Github Actions: CI - how to use/store deploy key to download from another private repo?

After a full evening of looking at this … it's time to ask the stupid questions :wink:

I’ve an (elixir) project which uses a library in another repo. I’ve created a deploy token for that repo which I’ve added as a secret to the consuming application. I’m reasonably certain the below _should_ work:

- name: Install Deps
  env:
    DEPLOY_KEY: ${{ secrets.deploy_key }}
  run: |
    eval "$(ssh-agent -s)"
    echo "$DEPLOY_KEY" | tr -d '\r' | ssh-add -

    mix deps.get

The dep in question is using the following for the git url: “git@github.com:os6sense/barbaz.git”, which works fine locally.

However I'm getting "Host key verification failed.", and when I check the length of the secret, it's only 51 characters.

I assume that I can’t pass a deploy key in via secrets, I’d prefer not to use an access token, and I can’t find any documentation to help (it might be there, hard to find atm).

Has anyone any suggestion of how to make things work with a deploy key?


Still not solved this, although it was immediately obvious after sleep that using the ENV to store this was probably a part of the issue. I'm still having issues when, in order to debug the issue, I store the deploy key along with the repo, so I'm assuming it's something in how I'm attempting to use ssh-agent/ssh-add. Documentation would be nice for this :grin:


I got this to work using an envvar and a here string:

- name: Clone a remote repo
  env:
    DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
    GIT_SSH_COMMAND: "ssh -o StrictHostKeyChecking=no"
  run: |
    eval "$(ssh-agent -s)"
    ssh-add - <<< "${DEPLOY_KEY}"
    git clone git@github.com:org/repo.git

I think there are two things at work here: first, host checking is on for SSH by default; second, using echo or printf with the secret will only output the scrubbed value (I’m not sure about that, but I tested a few things that suggest it).

Mainly you need to disable SSH host checking with the GIT_SSH_COMMAND envvar, or any other method.

Here is what works for me:

https://www.webfactory.de/blog/use-ssh-key-for-private-repositories-in-github-actions

@mpdude I probably just don't understand ssh, but why does your solution require a private key?

Nevermind, I figured it out. For the ignorant (like myself) the agent needs a private key to do Diffie–Hellman key exchange (the colored buckets are quite illustrative). Since the GitHub CI agent is attempting to authenticate against a remote private repository, it needs the private and public keys - private from the DEPLOY_KEY variable and the public key presumably from your github account - to do the key comparison.

Would love to have a better understanding of it, so if I’m wrong anywhere please let me know.

I created an action to simplify this:

https://github.com/marketplace/actions/webfactory-ssh-agent


This is what worked for me:

- run: |
    mkdir ~/.ssh
    echo "${{ secrets.SECRET_PRIVATE_DEPLOY_KEY }}" > ~/.ssh/id_rsa
    chmod 600 ~/.ssh/id_rsa

Additionally you can add the domain name from which you are pulling the repository to known hosts:

ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts
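Two guards that tie the thread together, as an added example (not code from any post above): one catches the "secret is only 51 characters" symptom from the first post before the key reaches ssh-add, the other checks whether github.com is already pinned in known_hosts so the step can use ssh-keyscan rather than StrictHostKeyChecking=no. The sample key and public-key fragment are constructed for the demo; the function names are this example's own.

```shell
# Added example for this thread. Only lengths and line counts are printed,
# never the key material itself.

# check_deploy_key KEY
# Returns 0 when KEY looks like a complete private key: BEGIN/END markers
# present (after stripping CRs) and at least three lines. A public key, a
# token, or a misnamed/truncated secret fails here instead of inside ssh-add.
check_deploy_key() {
  key=$(printf '%s' "$1" | tr -d '\r')
  case "$key" in
    *"-----BEGIN "*" PRIVATE KEY-----"*"-----END "*" PRIVATE KEY-----"*) ;;
    *)
      len=$(printf '%s' "$key" | wc -c | tr -d ' ')
      echo "deploy key has no PRIVATE KEY markers (length $len chars)" >&2
      return 1 ;;
  esac
  lines=$(printf '%s\n' "$key" | wc -l | tr -d ' ')
  if [ "$lines" -lt 3 ]; then
    echo "deploy key is too short ($lines lines)" >&2
    return 1
  fi
  return 0
}

# has_known_host FILE HOST
# Returns 0 when FILE already carries a known_hosts entry for HOST (entry
# starts with the host name followed by a space or a comma).
has_known_host() {
  grep -q "^$2[ ,]" "$1" 2>/dev/null
}

# Constructed sample inputs (not real keys): a well-formed key with CRLF line
# endings, and a 51-character public-key fragment that reproduces the
# "only 51 characters" symptom described in the first post.
GOOD_KEY=$(printf '%b' '-----BEGIN OPENSSH PRIVATE KEY-----\r\nQUJDREVG\r\n-----END OPENSSH PRIVATE KEY-----\r\n')
BAD_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGV'

# In a run step, with DEPLOY_KEY coming from the env: block, the order is:
#   check_deploy_key "$DEPLOY_KEY" || exit 1
#   mkdir -p ~/.ssh
#   has_known_host ~/.ssh/known_hosts github.com \
#     || ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts
#   eval "$(ssh-agent -s)"
#   printf '%s\n' "$DEPLOY_KEY" | tr -d '\r' | ssh-add -
```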

thx @martinsbalodis your solution finally solved it. Ignoring the dedicated “env:” section solves it - classic somehow :slight_smile:

@martinsbalodis thanks for the tip. This works great! :smile:
