Using an SSH Keypair to grant access to private dependencies
(Interested in a simpler solution? Check out how to use Personal Access Tokens instead)
To grab private dependencies in our GitHub Action, we'll need to do a few things:
- Generate a new SSH keypair
- Add the Public key to the dependency's Deploy Keys
- Add the Private key to your project's Secrets
- Update your workflow file
We'll take it step-by-step.
(Heads Up: As the name implies, the "Private Key" is Private! Don't share it with anyone)
We need to securely grant our project (read-only) access to our dependency. To do this, we generate an SSH keypair.
(If you're already familiar with this process, you can go ahead and skip to Adding Your Keypairs.)
PUTTYgen instructions
On Windows, you'll use PUTTYgen. Hit the Windows key and type puttygen.
If you see the application, go ahead and open it. If you don't see it, you'll need to download it: https://www.putty.org/
First, change the "Number of bits in a generated key:" to 4096 (optional). Then we'll just click "Generate"
You'll be asked to jiggle your mouse around to generate some randomness. Just do a little dance with your mouse until it's done (or continue if you want to!).
Now your public/private keys are generated. You want to save both the "Public" and "Private" keys. Click each of the buttons, saving them somewhere that you can find them (make sure you can tell the difference between the two! You could name one "sshkey-public" and the other "sshkey-private").
Make sure you don't set a password on this key!
Great! You're all set. Now you can continue to the Adding Your Keypairs. section.
ssh-keygen instructions
Generating the keypairs is a lot easier on a ✨ uNiX syStEm ✨
Assuming you have the ssh-keygen tool (you'll quickly find out if you don't! - just download it if you need it), run the following command.
Just hit [Enter] through all of the prompts. You don't want a password on this keypair.
ssh-keygen -o -a 100 -t ed25519 -f ~/gluatest_exampleIn your home directory, you'll end up with something that looks like this:
The .pub is, of course, the Public key. The other one is the Private key.
There you go! You can continue to the Adding Your Keypairs. section.
(This section assumes both repositories are hosted on GitHub. You'll need to translate for other git hosts.)
Okay, so let's get a few things straight.
There are two code repositories involved here:
- Your Project (the project that you're adding GLuaTest to, which requires The Dependency to run)
- The Dependency (the project that your project requires)
We need to add the Private Key to Your Project. Open Your Project's settings, go to "Secrets", then "Actions":
Now we'll create a new Repository Secret:
The Name of the secret will be SSH_PRIVATE_KEY (or whatever you'd like, just remember to use that same name later in the instructions).
Now paste your Private Key into the Value input:
Save that Secret.
Now we need to add the Public Key to The Dependency. Open The Dependency's settings, go to "Deploy Keys":
- Call it something that explains that it's used for GLuaTest, then paste your Public Key into the
Keyinput. (Do not select "Allow write access")
Okay! You're finally done with SSH Keys!
Your Project's existing Workflow might look something like this:
name: GLuaTest Runner
on:
pull_request:
jobs:
run-tests:
uses: CFC-Servers/GLuaTest/.github/workflows/run_tests.yml@main
with:
gamemode: "darkrp"We just need to add a reference to the SSH key in there:
name: GLuaTest Runner
on:
pull_request:
jobs:
run-tests:
uses: CFC-Servers/GLuaTest/.github/workflows/run_tests.yml@main
with:
gamemode: "darkrp"
+ ssh-private-key: "${{ secrets.SSH_PRIVATE_KEY }}"DONE - your GLuaTest workflow should have read-only access to your dependency.
You can (and should!) delete the generated keypair files (the public and private key) from your machine.