ci(release): drop broken SSH deploy key, use GITHUB_TOKEN #120

Merged
antosubash merged 1 commit into main from feature/jovial-khorana-8bb247
Apr 23, 2026
@antosubash
Owner

Summary

  • Remove `ssh-key: ${{ secrets.DEPLOY_KEY }}` from the release workflow's checkout step and rely on `GITHUB_TOKEN` via `persist-credentials: true`.

Why

Every run of release.yml currently fails at the very first step:

Load key "...": error in libcrypto
git@github.com: Permission denied (publickey).

The `DEPLOY_KEY` secret is no longer a parseable OpenSSH private key (likely CRLF corruption or a stale value), so `actions/checkout@v6` can't authenticate over SSH.

The job already declares `permissions: contents: write`, which grants the default `GITHUB_TOKEN` enough authority to push the version bump commit and tag back to `main`. Dropping the SSH input unblocks the workflow without adding new secrets.

Reviewer notes / caveats

  • If `main` has a branch protection rule that forbids `github-actions[bot]` pushes, the `git push origin main` step will 403 and we'll need to switch back to a deploy-key (or PAT) flow — regenerating the secret with correct line endings.
  • `GITHUB_TOKEN`-driven pushes do not trigger other workflows. If any downstream workflow is expected to fire on the release commit, that will need a separate mechanism (e.g. `workflow_dispatch` via `gh workflow run`).

Test plan

  • Run the `release` workflow with `bump: patch` and confirm checkout, version bump, push, tag, and GitHub Release creation all succeed.
  • Verify the `publish-nuget` and follow-up jobs still run off the newly created tag.

The checkout step passed ssh-key: ${{ secrets.DEPLOY_KEY }}, but the
secret's contents are no longer a valid OpenSSH private key, causing
every release run to fail at checkout with "error in libcrypto" and
"Permission denied (publickey)".

The job already declares contents: write, so GITHUB_TOKEN has the
permission it needs to push the version bump and tag. Remove the
ssh-key input and rely on persist-credentials so the default token
handles the push.
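
Added example, not part of the PR or the project's code: a pre-flight check for the failure described above, where a stored deploy key stops parsing after CRLF corruption or a stale value. The function names, result labels and sample files are constructed for illustration, and GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example, not the project's code. Assumes GNU coreutils (base64 -d, head -c).
# diagnose_key FILE prints one label: crlf, no-header, no-footer, bad-base64,
# not-openssh, or ok. "ok" covers the armor and container magic only;
# `ssh-keygen -y -f FILE` remains the authoritative parse check.
BEGIN='-----BEGIN OPENSSH PRIVATE KEY-----'
END='-----END OPENSSH PRIVATE KEY-----'

diagnose_key() {
    f=$1
    # Any carriage return means the value was saved or pasted with CRLF endings.
    if ! tr -d '\r' <"$f" | cmp -s - "$f"; then echo crlf; return 0; fi
    # Ignore blank padding lines, then check the armor lines.
    lines=$(grep -v '^[[:space:]]*$' "$f" || true)
    [ "$(printf '%s\n' "$lines" | head -n 1)" = "$BEGIN" ] || { echo no-header; return 0; }
    [ "$(printf '%s\n' "$lines" | tail -n 1)" = "$END" ] || { echo no-footer; return 0; }
    # The body between the armor lines must be valid base64 ...
    body=$(printf '%s\n' "$lines" | sed '1d;$d')
    if ! printf '%s\n' "$body" | base64 -d >/dev/null 2>&1; then
        echo bad-base64; return 0
    fi
    # ... and must decode to the openssh-key-v1 container (a stale or
    # unrelated value fails here).
    magic=$(printf '%s\n' "$body" | base64 -d 2>/dev/null | head -c 14)
    [ "$magic" = "openssh-key-v1" ] || { echo not-openssh; return 0; }
    echo ok
}

# Constructed samples: filler bytes behind the real magic, never key material.
make_samples() {
    d=$1
    {
        printf '%s\n' "$BEGIN"
        printf 'openssh-key-v1\000constructed filler, not a key' | base64
        printf '%s\n' "$END"
    } >"$d/ok"
    awk '{ printf "%s\r\n", $0 }' "$d/ok" >"$d/crlf"   # same value with CRLF
    sed '2s/^/!!/' "$d/ok" >"$d/bad"                   # corrupted body
    {
        printf '%s\n' "$BEGIN"
        printf 'stale value' | base64
        printf '%s\n' "$END"
    } >"$d/stale"                                      # decodes, wrong content
}
```

Run `diagnose_key` on the private key file before storing it as the secret; a `crlf` result corresponds to the line-ending cause suggested in the PR description.
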
@cloudflare-workers-and-pages

Deploying simplemodule-website with Cloudflare Pages

Latest commit: dbffe28
Status: ✅  Deploy successful!
Preview URL: https://d9c73fb5.simplemodule-website.pages.dev
Branch Preview URL: https://feature-jovial-khorana-8bb24.simplemodule-website.pages.dev

@antosubash antosubash merged commit 490ca61 into main Apr 23, 2026
5 checks passed
@antosubash antosubash deleted the feature/jovial-khorana-8bb247 branch April 23, 2026 15:12
antosubash added a commit that referenced this pull request Apr 23, 2026