Please provide `ssh_known_hosts` for GH services in Actions

Dear GitHub,

would it be possible to set up Action worker nodes in a way that we already have the SSH Host Keys for GitHub services (repos, Gists) etc. available in either /etc/ssh/ssh_known_hosts or ~/.ssh/known_hosts?

That would make workflows somewhat more straightforward when we e.g. need to fetch dependencies.

Also, it would be more secure than having to run ssh-keyscan and just accept whatever keys we find. You should be in the best position to always provide the correct and up-to-date keys :wink:.



Neat idea.  I can see how this could help.  We’ll take a look.


Did this end up happening? I’m still finding that I have to run the following command from inside my workflows to use Swift Package Manager:

for ip in $(dig +short github.com); do ssh-keyscan github.com,$ip; ssh-keyscan $ip; done 2>/dev/null >> ~/.ssh/known_hosts

Hey @tonyarnold. Are you able to run Swift package tests with private dependencies? If so, can you please share your approach, since I can’t make it work? For some reason the GitHub runner does not use the package’s local .ssh folder and always fails to fetch dependencies. There is a related topic. Thanks!

I am able to check out private Swift packages:

- name: "Set up SSH agent"
  uses: webfactory/ssh-agent@v0.1.1
  with:
    ssh-private-key: ${{ secrets.CI_SSH_PRIVATE_KEY }}

- name: "Add GitHub to the SSH known hosts file"
  run: |
    for ip in $(dig +short github.com); do \
      ssh-keyscan github.com,$ip; \
      ssh-keyscan $ip; \
    done 2>/dev/null >> ~/.ssh/known_hosts

There is one other change you need to make if you’re using Xcode directly, rather than Swift Package Manager, and that is to pass the -usePackageSupportBuiltinSCM flag to xcodebuild.

Once you’ve done this, you should be fine!
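The opening post's concern, that `ssh-keyscan` output is accepted without checking it, can be addressed by comparing each scanned key against fingerprints pinned out of band before anything is written to `known_hosts`. This is an added example, not code from any poster in this thread; the function names and sample keys are hypothetical and constructed, and the pinned fingerprints are assumed to come from the provider's published documentation.

```python
import base64
import hashlib
import sys


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def filter_known_hosts(scan_output, pinned):
    """Split ssh-keyscan output into (accepted, rejected) known_hosts lines.

    pinned: set of fingerprints obtained out of band (assumption: copied
    from the provider's documentation, not from the scan itself).
    """
    accepted, rejected = [], []
    for line in scan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # ssh-keyscan banner comments start with '#'
        fields = line.split()
        try:
            ok = len(fields) >= 3 and fingerprint(fields[2]) in pinned
        except ValueError:
            ok = False  # key field is not valid base64
        (accepted if ok else rejected).append(line)
    return accepted, rejected


# Constructed sample data: these are not real host keys.
SAMPLE_GOOD = base64.b64encode(b"constructed-pinned-key").decode()
SAMPLE_BAD = base64.b64encode(b"constructed-unexpected-key").decode()
SAMPLE_SCAN = "\n".join([
    "# github.com:22 SSH-2.0-constructed",
    f"github.com ssh-ed25519 {SAMPLE_GOOD}",
    f"github.com ssh-ed25519 {SAMPLE_BAD}",
    "github.com ssh-rsa not*base64",
])

if __name__ == "__main__":
    # Usage: ssh-keyscan HOST | python this_file.py FINGERPRINT...
    good, bad = filter_known_hosts(sys.stdin.read(), set(sys.argv[1:]))
    print("\n".join(good))
    sys.exit(1 if bad or not good else 0)
```

In a workflow the script sits between `ssh-keyscan` and the `>> ~/.ssh/known_hosts` redirect, and its non-zero exit status fails the step when any scanned key does not match a pinned fingerprint.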


@tonyarnold I just want to thank you immensely.

Finding your post, and your comment in regards to the -usePackageSupportBuiltinSCM flag for xcodebuild finally resolved a huge headache with GitHub Actions.


I managed to fix this issue by using ssh for all my private packages and also adding the following to my GitHub action workflow file:

  1. -usePackageSupportBuiltinSCM flag to Xcode build step
  2. adding a run step to add the above SSH key prior to running Xcode build.

- name: Add CI SSH Key
  run: ssh-add - <<< "${{ secrets.CI_SSH_KEY }}"

@tonyarnold I’m using fastlane, do you know how to pass -usePackageSupportBuiltinSCM to build_app?

Currently, I have tried and failed :smiley: