Github Actions: xcodebuild fails due to server fingerprint

Question

I am trying to build a macOS app with Github Actions. This already worked very well, until I migrated my dependencies to Swift Package Manager. Now I am getting the following error while building my app:

xcodebuild: error: Could not resolve package dependencies: The server SSH fingerprint failed to verify.

I have a private GitHub repository as a dependeny in my application added as a Swift Package using a ssh location. Therefore I need to add my ssh key for the dependency in the Set up ssh-agent step. Manually cloning the repository in a step using git clone is working fine but I need to get it work with xcodebuild in order to successfully build my app.

Workflow file

name: Main
on:
  push:
    tags:
      - 'v*.*.*'

jobs:
  build:
    name: Release
    runs-on: macOS-latest
    steps:
      - name: Checkout
        uses: actions/checkout@master
        with:
          fetch-depth: 1
      - name: Set up ssh-agent
        uses: yakuhzi/action-ssh-agent@v1
        with:
          public: ${{ secrets.SSH_PUBLIC_KEY }}
          private: ${{ secrets.SSH_PRIVATE_KEY }}
      - name: Build application
        run: |
          sudo xcode-select -switch /Applications/Xcode_11.app
          xcodebuild -project Application.xcodeproj -scheme Application -configuration Release -derivedDataPath $HOME/Application build

Answer 1

In Xcode 13 it is easy - you simply click on the error and an alert appears asking do you trust the server

Answer 2

If you're looking for something specific to GitHub actions, I updated the answer by @rob-caraway to match GitHub's syntax. I found the following step, inserted before attempting to build works for me:

    - name: Trust the GitHub SSH keys
      run: |
        for ip in $(dig @8.8.8.8 github.com +short); do ssh-keyscan github.com,$ip; ssh-keyscan $ip; done 2>/dev/null >> ~/.ssh/known_hosts

Answer 3

For CircleCI:

Adding onto Yakuhzi's answer, here's what the step looks like in Circle Ci's yaml file:

- run:
    name: Enable SSH
    command: |
       for ip in $(dig @8.8.8.8 github.com +short); do ssh-keyscan github.com,$ip; ssh-keyscan $ip; done 2>/dev/null >> ~/.ssh/known_hosts

Answer 4

try adding a Github Token as secret and use it in the checkout step:

build:
    runs-on: macOS-latest
    steps:
    - uses: actions/checkout@v2.3.3
      with: 
        token:  ${{ secrets.YOUR_CI_ACCOUNT_TOKEN }}

or add your SSH private key as secret and use it:

build:
    runs-on: macOS-latest
    steps:
    - uses: actions/checkout@v2.3.3
      with: 
        ssh-key:  ${{ secrets.YOUR_CI_ACCOUNT_SSH_KEY }}

Answer 5

TS asked for a problem with dependency on private repository, but just in case there're some people who ran into this problem for a public repository dependency, make sure that you're using HTTPS instead of SSH for that dependency repository address.

Example:

https://github.com/Alamofire/Alamofire.git

instead of

git@github.com:Alamofire/Alamofire.git

Answer 6

Open the project on the machine that does the building. Go to the Workspace logs. Double click on the red log entry that says the package failed to validate. Now you get a window that asks you to trust the host. Trust it, and you're good to go.

Edit: I was wrong. While it does trust the host and you can open & run the project on the CI machine, the CI process still fails...

Answer 7

Finally I figured it out. It seems like its a known issue in Xcode 11 (https://developer.apple.com/documentation/xcode_release_notes/xcode_11_release_notes).

Thanks to Dosium in this post (https://discuss.bitrise.io/t/xcode-11-resolving-packages-fails-with-ssh-fingerprint/10388), I was able to get it work.

The solution is to run the following command before running xcodebuild: for ip in $(dig @8.8.8.8 github.com +short); do ssh-keyscan github.com,$ip; ssh-keyscan $ip; done 2>/dev/null >> ~/.ssh/known_hosts