Please provide `ssh_known_hosts` for GH services in Actions

Dear GitHub,

would it be possible to set up Action worker nodes in a way that we already have the SSH Host Keys for GitHub services (repos, Gists) etc. available in either /etc/ssh/ssh_known_hosts or ~/.ssh/known_hosts? 

That would make workflows somewhat more straightforward when we e. g. need to fetch dependencies.

Also, it would be more secure than having to run ssh-keyscan and just accept whatever keys we find. You should be in the best position to always provide the correct and up-to-date keys .

Thanks!

Neat idea.  I can see how this could help.  We’ll take a look.

Did this end up happening? I’m still finding that I have to run the following command from inside my workflows to use Swift Package Manager:

for ip in $(dig @8.8.8.8 github.com +short); do ssh-keyscan github.com,$ip; ssh-keyscan $ip; done 2>/dev/null >> ~/.ssh/known_hosts

Hey @tonyarnold. Are you able to run Swift package tests with private dependencies? If so can you please share your approach since I can’t make it work for some reason GitHub runner do not use the package’s local .ssh folder and always fails to fetch dependencies. There is a related topic. Thanks!

I am able to check out private Swift packages:

- name: "Set up SSH agent"
  uses: webfactory/ssh-agent@v0.1.1
  with:
    ssh-private-key: ${{ secrets.CI_SSH_PRIVATE_KEY }}

- name: "Add GitHub to the SSH known hosts file"
  run: |
    for ip in $(dig @8.8.8.8 github.com +short); do \
      ssh-keyscan github.com,$ip; \
      ssh-keyscan $ip; \
    done 2>/dev/null >> ~/.ssh/known_hosts

There is one other change you need to make if you’re using Xcode directly, rather than Swift Package Manager, and that is to pass the -usePackageSupportBuiltinSCM flag to xcodebuild.

Once you’ve done this, you should be fine!

@tonyarnold I just want to thank you immensely.

Finding your post, and your comment in regards to the -usePackageSupportBuiltinSCM flag for xcodebuild finally resolved a huge headache with GitHub Actions.