
ssh-agent's People

Contributors

ad-m, archen, benzado, bigearsenal, camilo-celis, cecton, dependabot[bot], dilumaluthge, dwalkes, felix-seifert, j-riebe, jieter, jmandel, johnhamelink, jrmash, kjarkur, koshieguchi, maciejp-ro, mjhipp, mpdude, npwolf, ochococo, prhiggins, rorcores, ryanzidago, sebastiankugler, shashank11p, the-mikedavis, thommyhh, typeoneerror


ssh-agent's Issues

ssh-agent not starting on container based workflow

I am running a workflow on ubuntu-20.04 with container centos:7.

job-name:
    runs-on: ubuntu-20.04
    container:
      image: centos:7
    steps:
      - uses: webfactory/[email protected]
        with:
          ssh-private-key: |
            ${{ secrets.SSH_KEY }}
            ${{ secrets.SSH_KEY_2 }}

I get this error while starting the ssh-agent.

Adding GitHub.com keys to /root/.ssh/known_hosts
Starting ssh-agent
Error: spawnSync ssh-agent ENOENT

Can someone help me fix this?

SSH fingerprint failed to verify

I have set up an Xcode project with a private repository as a dependency using Swift Package Manager. Therefore I have to add the SSH key for the dependency. Cloning the repository in a GitHub Action step is working well, but when I try to build the app in a step with xcodebuild I get the following error:

xcodebuild: error: Could not resolve package dependencies: The server SSH fingerprint failed to verify.

Self-Hosted Agent Problem

On a self-hosted agent instance, an error pops up after building once. The second build shows this:

Run webfactory/[email protected]
bind: Address already in use
Adding GitHub.com keys to /root/.ssh/known_hosts
unix_listener: cannot bind to path: /tmp/ssh-auth.sock
Starting ssh-agent
##[error]Command failed: ssh-agent -a /tmp/ssh-auth.sock
bind: Address already in use
unix_listener: cannot bind to path: /tmp/ssh-auth.sock

I don't know how I can solve it, do you have an idea?
Best Regards

Comment for key does not match Github URL pattern

I want to access two different private repositories that contain packages for an App. I have created one ssh key for each of the two repos, added the private key to the secrets of the App-Repository and the public keys as deploy keys in the private package repositories.

My workflow looks as follows:

    - uses: webfactory/[email protected]
      with:
          ssh-private-key: |
              ${{ secrets.SSH_PRIVATE_KEY_APISERVICE }}
              ${{ secrets.SSH_PRIVATE_KEY_WIDGETS }}
    
    - run: git clone [email protected]:[organization-name]/[repository-name1]
    
    - run: git clone [email protected]:[organization-name]/[repository-name2]

The public keys look like the following:

ssh-rsa AA[...]Gj [email protected]:[organization-name]/[repository-name1]

Running the workflow produces the following log:

Adding GitHub.com keys to /home/runner/.ssh/known_hosts
Starting ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-To1irqpM9o5v/agent.1571
SSH_AGENT_PID=1572
Adding private key(s) to agent
Identity added: (stdin) ((stdin))
Identity added: (stdin) ((stdin))
Key(s) added:
2048 SHA256:lF6[...]JsM (stdin) (RSA)
2048 SHA256:Wqc[...]FMbA8 (stdin) (RSA)
Configuring deployment key(s)
Comment for key 'ssh-rsa AA[...]Gj (stdin)' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.
Comment for key 'ssh-rsa AA[...]Gb (stdin)' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.
Comment for key '' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.

Afterwards, the first git clone command works as expected, the second one fails with the error:

ERROR: Repository not found.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Error: Process completed with exit code 128.

It's always the second clone command that fails, even if I swap the order in which the repositories are cloned.

I'm stuck and don't know if I am doing something wrong, or if this is some Bug with this Action. Any help is very appreciated!

Host key verification failed

Hey again, seems like I keep on bumping into your actions 👋🏻

I've tried adding this, and I get a successful message

Starting ssh-agent
Adding private key to agent
Identity added: (stdin)

However, when trying to do a clone or submodule init, I get this:

Host key verification failed.
fatal: Could not read from remote repository.

I've tried cloning the repo using the key, and it works on my machine. I've seen a note in keyscan but I'm not really sure if it's the correct command

I used this to no avail
ssh-keyscan -t rsa bitbucket.org | ssh-keygen -lf -

Unable to get this action to work

I've spent today trying to get this GitHub action working but no matter what I try it doesn't do anything.

It appears to me as if the steps are no longer connected. For completeness, here's my workflow file.

deploy.yml

[...]
  steps:
  - uses: actions/checkout@v1
  - uses: webfactory/[email protected]
    with:
      ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
  - name: 'SSH: trust host'
    run: for ip in $(dig @1.1.1.1 ${DEPLOY_HOST} +short); do ssh-keyscan ${DEPLOY_HOST},$ip; ssh-keyscan $ip; done 2>/dev/null >> ~/.ssh/known_hosts
    env:
      DEPLOY_HOST: "my-private-host.com"
  - name: "synoa/github-action-git-exec"
    uses: synoa/github-action-git-exec@master
    with:
      git_cmd: "git push user@${DEPLOY_HOST}:/path/to/my/repo.git HEAD:master"           
    env:
      GIT_SSH_COMMAND: "ssh -vvv -o StrictHostKeyChecking=no"
      SSH_AUTH_SOCK: "/tmp/ssh-auth.sock"
      DEPLOY_HOST: "my-private-host.com"

synoa/github-action-git-exec just executes a shell command (see https://github.com/synoa/github-action-git-exec/blob/master/entrypoint.sh#L4).

I've attached an execution log from one of the failed executions:
github-action.log

I've had a lot of "Host verification failed" issues, which according to #6 (comment) can be fixed by adding a script that adds the Host to the known hosts file - this didn't work as well so I highly speculate that GitHub Actions no longer shares its "state" between steps.

When I change my Action to run the following script I can login and push to my remote server without any issues:

[...]
    - name: "synoa/github-action-git-exec"
      uses: synoa/github-action-git-exec@master
      with:
        git_cmd: "mkdir /root/.ssh && echo \"${{ secrets.SSH_PRIVATE_KEY }}\" >  /root/.ssh/id_rsa && chmod 400 /root/.ssh/id_rsa && git push synoa@${DEPLOY_HOST}:/path/to/my/repo.git HEAD:master"           
      env:
        GIT_SSH_COMMAND: "ssh -vvv -o StrictHostKeyChecking=no"
        DEPLOY_HOST: "my-private-host.com"

This command works fine, but adding the same key using this action does not work.

If I can help in any way, please let me know!

Support passphrases

The motivation for this issue is well related to #36.

In my case, having this action support passphrases would allow me to use this action prior to running a binary (Terraform) that will clone additional GitHub repositories. Those repositories are private and are in an organization that requires SSH keys to have passphrases as a SAML policy.

If supporting it is really out of scope, could you please shed me some light on workarounds for this scenario?

Thanks in advance and great job!

Leaks private key in build logs

When I build I get the following text in the actions log:

Adding private key(s) to agent
Key(s) added:
3072 SHA256:sgR7...Z7qM [email protected] (RSA)
Configuring deployment key(s)
Comment for key 'ssh-rsa AA...iNk= [email protected]' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.

The key was added to ssh-agent and functionality is correct (I'm not using it as a deploy key), but the full text of the private key is leaked in the build logs. Please fix?

Multiple Deploy Keys in docker build fails

Not exactly a bug, but I found it challenging to find a solution that works with docker build when using multiple deploy keys. The reason seems to be that the build container doesn't have the ssh and git config necessary to map the right key to the right repo.

For example:

      - name: Setup SSH
        uses: webfactory/[email protected]
        with:
          ssh-private-key: |
            ${{ secrets.DEPLOY_KEY_A }}
            ${{ secrets.DEPLOY_KEY_B }}
      - name: Works Well!
        run: |
          git clone github.com/me/private-repo-a
          git clone github.com/me/private-repo-b
      - name: Doesn't work :(
        run: |
          cat > Dockerfile <<EOF
          FROM debian
          RUN --mount=type=ssh git clone github.com/me/private-repo-a
          RUN --mount=type=ssh git clone github.com/me/private-repo-b
          EOF
          docker build --ssh default .

The docker build has access to the keys, but it doesn't use the right one for each repo, so one of the checkouts will fail.

My solution was to copy the config into the container:

run: |
  mkdir root-config
  cp -r ~/.gitconfig  ~/.ssh root-config/
  docker build ... .

And in my Dockerfile:

COPY root-config /root/
RUN sed 's|/home/runner|/root|g' -i.bak /root/.ssh/config

That works, but it feels pretty hacky. I was just wondering if anyone can come up with a better way/wanted to document a way to make it work.

Example Usage is Unclear

It's unclear how to issue a command on the host once an ssh connection is established. Please provide an example. In the example below, I'd like to run the php command on the host, rather than the action environment.

    - name: SSH Into Env
      uses: webfactory/[email protected]
      with:
        ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
    - name: Remotely Create Symbolic Link for Storage
      run: php artisan storage:link


git URLs with capitalized letters (e.g. GitHub repos) not processed by the script

The below regex does not allow capital letters:

const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/);

This, combined with no console output, can leave the script only performing part of its functionality which may leave some users confused.

I see a few potential remedies here but I'm less familiar with the tool, so wanted to get some input.

It seems we could:

  • Adjust the regex to allow capital letters
  • Call ToLower() on the key prior to processing it in the regex
  • Be explicit about keys not matching and ensuring that we publish a message stating why.

I'll submit PRs for all three options in case you have a preference for one or the other. Also, please let me know if I'm misunderstanding the problem here.
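
The behaviour described in this issue, as an added example that is not part of the original issue or of the action's code: it runs the quoted pattern over constructed key comments and compares the three proposed remedies. The helper names and sample comments are assumptions for illustration, and the third sample goes beyond the report by showing a capital letter in the middle of a repository name producing a silently truncated match.

```javascript
// Added example, not the action's own code. All key comments are constructed.

// The pattern quoted in the issue: lower-case character classes only.
const ORIGINAL = /\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/;

// Remedy 1 from the issue: the same pattern, matched case-insensitively.
const CASE_INSENSITIVE = new RegExp(ORIGINAL.source, 'i');

// Characters that can still belong to an owner/repo name. If one of them
// directly follows the match, the pattern stopped in the middle of the name.
const NAME_CHAR = /^[_.A-Za-z0-9-]/;

// Hypothetical helper: classify what a pattern extracts from a key comment.
function parseKeyComment(comment, pattern) {
  const parts = comment.match(pattern);
  if (!parts) {
    return { status: 'no-match', ownerAndRepo: null };
  }
  const rest = comment.slice(parts.index + parts[0].length);
  const status = NAME_CHAR.test(rest) ? 'truncated' : 'ok';
  return { status, ownerAndRepo: parts[1] };
}

// Remedy 2 from the issue: lower-case the comment, keep the original pattern.
function parseLowercased(comment) {
  return parseKeyComment(comment.toLowerCase(), ORIGINAL);
}

// Remedy 3 from the issue: always say why a key was or was not mapped.
function describe(comment, result) {
  switch (result.status) {
    case 'ok':
      return `Key comment '${comment}' mapped to ${result.ownerAndRepo}`;
    case 'truncated':
      return `Key comment '${comment}' only partially matched ` +
        `(${result.ownerAndRepo}); the key would be mapped to the wrong repository`;
    default:
      return `Key comment '${comment}' does not match the GitHub URL pattern`;
  }
}

// Constructed sample comments, as they might be set with `ssh-keygen -C`.
const SAMPLES = [
  'git@github.com:example-org/example-repo.git', // all lower case
  'git@github.com:Example-Org/Example-Repo.git', // capital first letters
  'git@github.com:example-org/exampleRepo.git',  // capital inside the name
];

// Run every sample through the original pattern and both code remedies.
function report() {
  return SAMPLES.map((comment) => ({
    comment,
    original: parseKeyComment(comment, ORIGINAL),
    caseInsensitive: parseKeyComment(comment, CASE_INSENSITIVE),
    lowercased: parseLowercased(comment),
  }));
}

for (const row of report()) {
  console.log(describe(row.comment, row.original));
  console.log('  /i flag:     ' + describe(row.comment, row.caseInsensitive));
  console.log('  toLowerCase: ' + describe(row.comment, row.lowercased));
}
```

The two code remedies differ in what they hand on: the `i` flag keeps the owner and repository in their original case, while lower-casing the comment changes the extracted name.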

Invalid Home Directory

When I want to use your action on macOS environment it produces the following error.

Run webfactory/[email protected]
   with:
    ssh-private-key: ***
  
    ssh-auth-sock: /tmp/ssh-auth.sock
Adding GitHub.com keys to /home/runner/ssh_known_hosts
##[error]ENOENT: no such file or directory, mkdir '/home/runner/.ssh'
##[error]Node run failed with exit code 1

Host key verification failed

By scanning through the README file and existing issues, I understand that this is probably not an issue with ssh-agent. However, I still couldn't make it work after several attempts.

I want to take advantage of this action to copy test data from my local server.
By following the procedures, first I have

    steps:
    - uses: actions/checkout@v2
    - uses: webfactory/[email protected]
      with:
        ssh-private-key: ${{ secrets.CI_PRIVATE_KEY }}
    - name: Reference data
      run: |
        scp -o 'ProxyCommand ssh [email protected] -W %h:%p' username@server2:filename .
        cat filename

The private keys should have been properly set, and public keys are added both to the proxy and actual servers.

The runlog first displays

Run webfactory/[email protected]
Adding GitHub.com keys to /home/runner/.ssh/known_hosts
Starting ssh-agent
Adding private key to agent
Identity added: (stdin) (username@legion5)
Keys added:
256 SHA256:JP1loMqqwOspXFAwP44oeAbuaUV/OlATxEPxrEwOcDs username@legion5 (ED25519)

and then

Run scp -o 'ProxyCommand ssh username@server1 -W %h:%p' username@server2:filename .
Host key verification failed.
ssh_exchange_identification: Connection closed by remote host
Error: Process completed with exit code 1.

After some search, the general suggestion I found for dealing with the Host key verification failed msg was by using ssh-keygen, but I had no luck in a successful attempt. Can you kindly offer me some help?

Thanks!

Clone Private Repo failed

actions config

runs-on: ubuntu-latest
container:
      image: elixir:1.9.1-slim
      env:
        MIX_ENV: test
steps:
  - name: Checkout
    uses: actions/checkout@v1
  - name: create SSH key
    uses: webfactory/[email protected]
    with:
      ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
  - name: Install Dependencies
    run: |
        git clone [email protected]:zhulinpinyu/sf.git

error log:

Run git clone [email protected]:zhulinpinyu/sf.git
  git clone [email protected]:zhulinpinyu/sf.git
  shell: sh -e {0}
  env:
    SSH_AUTH_SOCK: /tmp/ssh-auth.sock
Cloning into 'sf'...
ssh_askpass: exec(/usr/lib/ssh/ssh-askpass): No such file or directory
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
##[error]Process completed with exit code 128.

Solution: #25 (comment)

Thanks @stevie-

Deploy keys do not work on Windows

Using GitHub deploy keys as described in the README file does not work in Windows. Using "plain" keys (i. e. without the repo mapping provided in the comment) works, but you might be limited in how many of these keys can be tried before the remote server aborts the connection.

When deploy keys are used, this action writes the public key information (as shown by ssh-add -L) into a file, and configures SSH via IdentityFile to use this identity when connecting to the host. Also, IdentitiesOnly is turned on to try only the particular key.

On Linux systems (at least, the Ubuntu-based virtual action environments) and OS X, this works: It identifies the key to use via the public key part, but fetches the key from the SSH Agent.

On Windows, it fails. Here's the output from the ssh -v level:

debug1: Will attempt key: C:\\Users\\runneradmin/.ssh/5965bf89ab6e2900262e3f6802dfb4d65cb0de539d0fbb97d381e7130a4ba7e9 ED25519 SHA256:phogSrSHUbBX0b8klUZDZrXx68sb1gat5rDrA67VX4Y explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: C:\\Users\\runneradmin/.ssh/5965bf89ab6e2900262e3f6802dfb4d65cb0de539d0fbb97d381e7130a4ba7e9 ED25519 SHA256:phogSrSHUbBX0b8klUZDZrXx68sb1gat5rDrA67VX4Y explicit
debug1: Server accepts key: C:\\Users\\runneradmin/.ssh/5965bf89ab6e2900262e3f6802dfb4d65cb0de539d0fbb97d381e7130a4ba7e9 ED25519 SHA256:phogSrSHUbBX0b8klUZDZrXx68sb1gat5rDrA67VX4Y explicit
Load key "C:\\Users\\runneradmin/.ssh/5965bf89ab6e2900262e3f6802dfb4d65cb0de539d0fbb97d381e7130a4ba7e9": invalid format

As you can see, SSH on Windows complains that the key is in an invalid format. This is because the file contains the public key part, but IdentityFile should point to a private key file.

There is a bug report over at PowerShell/Win32-OpenSSH#1550 which describes that IdentitiesOnly will make SSH ignore keys from the SSH Agent. However, removing IdentitiesOnly in this action here does not solve or work around the issue. So, the two things might be related, but it's not exactly the same problem.

One way of working around this would be to write the private key files to disk (at least under Windows), so that ssh can pick the right identity from the file. Writing keys to disk or file, however, is something this action has tried to avoid in the first place: With keys on disk, any subsequent action or process might read/steal the key. With the current action design, the private keys are passed right from GitHub Secrets into the ssh-agent process and cannot be recovered from there later on. So, I'm a bit reluctant to make this change.

I can raise an issue over at https://github.com/PowerShell/Win32-OpenSSH/, however I have no idea if this is the right place to report, how quickly the issue could be fixed and when an update would make it into virtual Windows environments.

Advised usage for docker integration

Hey there!

Thanks for the great action.
Do you have any opinion on the best way to use this action with docker volumes?

I'm doing this but would like to know if there is a better way?

on: push

name: "Test"

jobs:
  build:
    name: "Test"

    runs-on: ubuntu-latest

    steps:

      - name: "Install SSH Key"
        uses: webfactory/[email protected]
        with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}

      - name: "Test"
        run: |
          docker run --rm \
            -v $SSH_AUTH_SOCK:/ssh-agent -v ~/.ssh/known_hosts:/root/.ssh/known_hosts -e SSH_AUTH_SOCK=/ssh-agent \
            image \
            bash -c "ssh-add -l && ssh -T [email protected]"

Thanks!

Still got error fatal: repository not found

Hello,
I am still facing a fatal error after using webfactory/ssh-agent

fatal: repository 'https://github.com/mycompany/mycompany-package.git/' not found

This is my deploy flow

name: CI Dev

on:
  push:
    branches: [ develop ]

jobs:
  deploy:
    runs-on: ubuntu-latest

    steps:

    - name: Set SSH Key Agent
      uses: webfactory/[email protected]
      with:
        ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}

    - uses: actions/checkout@v2
        
    - name: Install node modules
      run: yarn

This is the error
Screen Shot 0002-05-16 at 18 42 05

This is package.json

{
    ...
    "mycompany-package": "git+https://github.com/mycompany/mycompany-package.git",
    ....
}

Please help!

set-env command is disabled

Today I started getting the following error when using ssh-agent to set an ssh-private-key:

Error: Unable to process command '::set-env name=SSH_AUTH_SOCK::/tmp/ssh-pt8h3REXijrf/agent.2441' successfully.
Error: The `set-env` command is disabled. Please upgrade to using Environment Files or opt into unsecure command execution by setting the `ACTIONS_ALLOW_UNSECURE_COMMANDS` environment variable to `true`. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
Error: Unable to process command '::set-env name=SSH_AGENT_PID::2442' successfully.
Error: The `set-env` command is disabled. Please upgrade to using Environment Files or opt into unsecure command execution by setting the `ACTIONS_ALLOW_UNSECURE_COMMANDS` environment variable to `true`. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/

Will this action now no longer be able to work?

Can we use GitHub deploy keys to get dependencies from multiple private repositories

I am trying to install 2 or more private GitHub repositories as an NPM dependency to another project.

In my package.json file, I have dependencies from GitHub in the following format:

    "***-plugin": "git+ssh://[email protected]:***/******.git#1bdfa1248fe92b4ba239aca37c686c72898ccab5",

The following is a part of my github action yml file:

      - name: Setup SSH Keys and known_hosts
        uses: webfactory/[email protected]
        with:
          ssh-private-key: |
            ${{ secrets.SSH_PRIVATE_KEY }}
            ${{ secrets.ANOTHER_SSH_PRIVATE_KEY }}

The SSH_PRIVATE_KEYs are added as deploy keys to this repo.

In the next step, I try to run npm install.
Now based on the order of the private keys, only one of these dependencies installs successfully.
I have tried to change the order of these ssh keys, which changes the dependency that cannot be installed.

Is it possible to use deploy keys to access both the private repositories in this case?
Let me know if you need more information.

LFS support for multiple repos

It works fine with multiple repos as documented. However, if there are repos with LFS, it would fail.

One workaround is to disable LFS by setting the GIT_LFS_SKIP_SMUDGE environment variable to 1.

But there are circumstances where LFS is really needed to obtain large files. Is there a plan to support this?

Post-run actions on multi-usage

First of all, thanks for this GH-Action :-)

I'm using this action twice in my workflow because using a ssh-agent with multiple keys doesn't seem to work with the Gradle-plugin I'm using to push some data to Git-Repositories over ssh.

[...]
      - uses: webfactory/[email protected]
        with:
          ssh-private-key: ${{ secrets.WORKFLOW_SSH_KEY }}
        continue-on-error: true
      - name: Push data, if there are any changes
        run: ./gradlew gitPublishPush --info

      - uses: webfactory/[email protected]
        with:
          ssh-private-key: ${{ secrets.WORKFLOW_SSH_KEY_ARCHIV_REPO }}
        continue-on-error: true
      - name: Archive the PDFs in a private repo
        run: ./gradlew -b archive.gradle.kts gitPublishPush --info

This works fine, but I have to use continue-on-error because otherwise, the second post-run-action (which belongs to the first ssh-agent) fails:

[image]

Can I somehow trigger the post-run action manually at an earlier step?

Otherwise, I suggest to check in cleanup.js, if the process is already killed.

execSync('kill ${SSH_AGENT_PID}', { stdio: 'inherit' })

fatal: Could not read from remote repository

This might be obvious, but I'm having a lot of trouble using an SSH key (a deploy key) using this action. I have the following workflow (fragment):

      - uses: webfactory/[email protected]
        with:
          ssh-private-key: ${{ secrets.DeployKey }}

      - name: Checkout the other repository
        run: |
          git clone [email protected]:Org/RepoName.git

However that gives me:

Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I know the deploy key works, and I also know it's correctly inserted as a secret. Any idea why this might be happening?

Make this action work on Windows as well

When using this GitHub action on Windows it's not happy as of two days ago.

I currently get the error

unable to start ssh-agent service, error :1058

I am currently trying to figure out what changed on windows 2019 on github actions ...

What is the proper private key format?

Hi there,

I'm trying to fetch private repo as a dependency in GitHub Actions for an Elixir/Phoenix application.

  • I created a new public/private key pair with the ssh-keygen -t ed25519 -a 100 -f /home/ryan/.ssh/github_actions command and without any passphrase
  • I copied the private key using xclip -sel clip < ~/.ssh/github_actions and pasted the content in the secret config of the GitHub repository where I wish to run the GitHub Actions with the title SSH_PRIVATE_KEY
  • I copied the public key using xclip -sel clip < ~/.ssh/github_actions.pub and pasted the content in the deploy_key config of GitHub under the title GITHUB_ACTIONS_DEPLOY_KEYS
  • I added these lines in my workflow definition file:
    - uses: webfactory/[email protected]
      with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
  • then I committed the changes/pushed the changes to the repo and let GHA work. However, I get the following error message when the step for fetching dependencies is triggered:
Load key "/home/runner/.ssh/id_rsa": invalid format
[email protected]: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
** (Mix) Command "git --git-dir=.git fetch --force --quiet --progress" failed
##[error]Process completed with exit code 1.

Apparently, the key format is wrong. Which key format should be used?

id_rsa key file does not exist after adding it?

Not really clear if I'm doing something wrong but I can't push to my remote because key does not exist.
I would expect that the key is added to /home/runner/.ssh/id_rsa and then used from there, but that doesn't seem to be the case.
Any help appreciated, below is my output.

Adding keys:

Run webfactory/[email protected]
4096 SHA256:Ogd8/KGgSFwKpL4mfmEZFBesrshP5P9SYSQzDBQMfHg (stdin) (RSA)
Run webfactory/[email protected]
  with:
    ssh-private-key: ***
Adding GitHub.com keys to /home/runner/.ssh/known_hosts
Starting ssh-agent
Adding private key to agent
Identity added: (stdin) ((stdin))
Keys added:
4096 SHA256:Ogd8/KGgSFwKpL4mfmEZFBesrshP5P9SYSQzDBQMfHg (stdin) (RSA)

Check if file exists in ~/.ssh/, not there..

Run ls -al  ~/.ssh/
total 12
drwxr-xr-x  2 runner docker 4096 Sep  7 10:05 .
drwxrwxrwx 11 runner docker 4096 Sep  7 10:05 ..
-rw-r--r--  1 runner docker  994 Sep  7 10:05 known_hosts

Check if file exists in /home/runner/.ssh/, not there..

Run ls -al /home/runner/.ssh/
total 12
drwxr-xr-x  2 runner docker 4096 Sep  7 10:05 .
drwxrwxrwx 11 runner docker 4096 Sep  7 10:05 ..
-rw-r--r--  1 runner docker  994 Sep  7 10:05 known_hosts

Running git push host:branch

debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_ed25519-cert type -1

Unable to find version v0.4.1

Hi @mpdude,

I am trying to use v0.4.1, but GitHub Actions is unable to find it. Then I tried the previous version, v0.4.0, but it is not working either because --set-env: is being deprecated by GitHub.

SCP Workflow on Windows

Thanks for providing this action, I am a very happy user!

I have recently stumbled across an issue on Windows with one of my use cases: I am using the action to set up a private key, which I then use to copy large, non-public files with scp from a VM hosted at my institution to the GitHub runner. The workflow works fine on Linux. On Windows, the action itself is successful, but the scp operation in a subsequent step fails with Permission denied (publickey)..

After reading carefully through #63 I was able to actually fix the problem by replacing my plain usage of scp on Windows with c://progra~1//git//usr//bin//scp.exe. I am happy to have found this fix, but I really do not like it. I would prefer it if this action could modify the environment such that the correct versions of SSH-related executables are picked up. I can imagine this in both an implicit way (like modifying path variables) or an explicit way (like export e.g. an SCP_BIN environment variable for the user to use).

Feel free to ignore and close this if you consider it out of scope of the action.

Support non-ephemeral, self-hosted runners

subsequent builds fail with:

Run webfactory/[email protected]
##[error]Node run failed with exit code 1
Run webfactory/[email protected]
Adding GitHub.com keys to undefined/.ssh/known_hosts
Starting ssh-agent
bind: Address already in use
unix_listener: cannot bind to path: /tmp/ssh-auth.sock
##[error]Command failed: ssh-agent -a /tmp/ssh-auth.sock
bind: Address already in use
unix_listener: cannot bind to path: /tmp/ssh-auth.sock

##[error]Node run failed with exit code 1

This is on local github-runners, which are not ephemeral. Cleaning up the /tmp/ssh-auth.sock manually resolves this problem temporarily.

Run inside a Docker container

It took me forever to figure out, why this action doesn't work if I run the whole workflow inside a container.
The problem is that the Github Action somehow changes/sets the HOME variable inside the container so that the ~/.ssh/known_hosts file is at a wrong location.
This action puts the Github PubKeys inside ~/.ssh/known_hosts which is in the home path of the runner. But the running container normally runs as root so ssh looks for /root/.ssh/known_hosts which doesn't exist.
Copying the known_hosts to this location if the workflow is running inside Docker solves the problem. As I am a total Node noob I just played around with the dist/index.js file, but putting the following snippet after creating the known_hosts file the SSH agent also works inside docker:

    if(fs.existsSync('/.dockerenv') && child_process.execFileSync('id', ['-u']).toString().trim() === '0') {
        fs.mkdirSync('/root/.ssh', { recursive: true});
        fs.copyFileSync(`${homeSsh}/known_hosts`, '/root/.ssh/known_hosts');
    }

I'm not sure if that somehow breaks running the action in Windows because in Windows there is no id command. But that shouldn't be a problem because Github Actions currently doesn't allow running non-Linux containers. Also, I don't know if the root check is even necessary because probably all containers run as root.

Would it be possible to add this snippet to your action so Docker users can also use it? :)

Fail to build image with yarn install calling other repo

Hi,

I'm trying to build my docker image (it runs like a charm locally). Locally, I pass docker build args with my private and public key (this key is on the second repo). When yarn install calls the private repo, I get a "not authorized".

My config:

name: Docker Image CI (posts@v1)

on: [push]

jobs:

  build:

    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v1
    - name: webfactory/ssh-agent
      uses: webfactory/[email protected]
      with:
        ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
    - name: Build the Docker image
      run: docker build --build-arg ssh_prv_key="$(cat key)" --build-arg ssh_pub_key="$(cat key.pub)" . --file Dockerfile --tag mydockerimage/image:$(date +%s)

This action above fails.

This action below, fails too.

    - name: Build the Docker image
      run: docker build . --file Dockerfile --tag mydockerimage/image:$(date +%s)

What i did wrong?

Thanks

Fabio

Error: spawnSync ssh-agent ENOENT

Hi, any idea why I have this error?

Adding GitHub.com keys to /github/home/.ssh/known_hosts
Starting ssh-agent
Error: spawnSync ssh-agent ENOENT

Thank you!

Replace deprecated set-env and add-path commands with new syntax

A moderate security vulnerability has been identified in the GitHub Actions runner that can allow environment variable and path injection in workflows that log untrusted data to stdout.

Action authors who are using the toolkit should update the @actions/core package to v1.2.6 or greater to get the updated addPath and exportVariable functions.

Action and workflow authors who are setting environment variables via stdout should update any usage of the set-env and add-path workflow commands to use the new environment files.

https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/

I didn't see anything on this repo discussing this, so I thought I'd bring this to your attention if you hadn't noticed yet. I noticed a warning on my builds regarding the use of this action and the set-env command it's doing.
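The environment-file form mentioned in the advisory above, as an added example (not the action's code and not from the original post). A temporary file stands in for the path a runner provides in `GITHUB_ENV`; `exportVariable` and `parseEnvFile` are hypothetical helpers, and all values are constructed.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');
const crypto = require('crypto');

// Append one variable to the environment file in the multi-line form:
//   NAME<<DELIM / value lines / DELIM
// A random delimiter means a value cannot close its own block early.
function exportVariable(envFile, name, value) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
    throw new Error(`invalid variable name: ${JSON.stringify(name)}`);
  }
  const delimiter = `EOF_${crypto.randomBytes(16).toString('hex')}`;
  const text = String(value);
  if (text.split(/\r?\n/).includes(delimiter)) {
    throw new Error('value contains the delimiter line');
  }
  fs.appendFileSync(envFile, `${name}<<${delimiter}\n${text}\n${delimiter}\n`);
}

// Simplified reader for the form written above (hypothetical helper, not the
// runner's parser); it shows which variables the file defines.
function parseEnvFile(envFile) {
  const lines = fs.readFileSync(envFile, 'utf8').split('\n');
  const vars = {};
  for (let i = 0; i < lines.length; i++) {
    const header = /^([A-Za-z_][A-Za-z0-9_]*)<<(.+)$/.exec(lines[i]);
    if (!header) continue;
    const body = [];
    for (i++; i < lines.length && lines[i] !== header[2]; i++) body.push(lines[i]);
    vars[header[1]] = body.join('\n');
  }
  return vars;
}

// Constructed values: the second imitates untrusted text that carries an old
// stdout command and a KEY=value line.
function envFileDemo() {
  const envFile = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'ghenv-')), 'env');
  exportVariable(envFile, 'SSH_AUTH_SOCK', '/tmp/ssh-constructed/agent.123');
  exportVariable(envFile, 'NOTE', 'ok\n::set-env name=PATH::/evil\nNODE_OPTIONS=--require=/evil.js');
  return parseEnvFile(envFile);
}
```

The embedded `::set-env` and `NODE_OPTIONS=` lines end up as plain data inside `NOTE`; only the two named variables are defined.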

Deploy key not "treated as deploy key"

I have followed the guide to setup a deploy key on a private git repo for a Swift Package.

I generated new SSH in the private SP repo using this command: ssh-keygen -b 4096 -t rsa -N "" -f key -C "[email protected]:my-org/my-swift-package-repo.git"
I have added the .ssh/key files (private/public) and the config file with GitHub.com host to the private SP repo.
I have added the public key as a deploy key on the private SP repo.
I have added the private key as a secret on the other repo that has an app using the SP as a dependency.

No matter what, I get this error:

Comment for key '' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.

xcodebuild: error: Could not resolve package dependencies:
10
  The remote repository could not be accessed. Make sure a valid repository exists at the specified location and that the correct credentials have been supplied.

Here is my yaml:

      - name: Set SSH Key for remote host
        uses: webfactory/[email protected]
        with:
          ssh-private-key: ${{ secrets.SPM_SSH_PUBLIC_KEY }}

Any help would be greatly appreciated!

passphrase support

Make sure you don't have a passphrase set on the private key.

Any thoughts on adding support for keys with passphrases?

Exposes sensitive variables in logs

I can't use this for our company, as it dumps potentially sensitive private keys straight to the logs.

Unfortunately, it not only exposes them, but also reformats them, meaning the inbuilt github secret masking doesn't catch it.

Go compatibility

I struggled to get Go private modules working and wanted to share my workaround in case it's helpful or the changes can be incorporated. Basically the default .gitconfig generated when using commented keys doesn't seem to work with go get and related commands.

The tl;dr is I need the config to go from this:

[url "git@d5ec..:my-org/my-repo.git"]
	insteadOf = https://github.com/my-org/my-repo.git
        ...

to

[url "ssh://git@d5ec.../my-org/my-repo"]
	insteadOf = https://github.com/my-org/my-repo
	...

The key differences being:

  • urls do not end with .git
  • url needs to be ssh:// formatted. i.e., first : -> /, and the scheme.

The reason for this seems to be that go interacts with git by specifying the origin as https://github.com/my-org/my-repo, which works, but won't match the longer (arguably more correct) URL you've put in the config. e.g., internally go is doing git remote add origin -- https://github.com/my-org/my-repo without a trailing slash or .git.

I'm currently working around this with this sed script:

          sed -i.bak -re '
          s|(insteadOf.*https://.*)\.git$|\1|g
          s|\[url "(git@[^:]*]?):(.*?)\.git"\]$|[url "ssh://\1/\2"]|g' ~/.gitconfig

NOTE: For anyone else trying to get this working, you will also need GOPRIVATE=github.com/my-org/* as an environment variable.
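Why dropping `.git` from the rule matters, as an added example (not the action's code and not from the original post): Git rewrites a URL only when it starts with an `insteadOf` value, and the longest matching value wins. `rewriteUrl` is a hypothetical model of that rule, and `key-alias.example` is a constructed stand-in for the host alias the post elides as `d5ec...`.

```javascript
// Model of url.<base>.insteadOf: prefix match, longest insteadOf value wins.
function rewriteUrl(rules, url) {
  let best = null;
  for (const rule of rules) {
    if (url.startsWith(rule.insteadOf) &&
        (best === null || rule.insteadOf.length > best.insteadOf.length)) {
      best = rule;
    }
  }
  return best ? best.base + url.slice(best.insteadOf.length) : url;
}

// Constructed alias; the real one is generated per deploy key.
const ALIAS = 'key-alias.example';

// Rule shape before the sed script (ends in .git).
const generatedRules = [
  { base: `git@${ALIAS}:my-org/my-repo.git`,
    insteadOf: 'https://github.com/my-org/my-repo.git' },
];

// Rule shape after the sed script (no .git, ssh:// scheme).
const goFriendlyRules = [
  { base: `ssh://git@${ALIAS}/my-org/my-repo`,
    insteadOf: 'https://github.com/my-org/my-repo' },
];

function insteadOfDemo() {
  const goUrl = 'https://github.com/my-org/my-repo'; // what go passes to git
  return {
    // The URL is shorter than the insteadOf value, so nothing is rewritten.
    generated: rewriteUrl(generatedRules, goUrl),
    // The shorter prefix matches the URL go uses ...
    goFriendly: rewriteUrl(goFriendlyRules, goUrl),
    // ... and still matches the .git form used by plain git clones.
    withDotGit: rewriteUrl(goFriendlyRules, goUrl + '.git'),
    // Caveat: it also matches any repository whose name starts with
    // "my-repo", which is then sent to the alias bound to my-repo's key.
    sibling: rewriteUrl(goFriendlyRules, 'https://github.com/my-org/my-repo-tools'),
  };
}
```

The `sibling` case is the one to watch when two repositories in the same organization share a name prefix and each has its own deploy key.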

Get it to work with pm2

I struggle to get this to work with pm2.

I have created a new SSH key and added it as a deploy key in my repo where the action runs. I added it as a secret in the repo too.

That's the output:

[PM2] Spawning PM2 daemon with pm2_home=/home/runner/.pm2
[PM2] PM2 Successfully daemonized
--> Deploying to production environment
--> on host xxxx
fatal: HEAD does not point to a branch
  ○ deploying origin/master
  ○ executing pre-deploy-local
  ○ hook pre-deploy
Host key verification failed.
  ○ fetching updates
  ○ full fetch
Host key verification failed.


  fetch failed

The action's usage can be reviewed here

And my pm2 ecosystem file

Command failed: ssh-add -

Hi, I have been having an issue today with this error: Command failed: ssh-add -. I have been using this action for a long time and never had a problem. Could you help me debug what's wrong?

Here my workflow file:

name: Test Registry packace

on:
  push:
    branches:
      - master
  repository_dispatch:

jobs:
  publish:
    runs-on: ubuntu-latest
    name: Publish on the server
    steps:
      - name: Check out the repo
        uses: actions/[email protected]

      - name: Login to GitHub Packages Docker Registry
        uses: docker/login-action@v1
        with:
          registry: docker.pkg.github.com
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set SSH key for remote host
        uses: webfactory/[email protected]
        with:
          ssh-private-key: ${{ secrets.DO_SSH_KEY }}

      - name: Create a docker context for remote machine
        run: docker context create digital_ocean --docker="host=${{secrets.DO_HOST}}"

      - name: Launch new configuration
        run: docker-compose --context digital_ocean -f docker-compose.prod.yml up -d --build --force-recreate

      - name: Logout from docker
        run: docker logout

And here the error I got.

Screenshot 2020-11-27 at 21 02 27

Multiple Deploy Keys within npm/node application failing to authenticate with Private Repos

Hi there,

I'm trying to fetch multiple private repos as dependencies in GitHub Actions for a node/npm application. I'll be upfront, I'm not very knowledgeable on ssh keys and ssh authentication in general but I have done a lot of testing to try to debug where I'm going wrong. I'll outline steps I've taken and troubleshooting and results:

Steps taken so far:

  1. Generated key for Private Repo A using: ssh-keygen -t ed25519 -a 100 -f ~/.ssh/keys/A - this was generated without passphrase - I ran into that issue at first
  2. Copied value from A.pub into the A repo's Deploy Keys and then added the url in the comment field instead of the local identifier that was added to the comments during the keygen process. So the value was something along the lines of ssh-ed25510 *redacted* https://github.com/organization/A
  3. Copied value from A into a secret within Repo C for Github Actions and named it A_PRIVATE_KEY
  4. keygen the same way for B
  5. Copied value from B.pub into B Deploy Keys and then added url to comment field resulting in something like: ssh-ed25510 *redacted* https://github.com/organization/B
  6. Copied value from B into a secret within Repo C for Github Actions and named it B_PRIVATE_KEY
  7. Added both keys per the docs (see code example 1)
  8. Github Action does an npm ci but fails with "ERROR: Repository not found." which I assume is specifically failing to authenticate

Code Example 1

    - uses: webfactory/[email protected]
      with:
        ssh-private-key: |
          ${{ secrets.A_PRIVATE_KEY }}
          ${{ secrets.B_PRIVATE_KEY }}

Troubleshooting/debugging:

  • I've tested with just a single key and depending on the key that is used, the errors will appropriately display (using A key, success with A repo but fails installing B repo).
  • I have found that the output messaging is not what I would expect it to be:
Key(s) added:
256 SHA256:/*redacted* [email protected] (ED25519)
256 SHA256:*redacted* [email protected] (ED25519)
Configuring deployment key(s)

Things that seem strange about this:

  • I have replaced the comment collinb@ with the url of each private repo in the public keys within each private dependency A and B.
  • I was expecting to see additional stdout for each key but nothing ever shows other than Configuring deployment key(s) and then it's sort of a silent failure. I did test the regex used to make sure I didn't have some sort of incorrect format and the format I was using https://github.com/organization/A was properly matching.
  • I added a test clone step (code example 2) to try to mirror what you are doing in your repo but this fails with fatal: could not read Username for 'https://github.com': No such device or address

Code Example 2

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - uses: webfactory/[email protected]
      with:
        ssh-private-key: |
          ${{ secrets.B_PRIVATE_KEY }}
          ${{ secrets.A_PRIVATE_KEY }}
    - name: Test Clone
      run: |
        git clone https://github.com/organization/A.git test-fc-http
        git clone [email protected]:organization/A.git test-fc-git
        git clone ssh://[email protected]/organization/A.git test-fc-git-ssh

I have been able to successfully install doing

    - uses: webfactory/[email protected]
      with:
        ssh-private-key: ${{ secrets.A_PRIVATE_KEY }}
    - name: Debugging with Git Clone 1
      run: git clone ssh://[email protected]/organization/A.git test-a-http

in other repositories but for some reason I am really struggling to get the multiple deploy key setup to work for the private github repositories using npm install.

  • Tested out different combinations of manual install and keys and have noticed that it will fail to authenticate when I use the comment field for the url of the repo in the public key. But if I switch it back to the collinb@ it will authenticate. I am pretty confident my issue lies in how I've generated the keys or configured my keys with the url and am unsure of my mistake.

I'm wondering if you might have any insight or steps that I can try out to try to get this to work on my end or point to how I've misconfigured the keys?

Thanks so much!

Host key verification

Doesn't it make sense to add the ability to add host keys to ~/.ssh/known_hosts? From what I can see the alternative solution allows this. And you add GitHub host keys to the file anyway.

A workaround:

    - name: Add the host key
      run: |
        line='example.com,xx.xxx.xx.xxx ssh-rsa AAAA...kMIR'
        echo "$line" >> ~/.ssh/known_hosts
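A check that could run before a line like the one above is appended, as an added example (not the action's code and not from the original post): it parses the known_hosts entry and accepts it only if its SHA256 fingerprint equals one obtained out of band. All function names are hypothetical, and the key blob, host name and address are constructed.

```javascript
const crypto = require('crypto');

// OpenSSH-style fingerprint: SHA-256 of the decoded key blob, base64, no padding.
function fingerprint(keyBlobB64) {
  const blob = Buffer.from(keyBlobB64, 'base64');
  const digest = crypto.createHash('sha256').update(blob).digest('base64');
  return 'SHA256:' + digest.replace(/=+$/, '');
}

// Parse "hosts keytype base64blob [comment]" and check that the key type
// named on the line is the one encoded at the start of the blob.
function parseKnownHostsLine(line) {
  const [hosts, type, blob] = line.trim().split(/\s+/);
  if (!hosts || !type || !blob) throw new Error('malformed known_hosts line');
  const decoded = Buffer.from(blob, 'base64');
  const len = decoded.readUInt32BE(0); // blob starts with a length-prefixed type
  const embedded = decoded.subarray(4, 4 + len).toString('ascii');
  if (embedded !== type) throw new Error(`key type mismatch: ${type} vs blob`);
  return { hosts: hosts.split(','), type, blob };
}

// Return the normalized line only when the fingerprint matches the pin.
function pinnedLine(line, expectedFingerprint) {
  const entry = parseKnownHostsLine(line);
  const actual = fingerprint(entry.blob);
  if (actual !== expectedFingerprint) {
    throw new Error(`host key fingerprint ${actual} does not match the pin`);
  }
  return `${entry.hosts.join(',')} ${entry.type} ${entry.blob}`;
}

// Constructed ed25519-shaped blob (not a real host key) for the demo.
function constructedKeyBlob(fill) {
  const u32 = (n) => { const b = Buffer.alloc(4); b.writeUInt32BE(n); return b; };
  const type = Buffer.from('ssh-ed25519');
  const key = Buffer.alloc(32, fill);
  return Buffer.concat([u32(type.length), type, u32(key.length), key]).toString('base64');
}

function pinDemo() {
  const blob = constructedKeyBlob(0x41);
  const line = `example.com,192.0.2.10 ssh-ed25519 ${blob}`;
  const trusted = fingerprint(blob); // stands in for a fingerprint obtained out of band
  return { line, trusted, accepted: pinnedLine(line, trusted) };
}
```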
