
GitHub Action

maroontress/deploy-keys

v1.0.1 Latest version


Configure Git and SSH with the specified GitHub deploy keys to access other private repositories

Installation

Copy and paste the following snippet into your .yml file.

              

    - name: maroontress/deploy-keys
      uses: maroontress/deploy-keys@v1.0.1


Deploy Keys action

This action modifies the Git and SSH configuration with the specified GitHub deploy keys to access other private repositories on the GitHub-hosted Windows, Linux, and macOS runners.

Note that this action does not use ssh-agent.

Inputs

keys

Required. Deploy keys of other private repositories.

To create a deploy key available for this action, you need to embed the SSH URL of the repository into the key comment. For instance, if the SSH URL of the repository is git@github.com:foo/bar.git, you can create the deploy key using the following command: ssh-keygen … -C 'git@github.com:foo/bar.git'.

Example usage

    steps:
    - name: Setting up deploy keys
      uses: maroontress/deploy-keys@v1
      with:
        keys: |
          ${{ secrets.BAR_DEPLOY_KEY }}
          ${{ secrets.BAZ_DEPLOY_KEY }}
    - name: Clone the private repositories
      shell: bash
      run: |
        git clone --depth 1 git@github.com:foo/bar.git
        git clone --depth 1 git@github.com:foo/baz.git

Please use a full-length commit SHA instead of a tag like v1. For a more realistic example, see here.

How it works

This action assigns a unique fake hostname to each repository in the Git layer, converts the fake hostname to github.com in the SSH layer, and associates the fake host with the SSH key of the corresponding repository.

1. git config

This action modifies the ~/.gitconfig file by executing git config with url.<base>.insteadOf variables for each deploy key. After running this action, you can check the configuration with git config --global --list, which prints output like the following:

    url.git@fake0.github.com:foo/bar.insteadof=git@github.com:foo/bar
    url.git@fake1.github.com:foo/baz.insteadof=git@github.com:foo/baz

2. ~/.ssh/config and ~/.ssh/known_hosts

This action overwrites ~/.ssh/config. After running this action, the content of ~/.ssh/config will be as follows:

    Host fake0.github.com
      HostName github.com
      IdentityFile C:\Users\runneradmin\.ssh\fake0.github.com
      IdentitiesOnly yes

    Host fake1.github.com
      HostName github.com
      IdentityFile C:\Users\runneradmin\.ssh\fake1.github.com
      IdentitiesOnly yes

The path of IdentityFile will vary depending on the platform (the above example is on the Windows runner).

This action also creates ~/.ssh/known_hosts containing the SSH public key of github.com.

3. SSH private keys in ~/.ssh

This action creates ~/.ssh/fakeN.github.com (N = 0, 1, …) files to save the deploy keys (i.e., the SSH private keys). These files are referenced by the IdentityFile entries in ~/.ssh/config.
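The mapping described in steps 1 to 3, written out as an added example (this is not the action's own code). The function name `planDeployKeys`, its parameters, the strict URL pattern, and the sample directory `/home/runner/.ssh` are assumptions made for illustration; it only computes the settings and writes nothing to disk.

```javascript
// Added illustration: planDeployKeys is a hypothetical name, not the action's API.
// keyComments: the comment field of each deploy key (the repository's SSH URL).
// sshDir / sep: where the private key files live; both vary by platform.
function planDeployKeys(keyComments, sshDir, sep = '/') {
  // Accept only github.com SSH URLs. Whitespace and newlines never match, so a
  // crafted key comment cannot smuggle extra directives into ~/.ssh/config.
  const pattern = /^git@github\.com:([\w.-]+)\/([\w.-]+?)(?:\.git)?$/;
  const gitConfig = [];
  const sshBlocks = [];
  const seen = new Set();
  keyComments.forEach((comment, n) => {
    const m = pattern.exec(comment.trim());
    if (!m) {
      throw new Error(`key ${n}: comment is not a github.com SSH URL`);
    }
    const repo = `${m[1]}/${m[2]}`;
    if (seen.has(repo)) {
      throw new Error(`key ${n}: duplicate repository ${repo}`);
    }
    seen.add(repo);
    // One fake host per repository (assumed here to be numbered in input order).
    const fakeHost = `fake${n}.github.com`;
    // Git layer: rewrite the real URL to the fake host.
    gitConfig.push([`url.git@${fakeHost}:${repo}.insteadOf`, `git@github.com:${repo}`]);
    // SSH layer: map the fake host back to github.com and pin exactly one key.
    sshBlocks.push([
      `Host ${fakeHost}`,
      '  HostName github.com',
      `  IdentityFile ${sshDir}${sep}${fakeHost}`,
      '  IdentitiesOnly yes',
    ].join('\n'));
  });
  return { gitConfig, sshConfig: sshBlocks.join('\n\n') + '\n' };
}

// Constructed sample input: the two repositories used in the examples above.
const plan = planDeployKeys(
  ['git@github.com:foo/bar.git', 'git@github.com:foo/baz.git'],
  '/home/runner/.ssh');
for (const [key, value] of plan.gitConfig) {
  console.log(`git config --global ${key} ${value}`);
}
console.log(plan.sshConfig);
```

IdentitiesOnly yes is what keeps SSH from offering any other key for that host, so each clone authenticates with the one deploy key bound to its repository.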

Remarks

Don't use this action on the persistent self-hosted runners.

For serious use of this action, to mitigate the security risks, you should:

It is also advisable to audit the source code of this action before use.

Build

See Commit, tag, and push your action to GitHub — Creating a JavaScript action.

    sudo npm i -g @vercel/ncc
    ncc build index.js --license licenses.txt

Lint

    npx eslint index.js