GithubHelp home page GithubHelp logo

tanmancan / action-setup-ssh-agent-key Goto Github PK

View Code? Open in Web Editor NEW
4.0 2.0 0.0 24 KB

Configure SSH key and persist the ssh-agent across all steps in a job.

License: GNU General Public License v3.0

action-setup-ssh-agent-key's Introduction

Setup SSH Agent and Key

Configure SSH key and persist the ssh-agent across all steps in a job.

Inputs

name description default
ssh-auth-sock Use a custom unix socket to bind the ssh-agent. /tmp/ssh_auth.sock
ssh-private-key Add a private key to the ssh-agent. -
ssh-public-key Add a public key to known_hosts. Format should be "{hostname} {key-type} {key}". -

How to Use

ssh-auth-sock

Set a custom path for the Unix socket. If none provided, a default path will be used. The ssh-agent will bind to this socket via ssh-agent -a [SOCKET_PATH]. You can only set this value once. After the agent is started, you can no longer modify the socket path.

- uses: tanmancan/[email protected]
  with:
    # Optional path to the unix socket
    ssh-auth-sock: /tmp/my_custom.sock

- uses: tanmancan/[email protected]
  with:
    # This will not do anything since the agent is already running
    ssh-auth-sock: /tmp/a_different.sock

ssh-private-key

Adds a private key to the agent via ssh-add. Highly recommended that you use a secret to store this value. If you want to add multiple private keys, you have to do it via separate uses command:

# Set first private key
- uses: tanmancan/[email protected]
  with:
    ssh-private-key: ${{ secrets.PRIVATE_KEY_ONE }}
  # Key for a first server
  run: ssh -T [email protected] "some_command"

# Set second private key
- uses: tanmancan/[email protected]
  with:
    ssh-private-key: ${{ secrets.PRIVATE_KEY_TWO }}
  # Key for a second server
  run: ssh -T [email protected] "some_command"

ssh-public-key

Adds a public key to the ~/.ssh/known_hosts file. This helps verify the identity of the remote server. The format for this should be {hostname} {key-type} {key}:

server.example.com ssh-rsa AAAAabb1234abcd...

It is highly recommended you use a secret to store this value. You may add multiple public key:

# Set first public key
- uses: tanmancan/[email protected]
  with:
    ssh-public-key: ${{ secrets.PUBLIC_KEY_ONE }}
# Set second public key
- uses: tanmancan/[email protected]
  with:
    ssh-public-key: ${{ secrets.PUBLIC_KEY_TWO }}

Example in an workflow.

name: CI
on:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2

      - uses: tanmancan/[email protected]
        with:
          ssh-auth-sock: /tmp/my_auth.sock
          ssh-private-key: ${{ secrets.PRIVATE_KEY_ONE }}
          ssh-public-key: ${{ secrets.PUBLIC_KEY_ONE }}

      - name: SSH Command Example
        run: ssh -T [email protected]
        ...

      # Adds new private and public key to use with a second remote system
      - uses: tanmancan/[email protected]
        with:
          ssh-private-key: ${{ secrets.PRIVATE_KEY_TWO }}
          ssh-public-key: ${{ secrets.PUBLIC_KEY_TWO }}

      - name: Another SSH Command Example
        run: ssh -T [email protected]
        ...

Why use this

Summary

Each step runs in its own process and has its own environment variable. This action exports SSH_AUTH_SOCK from a step to a global variable, so any subsequent steps can communicate with the ssh-agent.

How the ssh-agent communicates

When you start a ssh-agent via eval `ssh-agent`, it will bind to a unix socket located in /tmp/ssh-XXXXXXXXXX/agent.pid. This socket will be exported to a variable called SSH_AUTH_SOCK.

Other process will look for this socket in SSH_AUTH_SOCK and use it to communicate with the agent. For example, ssh-add uses the socket to add identities to the agent.

If the agent is not running, or if the SSH_AUTH_SOCK is empty, you may see the following error:

ssh-add
# If SSH_AUTH_SOCK is empty, then outputs
Could not open a connection to your authentication agent.

Steps in a job do not share environment

Each step in a job runs in its own process and has is own environment. This means if you start the ssh-agentin one step, other steps won't be able to use the exported SSH_AUTH_SOCK.

# Starts ssh-agent, adds keys, echo SSH_AUTH_SOCK, and
# ssh into github.
- name: Configure SSH
  run: |
    eval `ssh-agent -s`
    ssh-add - <<< "${{ secrets.PRIVATE_KEY }}"

    echo $SSH_AUTH_SOCK
    ssh -T [email protected]
  continue-on-error: true

# Echoes SSH_AUTH_SOCK and ssh into github
- name: Run SSH
  run: |
    echo $SSH_AUTH_SOCK
    ssh -T [email protected]
  continue-on-error: true

The first step will print the location of the SSH_AUTH_SOCK and a success message from Github:

...
/tmp/ssh-XXXXXXXXX/agent.XXXX
...
Hi user/testing! You've successfully authenticated, but GitHub does not provide shell access

But the second step will print an empty value for SSH_AUTH_SOCK and a permission denied message from Github.

# Empty line from echo SSH_AUTH_SOCK

[email protected]: Permission denied (publickey).

Using workflow environment to share data between steps.

To get around this, we can export our local SSH_AUTH_SOCK to a global workflow environment. This way all steps within a job will be able to access the SSH_AUTH_SOCK.

To export a local variable to the workflow environment, you can run the following command:

echo "{name}={value}" >> $GITHUB_ENV
- name: Configure SSH
  run: |
    eval `ssh-agent -s`
    ssh-add - <<< "${{ secrets.PRIVATE_KEY }}"

    # Export SSH_AUTH_SOCK to the workflow env
    echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK}" >> $GITHUB_ENV
  ...

# Echoes SSH_AUTH_SOCK and ssh into github
- name: Run SSH
  run: |
    echo $SSH_AUTH_SOCK
    ssh -T [email protected]
  continue-on-error: true

The second will now be print the SSH_AUTH_SOCK and successfully ssh into Github.

/tmp/ssh-XXXXXXXXX/agent.XXXX
...
Hi user/testing! You've successfully authenticated, but GitHub does not provide shell access.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.