- Ignore Node files that should not be tracked. The list can be fetched by `gibo dump node`.
- Untrack node_modules/@actions
- Cache node_modules
- Don't add node_modules in Bash scripts
- Use ncc to pack dependencies
- Change final product path. Remove & ignore previous one (lib/main.js{,.map})
- Disable PR check using author's key. Author's key is not passed to PR builds (#164)
- update settings
- update CHANGELOG
- update build.yml

Co-authored-by: Tatsunori Uchino <tats.u@live.jp>
Install SSH Key
This action installs an SSH key in ~/.ssh. Useful for SCP, SFTP, and rsync over SSH in deployment scripts.
Works on all virtual environments -- Windows Server 2019, macOS Catalina, Ubuntu 20.04, Ubuntu 18.04, and Ubuntu 16.04.
Usage
Add your SSH key to your product secrets by clicking Settings - Secrets - Add a new secret beforehand.
NOTE: OPENSSH format (key begins with -----BEGIN OPENSSH PRIVATE KEY-----) may not work due to the OpenSSH version on the VM. Please use PEM format (begins with -----BEGIN RSA PRIVATE KEY-----) instead. To convert your key to PEM format in place, simply use ssh-keygen -p -m PEM -f ~/.ssh/id_rsa.
```yaml
runs-on: ubuntu-latest
steps:
- name: Install SSH key
  uses: shimataro/ssh-key-action@v2
  with:
    key: ${{ secrets.SSH_KEY }}
    name: id_rsa # optional
    known_hosts: ${{ secrets.KNOWN_HOSTS }}
    config: ${{ secrets.CONFIG }} # ssh_config; optional
- name: rsync over ssh
  run: rsync ./foo/ user@remote:bar/
```
See Workflow syntax for GitHub Actions for details.
Install multiple keys
If you want to install multiple keys, call this action multiple times. It is useful for port forwarding.
NOTE: When this action is called multiple times, the contents of known_hosts and config will be appended. Each key must be saved under a different name, by using the name option.
```yaml
runs-on: ubuntu-latest
steps:
- name: Install SSH key of bastion
  uses: shimataro/ssh-key-action@v2
  with:
    key: ${{ secrets.SSH_KEY_OF_BASTION }}
    name: id_rsa-bastion
    known_hosts: ${{ secrets.KNOWN_HOSTS_OF_BASTION }}
    config: |
      Host bastion
        HostName xxx.xxx.xxx.xxx
        User user-of-bastion
        IdentityFile ~/.ssh/id_rsa-bastion
- name: Install SSH key of target
  uses: shimataro/ssh-key-action@v2
  with:
    key: ${{ secrets.SSH_KEY_OF_TARGET }}
    name: id_rsa-target
    known_hosts: ${{ secrets.KNOWN_HOSTS_OF_TARGET }} # will be appended to existing .ssh/known_hosts
    config: | # will be appended to existing .ssh/config
      Host target
        HostName yyy.yyy.yyy.yyy
        User user-of-target
        IdentityFile ~/.ssh/id_rsa-target
        ProxyCommand ssh -W %h:%p bastion
- name: SCP via port-forwarding
  run: scp ./foo/ target:bar/
```
Q&A
SSH failed even though key has been installed.
Check below:
- Load key "/HOME/.ssh/id_rsa": invalid format
  - OPENSSH format (key begins with -----BEGIN OPENSSH PRIVATE KEY-----) may not work.
  - Use PEM format (begins with -----BEGIN RSA PRIVATE KEY-----). Convert it from OPENSSH format using ssh-keygen -p -m PEM -f ~/.ssh/id_rsa
- Host key verification failed.
  - Set known_hosts parameter correctly (use ssh-keyscan command).
How do I use encrypted SSH key?
This action doesn't support encrypted keys directly. Here are some solutions:
- decrypting the key beforehand: best bet, and works on any VM
- sshpass command: next best bet, but not supported on Windows
- expect command: be careful not to expose the passphrase to the console
- SSH_ASKPASS environment variable: might be troublesome
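A preflight check for the failure modes in the two questions above (a key in OPENSSH format, a passphrase-protected PEM key this action cannot use, and an empty or malformed known_hosts), written as an added example rather than code from this action. The sample key files hold only headers and placeholder lines, and the hostnames in the constructed known_hosts are made up.

```shell
# Print the private key's format: openssh, pem, pem-encrypted or unknown.
# "openssh" is the case the NOTE above warns about; convert such a key with
#   ssh-keygen -p -m PEM -f <keyfile>
key_format() {
  case "$(head -n 1 "$1")" in
    '-----BEGIN OPENSSH PRIVATE KEY-----') echo openssh ;;
    '-----BEGIN RSA PRIVATE KEY-----')
      # Legacy PEM records passphrase protection in a Proc-Type header;
      # this action does not support encrypted keys, so flag it separately.
      if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo pem-encrypted; else echo pem; fi ;;
    *) echo unknown ;;
  esac
}

# Print the number of usable known_hosts lines ("host keytype base64", as
# emitted by ssh-keyscan). Comments, blank and truncated lines are ignored;
# 0 means every host key check will fail, which is what an unset secret produces.
known_hosts_entries() {
  awk '!/^[[:space:]]*#/ && NF >= 3 &&
       $2 ~ /^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/ { n++ }
       END { print n + 0 }' "$1"
}

# Constructed sample inputs: headers and placeholders only, no real key material.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'placeholder' \
  '-----END OPENSSH PRIVATE KEY-----' > "$SAMPLE_DIR/id_openssh"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
  'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' 'placeholder' \
  '-----END RSA PRIVATE KEY-----' > "$SAMPLE_DIR/id_encrypted"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder' \
  '-----END RSA PRIVATE KEY-----' > "$SAMPLE_DIR/id_pem"
printf '%s\n' '# constructed ssh-keyscan output' \
  'bastion.example ssh-ed25519 AAAAC3placeholder' \
  'target.example ecdsa-sha2-nistp256 AAAAE2placeholder' \
  'broken-line-without-key' '' > "$SAMPLE_DIR/known_hosts"
: > "$SAMPLE_DIR/known_hosts.empty"   # what an unset KNOWN_HOSTS secret looks like

for k in id_openssh id_encrypted id_pem; do
  echo "$k: $(key_format "$SAMPLE_DIR/$k")"
done
echo "known_hosts entries: $(known_hosts_entries "$SAMPLE_DIR/known_hosts")"
echo "empty known_hosts entries: $(known_hosts_entries "$SAMPLE_DIR/known_hosts.empty")"
```

In a workflow, run the two functions against the files written from your secrets and fail the job when the key is not "pem" or the entry count is 0, so the problem surfaces before the first ssh connection.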
Which one is the best way for transferring files, "direct SCP/SFTP/rsync" or "SCP/SFTP/rsync via bastion"?
I recommend rsync via bastion.
rsync -e "ssh bastion ssh" ./foo/ target:bar/
It has some advantages over other methods:
- "Rsync via bastion" doesn't require updating workflow files and secrets even if it is necessary to transfer files to multiple servers.
  - Other methods require updating known_hosts if servers have changed.
- Rsync:
  - is fastest of all.
  - does NOT break files even if disconnected during transferring.
  - can remove files that don't exist on server.
- SCP is deprecated by OpenSSH due to its outdated and inflexible protocol.
- Using bastion is more secure because:
  - it is not necessary to expose the SSH port on servers to the public.
    - Address filtering is less effective.
      - Because the Azure address range is very wide.
      - And will be updated continuously.
  - if a security incident ―e.g., private key leaked― occurs, it's OK just to remove authorized_keys on bastion.
License
The scripts and documentation in this project are released under the MIT License.
Changelog
See CHANGELOG.md.