Please provide `ssh_known_hosts` for GH services in Actions

mpdude · May 23, 2020, 5:37am

Dear GitHub,

would it be possible to set up Action worker nodes in a way that we already have the SSH Host Keys for GitHub services (repos, Gists) etc. available in either /etc/ssh/ssh_known_hosts or ~/.ssh/known_hosts?

That would make workflows somewhat more straightforward when we e. g. need to fetch dependencies.

Also, it would be more secure than having to run ssh-keyscan and just accept whatever keys we find. You should be in the best position to always provide the correct and up-to-date keys .

Thanks!

ethomson · May 23, 2020, 6:09am

Neat idea. I can see how this could help. We’ll take a look.

tonyarnold · May 23, 2020, 6:09am

Did this end up happening? I’m still finding that I have to run the following command from inside my workflows to use Swift Package Manager:

for ip in $(dig @8.8.8.8 github.com +short); do ssh-keyscan github.com,$ip; ssh-keyscan $ip; done 2>/dev/null >> ~/.ssh/known_hosts

3a4oT · June 4, 2020, 9:10am

Hey @tonyarnold. Are you able to run Swift package tests with private dependencies? If so can you please share your approach since I can’t make it work for some reason GitHub runner do not use the package’s local .ssh folder and always fails to fetch dependencies. There is a related topic. Thanks!

tonyarnold · June 4, 2020, 11:38pm

I am able to check out private Swift packages:

- name: "Set up SSH agent"
  uses: webfactory/ssh-agent@v0.1.1
  with:
    ssh-private-key: ${{ secrets.CI_SSH_PRIVATE_KEY }}

- name: "Add GitHub to the SSH known hosts file"
  run: |
    for ip in $(dig @8.8.8.8 github.com +short); do \
      ssh-keyscan github.com,$ip; \
      ssh-keyscan $ip; \
    done 2>/dev/null >> ~/.ssh/known_hosts

There is one other change you need to make if you’re using Xcode directly, rather than Swift Package Manager, and that is to pass the -usePackageSupportBuiltinSCM flag to xcodebuild.

Once you’ve done this, you should be fine!

saudeon · July 20, 2020, 7:16pm

@tonyarnold I just want to thank you immensely.

Finding your post, and your comment in regards to the -usePackageSupportBuiltinSCM flag for xcodebuild finally resolved a huge headache with GitHub Actions.

BrentMifsud · December 23, 2020, 4:01am

I managed to fix this issue by using ssh for all my private packages and also adding the following to my GitHub action workflow file:

-usePackageSupportBuiltinSCM flag to Xcode build step
adding a run step to add the above SSH key prior to running Xcode build.

- name: Add CI SSH Key
  run: ssh-add - <<< "${{ secrets.CI_SSH_KEY }}"

dkulundzic · March 18, 2021, 1:55pm

@tonyarnold I’m using fastlane, do you know how to pass -usePackageSupportBuiltinSCM to build_app?

Currently, I have tried and failed