-keygen`, but I had no luck in a successful attempt. Can you kindly offer me some help?
Thanks!
actions config
```yaml
runs-on: ubuntu-latest
container:
  image: elixir:1.9.1-slim
env:
  MIX_ENV: test
steps:
  - name: Checkout
    uses: actions/checkout@v1
  - name: create SSH key
    uses: webfactory/[email protected]
    with:
      ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
  - name: Install Dependencies
    run: |
      git clone [email protected]:zhulinpinyu/sf.git
```
error log:
```
Run git clone [email protected]:zhulinpinyu/sf.git
git clone [email protected]:zhulinpinyu/sf.git
shell: sh -e {0}
env:
  SSH_AUTH_SOCK: /tmp/ssh-auth.sock
Cloning into 'sf'...
ssh_askpass: exec(/usr/lib/ssh/ssh-askpass): No such file or directory
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
##[error]Process completed with exit code 128.
```
Solution: #25 (comment)
Thanks @stevie-
Using GitHub deploy keys as described in the README file does not work in Windows. Using "plain" keys (i. e. without the repo mapping provided in the comment) works, but you might be limited in how many of these keys can be tried before the remote server aborts the connection.
When deploy keys are used, this action writes the public key information (as shown by `ssh-add -L`) into a file, and configures SSH via `IdentityFile` to use this identity when connecting to the host. Also, `IdentitiesOnly` is turned on to try only the particular key.
On Linux systems (at least, the Ubuntu-based virtual action environments) and OS X, this works: It identifies the key to use via the public key part, but fetches the key from the SSH Agent.
On Windows, it fails. Here's the output from the `ssh -v` level:
debug1: Will attempt key: C:\\Users\\runneradmin/.ssh/5965bf89ab6e2900262e3f6802dfb4d65cb0de539d0fbb97d381e7130a4ba7e9 ED25519 SHA256:phogSrSHUbBX0b8klUZDZrXx68sb1gat5rDrA67VX4Y explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: C:\\Users\\runneradmin/.ssh/5965bf89ab6e2900262e3f6802dfb4d65cb0de539d0fbb97d381e7130a4ba7e9 ED25519 SHA256:phogSrSHUbBX0b8klUZDZrXx68sb1gat5rDrA67VX4Y explicit
debug1: Server accepts key: C:\\Users\\runneradmin/.ssh/5965bf89ab6e2900262e3f6802dfb4d65cb0de539d0fbb97d381e7130a4ba7e9 ED25519 SHA256:phogSrSHUbBX0b8klUZDZrXx68sb1gat5rDrA67VX4Y explicit
Load key "C:\\Users\\runneradmin/.ssh/5965bf89ab6e2900262e3f6802dfb4d65cb0de539d0fbb97d381e7130a4ba7e9": invalid format
As you can see, SSH on Windows complains that the key is in an invalid format. This is because the file contains the public key part, but `IdentityFile` should point to a private key file.
There is a bug report over at PowerShell/Win32-OpenSSH#1550 which describes that `IdentitiesOnly` will make SSH ignore keys from the SSH Agent. However, removing `IdentitiesOnly` in this action here does not solve or work around the issue. So, the two things might be related, but it's not exactly the same problem.
One way of working around this would be to write the private key files to disk (at least under Windows), so that `ssh` can pick the right identity from the file. Writing keys to disk or file, however, is something this action has tried to avoid in the first place: With keys on disk, any subsequent action or process might read/steal the key. With the current action design, the private keys are passed right from GitHub Secrets into the `ssh-agent` process and cannot be recovered from there later on. So, I'm a bit reluctant to make this change.
I can raise an issue over at https://github.com/PowerShell/Win32-OpenSSH/, however I have no idea if this is the right place to report, how quickly the issue could be fixed and when an update would make it into virtual Windows environments.
Hey there!
Thanks for the great action.
Do you have any opinion on the best way to use this action with docker volumes?
I'm doing this but would like to know if there is a better way?
```yaml
on: push
name: "Test"
jobs:
  build:
    name: "Test"
    runs-on: ubuntu-latest
    steps:
      - name: "Install SSH Key"
        uses: webfactory/[email protected]
        with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
      - name: "Test"
        run: |
          docker run --rm \
            -v $SSH_AUTH_SOCK:/ssh-agent -v ~/.ssh/known_hosts:/root/.ssh/known_hosts -e SSH_AUTH_SOCK=/ssh-agent \
            image \
            bash -c "ssh-add -l && ssh -T [email protected]"
```
Thanks!
Hello,
I am still facing a fatal error after using webfactory/ssh-agent
```
fatal: repository 'https://github.com/mycompany/mycompany-package.git/' not found
```
This is my deploy flow
```yaml
name: CI Dev
on:
  push:
    branches: [ develop ]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Set SSH Key Agent
        uses: webfactory/[email protected]
        with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
      - uses: actions/checkout@v2
      - name: Install node modules
        run: yarn
```
This is package.json
```json
{
  ...
  "mycompany-package": "git+https://github.com/mycompany/mycompany-package.git",
  ....
}
```
Please help!
Today I started getting the following error when using `ssh-agent` to set an `ssh-private-key`:
Error: Unable to process command '::set-env name=SSH_AUTH_SOCK::/tmp/ssh-pt8h3REXijrf/agent.2441' successfully.
Error: The `set-env` command is disabled. Please upgrade to using Environment Files or opt into unsecure command execution by setting the `ACTIONS_ALLOW_UNSECURE_COMMANDS` environment variable to `true`. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
Error: Unable to process command '::set-env name=SSH_AGENT_PID::2442' successfully.
Error: The `set-env` command is disabled. Please upgrade to using Environment Files or opt into unsecure command execution by setting the `ACTIONS_ALLOW_UNSECURE_COMMANDS` environment variable to `true`. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
Will this action now no longer be able to work?
I am trying to install 2 or more private GitHub repositories as an NPM dependency to another project.
In my `package.json` file, I have dependencies from GitHub in the following format:
```
"***-plugin": "git+ssh://[email protected]:***/******.git#1bdfa1248fe92b4ba239aca37c686c72898ccab5",
```
The following is a part of my github action yml file:
```yaml
- name: Setup SSH Keys and known_hosts
  uses: webfactory/[email protected]
  with:
    ssh-private-key: |
      ${{ secrets.SSH_PRIVATE_KEY }}
      ${{ secrets.ANOTHER_SSH_PRIVATE_KEY }}
```
The `SSH_PRIVATE_KEY`s are added as deploy keys to this repo.
In the next step, I try to run `npm install`.
Now based on the order of the private keys, only one of these dependencies installs successfully.
I have tried to change the order of these ssh keys, which changes the dependency that cannot be installed.
Is it possible to use deploy keys to access both the private repositories in this case?
Let me know if you need more information.
It works fine with multiple repos as documented. However, if there are repos with LFS, it would fail.
One work around is to disable LFS by setting `GIT_LFS_SKIP_SMUDGE` environment variable to 1.
But there are circumstances where LFS is really needed to obtain large files. Is there plan to support this?
First of all, thanks for this GH-Action :-)
I'm using this action twice in my workflow because using a ssh-agent with multiple keys doesn't seem to work with the Gradle-plugin I'm using to push some data to Git-Repositories over ssh.
```yaml
[...]
- uses: webfactory/[email protected]
  with:
    ssh-private-key: ${{ secrets.WORKFLOW_SSH_KEY }}
  continue-on-error: true
- name: Push data, if there are any changes
  run: ./gradlew gitPublishPush --info
- uses: webfactory/[email protected]
  with:
    ssh-private-key: ${{ secrets.WORKFLOW_SSH_KEY_ARCHIV_REPO }}
  continue-on-error: true
- name: Archive the PDFs in a private repo
  run: ./gradlew -b archive.gradle.kts gitPublishPush --info
```
This works fine, but I have to use `continue-on-error` because otherwise, the second post-run-action (which belongs to the first ssh-agent) fails:
Can I somehow trigger the post-run action manually at an earlier step?
Otherwise, I suggest to check in `cleanup.js`, if the process is already killed.
Line 7 in 8789658
This might be obvious, but I'm having a lot of trouble using an SSH key (a deploy key) using this action. I have the following workflow (fragment):
```yaml
- uses: webfactory/[email protected]
  with:
    ssh-private-key: ${{ secrets.DeployKey }}
- name: Checkout the other repository
  run: |
    git clone [email protected]:Org/RepoName.git
```
However that gives me:
```
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
```
I know the deploy key works, and I also know it's correctly inserted as a secret. Any idea why this might be happening?
When using this github action on windows it's not happy as of two days ago.
I currently get the error
unable to start ssh-agent service, error :1058
I am currently trying to figure out what changed on windows 2019 on github actions ...
Hi there,
I'm trying to fetch private repo as a dependency in GitHub Actions for an Elixir/Phoenix application.
- `ssh-keygen -t ed25519 -a 100 -f /home/ryan/.ssh/github_actions` command and without any passphrase
- `xclip -sel clip < ~/.ssh/github_actions` and pasted the content in the `secret` config of the GitHub repository where I wish to run the GitHub Actions with the title `SSH_PRIVATE_KEY`
- `xclip -sel clip < ~/.ssh/github_actions.pub` and pasted the content in the `deploy_key` config of GitHub under the title `GITHUB_ACTIONS_DEPLOY_KEYS`
```yaml
- uses: webfactory/[email protected]
  with:
    ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
```
```
Load key "/home/runner/.ssh/id_rsa": invalid format
[email protected]: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
** (Mix) Command "git --git-dir=.git fetch --force --quiet --progress" failed
##[error]Process completed with exit code 1.
```
Apparently, the key format is wrong. Which key format should be used?
Not really clear if I'm doing something wrong but I can't push to my remote because key does not exist.
I would expect that key is added to `/home/runner/.ssh/id_rsa` and then used from there, but that doesn't seem to be the case.
Any help appreciated, below is my output.
Adding keys:
Run webfactory/[email protected]
4096 SHA256:Ogd8/KGgSFwKpL4mfmEZFBesrshP5P9SYSQzDBQMfHg (stdin) (RSA)
Run webfactory/[email protected]
with:
ssh-private-key: ***
Adding GitHub.com keys to /home/runner/.ssh/known_hosts
Starting ssh-agent
Adding private key to agent
Identity added: (stdin) ((stdin))
Keys added:
4096 SHA256:Ogd8/KGgSFwKpL4mfmEZFBesrshP5P9SYSQzDBQMfHg (stdin) (RSA)
Check if file exists in `~/.ssh/`, not there..
```
Run ls -al ~/.ssh/
total 12
drwxr-xr-x 2 runner docker 4096 Sep 7 10:05 .
drwxrwxrwx 11 runner docker 4096 Sep 7 10:05 ..
-rw-r--r-- 1 runner docker 994 Sep 7 10:05 known_hosts
```
Check if file exists in `/home/runner/.ssh/`, not there..
```
Run ls -al /home/runner/.ssh/
total 12
drwxr-xr-x 2 runner docker 4096 Sep 7 10:05 .
drwxrwxrwx 11 runner docker 4096 Sep 7 10:05 ..
-rw-r--r-- 1 runner docker 994 Sep 7 10:05 known_hosts
```
Running git push host:branch
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_ed25519-cert type -1
Hi @mpdude,
I am trying to use `v0.4.1` but it is unable to find by github actions then I tried for the previous version `v0.4.0` but it is not working also because `--set-env:` is being deprecated by github.
Thanks for providing this action, I am a very happy user!
I have recently stumbled across an issue on Windows with one of my use cases: I am using the action to set up a private key, which I then use to copy large, non-public files with `scp` from a VM hosted at my institution to the GitHub runner. The workflow works fine on Linux. On Windows, the action itself is successful, but the `scp` operation in a subsequent step fails with `Permission denied (publickey).`.
After reading carefully through #63 I was able to actually fix the problem by replacing my plain usage of `scp` on Windows with `c://progra~1//git//usr//bin//scp.exe`. I am happy to have found this fix, but I really do not like it. I would prefer it if this action could modify the environment such that the correct versions of SSH-related executables are picked up. I can imagine this in both an implicit way (like modifying path variables) or an explicit way (like export e.g. an `SCP_BIN` environment variable for the user to use).
Feel free to ignore and close this if you consider it out of scope of the action.
subsequent builds fail with:
```
Run webfactory/[email protected]
##[error]Node run failed with exit code 1
Run webfactory/[email protected]
Adding GitHub.com keys to undefined/.ssh/known_hosts
Starting ssh-agent
bind: Address already in use
unix_listener: cannot bind to path: /tmp/ssh-auth.sock
##[error]Command failed: ssh-agent -a /tmp/ssh-auth.sock
bind: Address already in use
unix_listener: cannot bind to path: /tmp/ssh-auth.sock
##[error]Node run failed with exit code 1
```
This is on a local github-runners, which are not ephemeral. Cleaning up the /tmp/ssh-auth.sock manually resolves this problem temporarily.
Not sure if I'm using it wrong but I don't think so.
Also verified that the key added as secret in Github is actually working.
Can anyone that's using this action confirm if it's still working?
It took me forever to figure out, why this action doesn't work if I run the whole workflow inside a container.
The problem is that the Github Action somehow changes/sets the `HOME` variable inside the container so that the `~/.ssh/known_hosts` file is at a wrong location.
This action puts the Github PubKeys inside `~/.ssh/known_hosts` which is in the home path of the runner. But the running container normally runs as `root` so ssh looks for `/root/.ssh/known_hosts` which doesn't exist.
Copying the `known_hosts` to this location if the workflow is running inside Docker solves the problem. As I am a total Node noob I just played around with the `dist/index.js` file, but putting the following snippet after creating the `known_hosts` file the SSH agent also works inside docker:
```js
// Relies on fs, child_process and homeSsh as already defined in dist/index.js.
// Runs only inside a Docker container (/.dockerenv exists) as uid 0.
if (fs.existsSync('/.dockerenv') && child_process.execFileSync('id', ['-u']).toString().trim() === '0') {
    fs.mkdirSync('/root/.ssh', { recursive: true });
    fs.copyFileSync(`${homeSsh}/known_hosts`, '/root/.ssh/known_hosts');
}
```
I'm not sure if that somehow breaks running the action in Windows because in Windows there is no `id` command. But that shouldn't be a problem because Github Actions currently doesn't allow running non-Linux containers. Also, I don't know if the `root` check is even necessary because probably all containers run as root.
Would it be possible to add this snippet to your action so Docker users can also use it? :)
Hi,
I'm trying to build my docker image (it runs like a charm locally). Locally, I pass docker build args with my private and public key (this key is on the second repo). When yarn install calls the private repo, I get a "not authorized".
My config:
```yaml
name: Docker Image CI (posts@v1)
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - name: webfactory/ssh-agent
        uses: webfactory/[email protected]
        with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
      - name: Build the Docker image
        run: docker build --build-arg ssh_prv_key="$(cat key)" --build-arg ssh_pub_key="$(cat key.pub)" . --file Dockerfile --tag mydockerimage/image:$(date +%s)
```
This action above fails.
This action below, fails too.
What did I do wrong?
Thanks
Fabio
Hi, any idea why I have this error?
```
Adding GitHub.com keys to /github/home/.ssh/known_hosts
Starting ssh-agent
Error: spawnSync ssh-agent ENOENT
```
Thank you !
A moderate security vulnerability has been identified in the GitHub Actions runner that can allow environment variable and path injection in workflows that log untrusted data to stdout.
Action authors who are using the toolkit should update the @actions/core package to v1.2.6 or greater to get the updated addPath and exportVariable functions.
Action and workflow authors who are setting environment variables via stdout should update any usage of the set-env and add-path workflow commands to use the new environment files.
https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
I didn't see anything on this repo discussing this, so I thought I'd bring this to your attention if you hadn't noticed yet. I noticed a warning on my builds regarding the use of this action and the set-env command it's doing.
I have followed the guide to setup a deploy key on a private git repo for a Swift Package.
I generated new SSH in the private SP repo using this command: ssh-keygen -b 4096 -t rsa -N "" -f key -C "[email protected]:my-org/my-swift-package-repo.git"
I have added the .ssh/key files (private/public) and the config file with GitHub.com host to the private SP repo.
I have added the public key as a deploy key on the private SP repo.
I have added the private key as a secret on the other repo that has an app using the SP as a dependency.
No matter what, I get this error:
Comment for key '' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.
xcodebuild: error: Could not resolve package dependencies:
10
The remote repository could not be accessed. Make sure a valid repository exists at the specified location and that the correct credentials have been supplied.
Here is my yaml:
```yaml
- name: Set SSH Key for remote host
  uses: webfactory/[email protected]
  with:
    ssh-private-key: ${{ secrets.SPM_SSH_PUBLIC_KEY }}
```
Any help would be greatly appreciated!
Make sure you don't have a passphrase set on the private key.
Any thoughts on adding support keys with passphrases?
I can't use this for our company, as it dumps potentially sensitive private keys straight to the logs.
Unfortunately, it not only exposes them, but also reformats them, meaning the inbuilt github secret masking doesn't catch it.
Followed directions exactly as stated in README but can not get this to work.
Full YAML: https://github.com/Skillz4Killz/gamer-eris/blob/master/.github/workflows/nodejs.yml
This is the error that appears
EDIT: Had an issue with the SSH_PRIVATE_KEY.
I struggled to get Go private modules working and wanted to share my workaround in case it's helpful or the changes can be incorporated. Basically the default .gitconfig
generated when using commented keys doesn't seem to work with go get
and related commands.
The tl;dr is I need the config to go from this:
[url "git@d5ec..:my-org/my-repo.git"]
insteadOf = https://github.com/my-org/my-repo.git
...
to
[url "ssh://git@d5ec.../my-org/my-repo"]
insteadOf = https://github.com/my-org/my-repo
...
The key differences being:
.git
ssh://
formatted. i.e., first :
-> /
, and the scheme.The reason for this seems to be that go interacts with git by specifying the origin as https://github.com/my-org/my-repo
, which works, but won't match the longer (arguably more correct) URL you've put in the config. e.g., internally go is doing git remote add origin -- https://github.com/my-org/my-repo
without a trailing slash or .git
.
I'm currently working around this with this sed script:
sed -i.bak -re '
s|(insteadOf.*https://.*)\.git$|\1|g
s|\[url "(git@[^:]*]?):(.*?)\.git"\]$|[url "ssh://\1/\2"]|g' ~/.gitconfig
NOTE: For anyone else trying to get this working, you will also need GOPRIVATE=github.com/my-org/* as an environment variable.
I struggle to get this to work with pm2.
I have created a new SSH key, added it as deploy key in my repo where the action runs. Added it as a secret in the repo too.
That's the output:
[PM2] Spawning PM2 daemon with pm2_home=/home/runner/.pm2
[PM2] PM2 Successfully daemonized
--> Deploying to production environment
--> on host xxxx
fatal: HEAD does not point to a branch
○ deploying origin/master
○ executing pre-deploy-local
○ hook pre-deploy
Host key verification failed.
○ fetching updates
○ full fetch
Host key verification failed.
fetch failed
The action's usage can be reviewed here
And my pm2 ecosystem file
Error loading key "(stdin)": invalid format
Error: Command failed: ssh-add -
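Added example, not part of the original thread and not the action's own code: a preflight check that classifies a key file by its structure before it is handed to ssh-add, covering common causes of the "invalid format" failure above and the passphrase case mentioned earlier, without ever printing key material. The function names check_key and make_sample are hypothetical, and the sample files are constructed here and are not real keys.

```shell
#!/bin/sh
# Added example: classify a private-key file before it reaches ssh-add.
# Prints a diagnosis word only, never key material. Returns 0 only for "ok".
check_key() {
  f=$1
  first=$(head -n 1 "$f" | tr -d '\r')
  case $first in
    ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) echo public-key; return 1 ;;
    "-----BEGIN "*"PRIVATE KEY-----") ;;
    *) echo no-pem-header; return 1 ;;
  esac
  if grep -q "$(printf '\r')" "$f"; then echo crlf-line-endings; return 1; fi
  if ! grep -q '^-----END .*PRIVATE KEY-----$' "$f"; then echo truncated; return 1; fi
  if [ $(tail -c 1 "$f" | wc -l) -ne 1 ]; then echo no-trailing-newline; return 1; fi
  # Legacy PEM and PKCS#8 keys announce encryption in plain text.
  if grep -q -e '^Proc-Type: 4,ENCRYPTED' -e '^-----BEGIN ENCRYPTED PRIVATE KEY' "$f"; then
    echo passphrase-protected; return 1
  fi
  if [ "$first" = "-----BEGIN OPENSSH PRIVATE KEY-----" ]; then
    # openssh-key-v1 body: 15-byte magic "openssh-key-v1\0", a 4-byte length,
    # then the cipher name, which is "none" for an unencrypted key.
    cipher=$(grep -v '^-----' "$f" | base64 -d 2>/dev/null | dd bs=1 skip=19 count=4 2>/dev/null)
    if [ "$cipher" != none ]; then echo passphrase-protected; return 1; fi
  fi
  echo ok
}

# Constructed sample with the openssh-key-v1 header layout; not a real key.
# make_sample OCTAL_NAME_LENGTH CIPHER_NAME OUTFILE
make_sample() {
  {
    echo '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf "openssh-key-v1\000\000\000\000\\$1%s" "$2" | base64
    echo '-----END OPENSSH PRIVATE KEY-----'
  } > "$3"
}

# Demo on constructed inputs.
tmp=$(mktemp -d)
make_sample 004 none "$tmp/plain"
make_sample 012 aes256-ctr "$tmp/locked"
echo 'ssh-ed25519 AAAA...constructed-placeholder deploy@example' > "$tmp/pub"
for k in plain locked pub; do
  printf '%s: %s\n' "$k" "$(check_key "$tmp/$k")"
done
```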
https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
Hi, I have been having an issue today with this error: Command failed: ssh-add -. I have been using this action for a long time and never had a problem, could you help me debug what's wrong?
Here is my workflow file:
name: Test Registry packace
on:
  push:
    branches:
      - master
  repository_dispatch:
jobs:
  publish:
    runs-on: ubuntu-latest
    name: Publish on the server
    steps:
      - name: Check out the repo
        uses: actions/[email protected]
      - name: Login to GitHub Packages Docker Registry
        uses: docker/login-action@v1
        with:
          registry: docker.pkg.github.com
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set SSH key for remote host
        uses: webfactory/[email protected]
        with:
          ssh-private-key: ${{ secrets.DO_SSH_KEY }}
      - name: Create a docker context for remote machine
        run: docker context create digital_ocean --docker="host=${{secrets.DO_HOST}}"
      - name: Launch new configuration
        run: docker-compose --context digital_ocean -f docker-compose.prod.yml up -d --build --force-recreate
      - name: Logout from docker
        run: docker logout
And here is the error I got.
Hi there,
I'm trying to fetch multiple private repos as dependencies in GitHub Actions for a node/npm application. I'll be upfront, I'm not very knowledgeable on ssh keys and ssh authentication in general but I have done a lot of testing to try to debug where I'm going wrong. I'll outline steps I've taken and troubleshooting and results:
A using: ssh-keygen -t ed25519 -a 100 -f ~/.ssh/keys/A - this was generated without passphrase - I ran into that issue at first
A.pub into the A repo's Deploy Keys and then added the url in the comment field instead of the local identifier that was added to the comments during the keygen process. So the value was something along the lines of ssh-ed25510 *redacted* https://github.com/organization/A
A into a secret within Repo C for Github Actions and named it A_PRIVATE_KEY
keygen the same way for B
B.pub into B Deploy Keys and then added url to comment field resulting in something like: ssh-ed25510 *redacted* https://github.com/organization/B
B into a secret within Repo C for Github Actions and named it B_PRIVATE_KEY
npm ci but fails with "ERROR: Repository not found." which I assume is specifically failing to authenticate
- uses: webfactory/[email protected]
  with:
    ssh-private-key: |
      ${{ secrets.A_PRIVATE_KEY }}
      ${{ secrets.B_PRIVATE_KEY }}
A key, success with A repo but fails installing B repo.
Key(s) added:
256 SHA256:/*redacted* [email protected] (ED25519)
256 SHA256:*redacted* [email protected] (ED25519)
Configuring deployment key(s)
Things that seem strange about this:
collinb@ with the url of each private repo in the public keys within each private dependency A and B.
Configuring deployment keys(s) and then it's sort of a silent failure. I did test the regex used to make sure I didn't have some sort of incorrect format and the format I was using https://github.com/organization/A was properly matching.
fatal: could not read Username for 'https://github.com': No such device or address
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: webfactory/[email protected]
        with:
          ssh-private-key: |
            ${{ secrets.B_PRIVATE_KEY }}
            ${{ secrets.A_PRIVATE_KEY }}
      - name: Test Clone
        run: |
          git clone https://github.com/organization/A.git test-fc-http
          git clone [email protected]:organization/A.git test-fc-git
          git clone ssh://[email protected]/organization/A.git test-fc-git-ssh
I have been able to successfully install doing
- uses: webfactory/[email protected]
  with:
    ssh-private-key: ${{ secrets.A_PRIVATE_KEY }}
- name: Debugging with Git Clone 1
  run: git clone ssh://[email protected]/organization/A.git test-a-http
in other repositories but for some reason I am really struggling to get the multiple deploy key setup to work for the private github repositories using npm install.
collinb@ it will authenticate. I am pretty confident my issue lies in how I've generated the keys or configured my keys with the url and am unsure of my mistake.
I'm wondering if you might have any insight or steps that I can try out to try to get this to work on my end or point to how I've misconfigured the keys?
Thanks so much!
When running workflows containing the action the following warning is displayed
"The set-env command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/"
Unable to process command '##[set-env name=SSH_AUTH_SOCK;]/tmp/ssh-auth.sock' successfully.
Error: The add-path command is deprecated and will be disabled on November 16th. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
Self explanatory, thanks
Can I pass a passphrase to the action ?
Doesn't it make sense to add ability to add host keys to ~/.ssh/known_hosts? From what I can see the alternative solution allows this. And you add GitHub host keys to the file anyway.
A workaround:
- name: Add the host key
  run: |
    line='example.com,xx.xxx.xx.xxx ssh-rsa AAAA...kMIR'
    echo "$line" >> ~/.ssh/known_hosts