Reputation: 772
Let's say I want to set up my deploy process using GitHub Actions and a pull strategy.
So I have an Ubuntu server; I copy the server's public SSH key, add it to my GitHub account, and then I can clone from the Ubuntu server, build and run the app.
That is great, but I feel there is a small trap here.
Keys are added to the account, not to the repo.
What happens if I leave the organization that owns the repository?
The server will lose the ability to do proper CI, right?
The organization owner could create an account that holds the SSH keys and will never leave the organization, but what if repository ownership is transferred?
I probably miss something here, but why not allow adding keys directly to the repository, not to a user account?
Or is this option there and I missed it somehow?
Upvotes: 4
Views: 9280
Reputation: 1323793
Keys are added to account, not to the repository.
That is why you have deploy keys, per repository.
A GitHub Action like webfactory/ssh-agent, for instance, does have support for deploy keys.
To support picking the right key in this use case, this action scans key comments and will set up extra Git and SSH configuration to make things work.
- When creating the deploy key for a repository like git@github.com:owner/repo.git or https://github.com/owner/repo, put that URL into the key comment. (Hint: Try ssh-keygen ... -C "git@github.com:owner/repo.git".)
- After keys have been added to the agent, this action will scan the key comments.
- For key comments containing such URLs, a Git config setting is written that uses url.<base>.insteadOf. It will redirect git requests to URLs starting with either https://github.com/owner/repo or git@github.com:owner/repo to a fake hostname/URL like git@key-1234...:owner/repo.
- An SSH configuration section is generated that applies to the fake hostname. It will map the SSH connection back to github.com, while at the same time pointing SSH to a file containing the appropriate key's public part. That will make SSH use the right key when connecting to GitHub.com.
You then get a GitHub Actions configuration like this example:
    name: Deploy
    on:
      push:
        tags:
          - 'GA*'
    # ...
        - name: Install SSH Client 🔑
          uses: webfactory/ssh-agent@<version>   # pin to a release tag
          with:
            ssh-private-key: ${{ secrets.DEPLOY_KEY }}
        - name: Deploy 🚀
          uses: JamesIves/github-pages-deploy-action@<version>   # pin to a release tag
          with:
            BASE_BRANCH: master
            BRANCH: gh-pages
            CLEAN: true
            FOLDER: .
            SSH: true
    # ...
From the command line, since GitHub CLI gh 2.5.0 (Feb. 2022), there is gh repo deploy-key:
    gh repo deploy-key add <key-file> [flags]

    # generate a passwordless SSH key and add it as a deploy key to a repository
    $ ssh-keygen -t ed25519 -C "my description" -N "" -f ~/.ssh/gh-test
    $ gh repo deploy-key add ~/.ssh/gh-test.pub
See issue 4242 for context.
Upvotes: 6
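The mechanism the answer's list describes (repository URL in the key comment, a url.<base>.insteadOf rewrite, and an SSH Host alias pinned to one key file), as an added POSIX sh example that is not part of the answer or of the webfactory/ssh-agent project; the key-<owner>-<repo> hostname scheme and the sample public key line are constructed for illustration.

```shell
# Added example, not code from the answer or from webfactory/ssh-agent: it
# reproduces the mapping the answer describes, from a deploy key whose comment
# is the repository URL to the Git insteadOf rewrite and the SSH Host block.

# Extract "owner/repo" from a key comment in either supported URL form;
# returns 1 (prints nothing) when the comment is not a GitHub repo URL.
repo_from_comment() {
    comment=$1
    case $comment in
        git@github.com:*)     path=${comment#git@github.com:} ;;
        https://github.com/*) path=${comment#https://github.com/} ;;
        *) return 1 ;;
    esac
    path=${path%.git}; path=${path%/}
    case $path in */*) printf '%s\n' "$path" ;; *) return 1 ;; esac
}

# Stable fake hostname per repository (constructed scheme; the action uses
# its own naming) so keys for several repos can coexist in one ssh_config.
fake_host_for() { printf 'key-%s\n' "$(printf '%s' "$1" | tr '/' '-')"; }

# Git side: rewrite both spellings of the repo URL to the fake host.
# Caveat: insteadOf matches by prefix, so a rule for owner/repo also catches
# owner/repo-docs unless that repo gets its own, longer rule.
git_insteadof_commands() {
    repo=$1; host=$2
    for orig in "https://github.com/$repo" "git@github.com:$repo"; do
        printf 'git config --global --add url."git@%s:%s".insteadOf "%s"\n' \
            "$host" "$repo" "$orig"
    done
}

# SSH side: the fake host resolves back to github.com but is pinned to one
# identity file; IdentitiesOnly stops ssh from offering the agent's other keys.
ssh_host_block() {
    printf 'Host %s\n  HostName github.com\n  User git\n' "$1"
    printf '  IdentityFile %s\n  IdentitiesOnly yes\n' "$2"
}

# Constructed sample public key line; only the trailing comment matters here.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINotARealKey0000000000000000000000000 git@github.com:owner/repo.git'
render_for_key() {                 # $1 = public key line, $2 = private key path
    comment=${1#* * }              # drop key type and base64 blob
    repo=$(repo_from_comment "$comment") || return 1
    host=$(fake_host_for "$repo")
    git_insteadof_commands "$repo" "$host"
    ssh_host_block "$host" "$2"
}
render_for_key "$SAMPLE_KEY" "$HOME/.ssh/deploy_owner_repo"
```

Running it prints the two git config commands and the ssh_config stanza for the sample key; a key whose comment is plain text (like "my description" in the gh example above) is skipped, which is exactly why the README tells you to put the repository URL in the comment.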