This action modifies the Git and SSH configuration with the specified GitHub deploy keys to access other private repositories on the GitHub-hosted Windows, Linux, and macOS runners.

maroontress/deploy-keys

Deploy Keys action

This action modifies the Git and SSH configuration with the specified GitHub deploy keys to access other private repositories on the GitHub-hosted Windows, Linux, and macOS runners.

Note that this action does not use ssh-agent.

Inputs

keys

Required. Deploy keys of other private repositories.

To create a deploy key available for this action, you need to embed the SSH URL of the repository into the key comment. For instance, if the SSH URL of the repository is git@github.com:foo/bar.git, you can create the deploy key using the following command: ssh-keygen … -C 'git@github.com:foo/bar.git'.

Example usage

    steps:
    - name: Setting up deploy keys
      uses: maroontress/deploy-keys@v1
      with:
        keys: |
          ${{ secrets.BAR_DEPLOY_KEY }}
          ${{ secrets.BAZ_DEPLOY_KEY }}
    - name: Clone the private repositories
      shell: bash
      run: |
        git clone --depth 1 git@github.com:foo/bar.git
        git clone --depth 1 git@github.com:foo/baz.git

Please use a full-length commit SHA instead of a tag such as v1, because a tag can later be moved to a different commit. For a more realistic example, see here.

How it works

This action assigns a unique fake hostname to each repository in the Git layer, converts the fake hostname to github.com in the SSH layer, and associates the fake host with the SSH key of the corresponding repository.

1. git config

This action modifies the ~/.gitconfig file by executing git config with a url.<base>.insteadOf variable for each deploy key. After running this action, you can check the configuration with git config --global --list, which prints the following:

    url.git@fake0.github.com:foo/bar.insteadof=git@github.com:foo/bar
    url.git@fake1.github.com:foo/baz.insteadof=git@github.com:foo/baz

2. ~/.ssh/config and ~/.ssh/known_hosts

This action overwrites ~/.ssh/config. After running this action, the content of ~/.ssh/config will be as follows:

    Host fake0.github.com
      HostName github.com
      IdentityFile C:\Users\runneradmin\.ssh\fake0.github.com
      IdentitiesOnly yes

    Host fake1.github.com
      HostName github.com
      IdentityFile C:\Users\runneradmin\.ssh\fake1.github.com
      IdentitiesOnly yes

The path of IdentityFile will vary depending on the platform (the above example is on the Windows runner).

This action also creates ~/.ssh/known_hosts containing the SSH public key of github.com.

3. SSH private keys in ~/.ssh

This action creates ~/.ssh/fakeN.github.com (N = 0, 1, …) files to save the deploy keys (i.e., the SSH private keys). These files are referenced by the IdentityFile entries in ~/.ssh/config.
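The two lookup layers described in steps 1 to 3 can be traced end to end with the following added example, which is not the action's own code. The function names (rewriteUrl, parseSshConfig, resolve) and the Linux-style /home/runner/.ssh paths are assumptions; the rules and host blocks are constructed samples in the shape of the output shown above.

```javascript
// Constructed sample rules, in the shape of the `git config --global --list` output above.
const gitRules = [
  { base: 'git@fake0.github.com:foo/bar', insteadOf: 'git@github.com:foo/bar' },
  { base: 'git@fake1.github.com:foo/baz', insteadOf: 'git@github.com:foo/baz' },
];

// Constructed ~/.ssh/config in the shape shown above (Linux-style paths are an assumption).
const sshConfigText = `
Host fake0.github.com
  HostName github.com
  IdentityFile /home/runner/.ssh/fake0.github.com
  IdentitiesOnly yes

Host fake1.github.com
  HostName github.com
  IdentityFile /home/runner/.ssh/fake1.github.com
  IdentitiesOnly yes
`;

// Git layer: url.<base>.insteadOf is a prefix rewrite and the longest match wins, so a
// URL such as git@github.com:foo/bar-docs.git also matches the foo/bar rule.
function rewriteUrl(url, rules) {
  const hits = rules.filter((r) => url.startsWith(r.insteadOf));
  if (hits.length === 0) return url;
  const best = hits.reduce((a, b) => (b.insteadOf.length > a.insteadOf.length ? b : a));
  return best.base + url.slice(best.insteadOf.length);
}

// SSH layer: minimal parser for literal Host blocks (no wildcards, no Match).
function parseSshConfig(text) {
  const hosts = {};
  let current = null;
  for (const line of text.split('\n')) {
    const m = line.trim().match(/^(\S+)\s+(.*)$/);
    if (!m) continue;
    const [, key, value] = m;
    if (key.toLowerCase() === 'host') current = hosts[value] = {};
    else if (current) current[key.toLowerCase()] = value;
  }
  return hosts;
}

// Full resolution: which real host and which key file a clone URL ends up using.
function resolve(url, rules, hosts) {
  const rewritten = rewriteUrl(url, rules);
  const alias = rewritten.slice(rewritten.indexOf('@') + 1, rewritten.indexOf(':'));
  const entry = hosts[alias];
  return { rewritten, host: entry ? entry.hostname : alias, key: entry ? entry.identityfile : null };
}
```

A URL with no matching rule keeps its original host and gets no dedicated key file, which is a quick way to confirm that a given repository is not covered by any of the configured deploy keys.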

Remarks

Don't use this action on persistent self-hosted runners: it overwrites ~/.ssh/config and writes the deploy keys (SSH private keys) to ~/.ssh.

For serious use of this action, to mitigate the security risks, you should:

It is also advisable to audit the source code of this action before use.

Build

See Commit, tag, and push your action to GitHub — Creating a JavaScript action.

    sudo npm i -g @vercel/ncc
    ncc build index.js --license licenses.txt

Lint

    npx eslint index.js
