Copilot Lvl 3
Message 1 of 8

Github Actions: CI - how to use/store deploy key to download from another private repo?

After a full evening of looking at this ... it's time to ask the stupid questions ;)


I've an (elixir) project which uses a library in another repo. I've created a deploy token for that repo which I've added as a secret to the consuming application. I'm reasonably certain the below _should_ work:


- name: Install Deps
  env:
    DEPLOY_KEY: ${{ secrets.deploy_key }}
  run: |
    eval "$(ssh-agent -s)"
    echo "$DEPLOY_KEY" | tr -d '\r' | ssh-add -
    mix deps.get

The dep in question is using the following for the git url: "git@github.com:os6sense/barbaz.git", which works fine locally.


However I'm getting `Host key verification failed.`, and when I check the length of the secret, it's only 51 characters.


I assume that I can't pass a deploy key in via secrets, I'd prefer not to use an access token, and I can't find any documentation to help (it might be there, hard to find atm).


Has anyone any suggestion of how to make things work with a deploy key?

7 Replies
Copilot Lvl 3
Message 2 of 8

Re: Github Actions: CI - how to use/store deploy key to download from another private repo?

Still not solved this, although it was immediately obvious after sleep that using the ENV to store this was probably a part of the issue. I'm still having issues when, in order to debug the issue, I store the deploy key along with the repo, so I'm assuming it's something in how I'm attempting to use ssh-agent/ssh-add. Documentation would be nice for this :grin:

Copilot Lvl 2
Message 3 of 8

Re: Github Actions: CI - how to use/store deploy key to download from another private repo?

I got this to work using an envvar and a here string:


- name: Clone a remote repo
  env:
    DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
    GIT_SSH_COMMAND: "ssh -o StrictHostKeyChecking=no"
  run: |
    eval "$(ssh-agent -s)"
    ssh-add - <<< "${DEPLOY_KEY}"
    git clone git@github.com:org/repo.git


I think there are two things at work here: first, host checking is on for SSH by default; second, using echo or printf with the secret will only output the scrubbed value (I'm not sure about that, but I tested a few things that suggest it).


Mainly you need to disable SSH host checking with the GIT_SSH_COMMAND envvar, or any other method.

Pilot Lvl 1
Message 4 of 8

Re: Github Actions: CI - how to use/store deploy key to download from another private repo?

Copilot Lvl 2
Message 5 of 8

Re: Github Actions: CI - how to use/store deploy key to download from another private repo?

@mpdude I probably just don't understand ssh, but why does your solution require a private key?


Never mind, I figured it out. For the ignorant (like myself) the agent needs a private key to do Diffie–Hellman key exchange (the colored buckets are quite illustrative). Since the GitHub CI agent is attempting to authenticate against a remote private repository, it needs the private and public keys - private from the DEPLOY_KEY variable and the public key presumably from your github account - to do the key comparison.


Would love to have a better understanding of it, so if I'm wrong anywhere please let me know.

Pilot Lvl 1
Message 6 of 8

Re: Github Actions: CI - how to use/store deploy key to download from another private repo?

Copilot Lvl 2
Message 7 of 8

Re: Github Actions: CI - how to use/store deploy key to download from another private repo?

This is what worked for me:

- run: |
    mkdir -p ~/.ssh
    echo "${{ secrets.SECRET_PRIVATE_DEPLOY_KEY }}" > ~/.ssh/id_rsa
    chmod 600 ~/.ssh/id_rsa


Additionally you can add the domain name from which you are pulling the repository to known_hosts:

ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts
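A hardened version of the file-based step above, which also covers the earlier reply that reached for `StrictHostKeyChecking=no`. This is an added example, not code from the thread or from GitHub. It assumes the private key arrives in `DEPLOY_KEY` (possibly with CRLF endings, as the `tr -d '\r'` in the first post anticipated), uses a scratch directory in place of `~/.ssh` so it runs anywhere, and takes a known_hosts line that in a real job you would obtain from `ssh-keyscan github.com` and compare against GitHub's published SSH key fingerprints before trusting it; the line used here is a constructed fake, not GitHub's real host key. Host verification stays on via a pinned `UserKnownHostsFile`, the key file gets 0600 permissions, and the secret's value is never echoed to the job log, only its well-formedness and size are checked (the 51-byte symptom from the first post would fail that check).

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: DEPLOY_KEY holds the
# private key (one secret, possibly with CRLF line endings), SSH_DIR is a
# scratch directory standing in for ~/.ssh, and the known_hosts line passed
# to pin_host_key has been checked against GitHub's published fingerprints.
set -eu

SSH_DIR="${SSH_DIR:-$(mktemp -d)}"

# Write the key to a 0600 file, stripping CRs. The secret is never echoed
# to the job log; only the resulting file path is printed.
write_deploy_key() {
    key_file="$SSH_DIR/deploy_key"
    mkdir -p "$SSH_DIR"
    chmod 700 "$SSH_DIR"
    (umask 077; printf '%s\n' "$DEPLOY_KEY" | tr -d '\r' > "$key_file")
    chmod 600 "$key_file"
    printf '%s\n' "$key_file"
}

# Check the written key without revealing it: PEM armor on the first and
# last line, and a size well above the 51 bytes seen in the first post.
# Prints "ok" on success, returns 1 otherwise.
check_deploy_key() {
    key_file="$1"
    head -n 1 "$key_file" | grep -q '^-----BEGIN .*PRIVATE KEY-----$' || return 1
    tail -n 1 "$key_file" | grep -q '^-----END .*PRIVATE KEY-----$' || return 1
    [ "$(wc -c < "$key_file" | tr -d ' ')" -gt 100 ] || return 1
    echo ok
}

# Pin the host key: append a verified known_hosts line to our own file
# instead of turning host checking off with StrictHostKeyChecking=no.
pin_host_key() {
    known_hosts="$SSH_DIR/known_hosts"
    printf '%s\n' "$1" >> "$known_hosts"
    chmod 600 "$known_hosts"
    printf '%s\n' "$known_hosts"
}

# The GIT_SSH_COMMAND that makes git use exactly this key and this
# known_hosts file, with strict host checking left on.
git_ssh_command() {
    printf 'ssh -i %s -o IdentitiesOnly=yes -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes\n' "$1" "$2"
}

# Constructed demo input: NOT a real private key and NOT GitHub's real
# host key. Only used when DEPLOY_KEY is not already set by the job.
FAKE_BODY='AAAAB3NzaC1yc2EAAAADAQABAAAAgQDfakeFAKEfakeFAKEfakeFAKEfakeFAKE0000000000000000000000000000000000000000000000000000000000000000'
DEPLOY_KEY="${DEPLOY_KEY:-$(printf '%s\r\n%s\r\n%s' '-----BEGIN OPENSSH PRIVATE KEY-----' "$FAKE_BODY" '-----END OPENSSH PRIVATE KEY-----')}"
FAKE_HOST_LINE='github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE'

# Stand-alone run: write, check, pin, and print the command git should use.
KEY_FILE="$(write_deploy_key)"
check_deploy_key "$KEY_FILE" >/dev/null
KNOWN_HOSTS="$(pin_host_key "$FAKE_HOST_LINE")"
echo "GIT_SSH_COMMAND=$(git_ssh_command "$KEY_FILE" "$KNOWN_HOSTS")"
```

In a workflow, the script body would sit under a `run:` step with `DEPLOY_KEY` supplied through `env:` from a secret, and the printed `GIT_SSH_COMMAND` exported for the later `git clone` or `mix deps.get` step. The `IdentitiesOnly=yes` option stops ssh from offering every key an agent happens to hold, so the clone uses the deploy key and nothing else.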


Ground Controller Lvl 1
Message 8 of 8

Re: Github Actions: CI - how to use/store deploy key to download from another private repo?

Thanks @martinsbalodis, your solution finally solved it. Ignoring the dedicated "env:" section solves it - classic somehow :)