I'm setting up a CD workflow via GitHub Actions, and tutorials like this suggest that I have to:

1. … `~/.ssh/authorized_keys` (or `~/.ssh/authorized_keys2`) and the private key to a GitHub secret to be used in the action (done; note that the private key can only be on GitHub as a secret, so access is safe)
2. … `~/.ssh/id_rsa`)
3. put the public key to GH as a deploy key

I wonder if I can modify 3.: can I store both the public and private key on GH, and pass the private key from a GH secret to bash to do the pull? This way, it'll be tighter security, quicker setup on a new server and even quicker migration/setup of multiple projects.
Haven't found anything on this yet, although I may search using wrong keywords...
Upvotes: 1
> Can I store both public and private key on GH

First, storing the private key alone would be enough: you can generate the public key from the private one.
Second, if you pass a private key, make sure your GH action removes it from the server once said action is completed.
That way, said private key is only used when needed, and does not remain on the server.
Since your GH Action has access through its own SSH key to the server, it can:

- … a `key2` file, as shown here
- `scp` that `key2` file to the server
- `ssh` the `rm key2` command to remove the file at the completion of the action: `ssh -i /path/to/private/key1 'rm /remote/path/to/key2'`

Upvotes: 1
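The pattern the answer describes (materialise the secret into a key file only while it is needed, then remove it unconditionally) as an added shell example; this is not code from the answer or from the linked tutorial. It assumes the private key arrives in an environment variable named `DEPLOY_KEY` (in a workflow step, `env: DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}`); the function name `with_ephemeral_key` and the `KEY_FILE` variable are this example's own, and the host, user and path in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not code from the answer or the linked tutorial.
# Run one command with a private key that exists on disk only for that command's
# lifetime: the key arrives in the DEPLOY_KEY environment variable (assumed name; in a
# workflow step set env: DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}), is written 0600 into
# a private temp directory, exposed to the command as $KEY_FILE, and removed afterwards
# whether the command succeeded or not.
set -eu

# with_ephemeral_key CMD [ARGS...]  -> exit status of CMD (2 if DEPLOY_KEY is missing)
with_ephemeral_key() {
  key_dir=""
  rc=0
  # Refuse to proceed with an empty secret instead of silently writing an empty key file.
  if [ -z "${DEPLOY_KEY:-}" ]; then
    echo "with_ephemeral_key: DEPLOY_KEY is not set or empty" >&2
    return 2
  fi
  # mktemp -d creates the directory 0700, so other local users cannot list or read it.
  key_dir="$(mktemp -d)"
  # The umask inside the subshell makes the key file 0600 from its first byte; ssh
  # rejects group/world-readable private keys anyway, so this also avoids a late failure.
  (umask 077 && printf '%s\n' "$DEPLOY_KEY" > "$key_dir/key")
  # Run the caller's command with the path in KEY_FILE; capture its status, never abort here.
  KEY_FILE="$key_dir/key" "$@" || rc=$?
  # Unconditional cleanup: nothing of the key stays on the runner after use.
  rm -rf "$key_dir"
  return "$rc"
}

# Example usage in a deploy step (host, user and path are placeholders):
#   with_ephemeral_key sh -c 'ssh -i "$KEY_FILE" deploy@example.invalid "cd /srv/app && git pull"'
```

Because the command is run through `sh -c '...'` with single quotes, `$KEY_FILE` is expanded inside the function's environment rather than by the calling shell, which is what lets the same helper wrap `ssh`, `scp` or `git` without the key path leaking into the job log.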