A GitHub Action that enables the use of one or more deploy keys in order to access other private repositories. This action is based on webfactory/ssh-agent but has been modified to just handle deploy keys.
This modified action will take care of:
- Starting the ssh-agent
- Adding the provided keys to the agent
- Adding an alias entry in the ssh config for each deploy key provided. The entry specifies which deploy key should be used for each host.
- Adding
insteadOfrules in the git config. These rules will rewrite git urls it encounters for the provided org/repo and point to the applicable alias entry that was added to the ssh config. This will ensure it uses the right deploy key when interacting with different private repositories.
These entries and insteadOf rules are necessary when using multiple deploy keys because of the way GitHub handles requests. From webfactory/ssh-agent:
When using Github deploy keys, GitHub servers will accept the first known key. But since deploy keys are scoped to a single repository, this might not be the key needed to access a particular repository. Thus, you will get the error message fatal: "Could not read from remote repository. Please make sure you have the correct access rights and the repository exists" if the wrong key/repository combination is tried.
More details on context, usage, troubleshooting or known issues and limitations can be found on the original repository webfactory/ssh-agent.
| Parameter | Is Required | Description |
|---|---|---|
deploy-key-info |
true | An array of deploy key info objects that contain the org/repo that the deploy key is intended for as well as the name of the environment variable that contains the private key's value. |
This action has two outputs which can be used by the workflows but are generally reserved for testing.
| Output | Description |
|---|---|
validation-error |
A string with a short description of a validation error that occurred. Generally used for testing but can be used programmatically to detect which types of validation errors the action is encountering. |
key-filename |
The name of the file where the key was written to disk. Generally used for testing because the output only reflects the last key that was processed. |
The validation-error output will only contain one validation error at a time. If multiple keys or multiple error conditions exist, this output cannot reliably indicate those conditions. The output was designed to be used for testing specific error conditions and may not be suitable for regular production use.
-
argument-parsing- This occurs when there is an error JSON parsing thedeploy-key-infoargument. It should be a string containing a parseable JSON array of objects that contain two arguments:[ # orgAndRepo should contain the organization/repository that the deploy key is being setup for. # envName is the name of an environment variable that contains the private key for accessing # the orgAndRepo. It is not the value of the actual environment variable. { orgAndRepo: 'im-open/repo-1', envName: 'NAME_OF_ENV_WITH_PRIVATE_KEY_1'}, { orgAndRepo: 'im-open/repo-2', envName: 'NAME_OF_ENV_WITH_PRIVATE_KEY_2'} ]
-
empty-keys- Thedeploy-key-infoargument was an empty array. -
missing-orgAndRepo- One of the provided deploy keys is missing theorgAndRepoargument. -
missing-envName- One of the provided deploy keys is missing theenvNameargument. -
unpopulated-env-var- One of the environment variables provided as anenvNamehas not been populated.
name: Map project versions
on: workflow_dispatch
env:
# These ENV variables contain the value of the private key
# They can be set at the workflow, job or step level
SSH_KEY_CENTRAL_LOGGING: ${{secrets.SSH_CENTRAL_LOGGING}}
SSH_KEY_STORAGE_ACCOUNT: ${{secrets.SSH_STORAGE_ACCOUNT}}
SSH_KEY_ON_PREM_EGRESS: ${{secrets.SSH_ON_PREM_EGRESS}}
jobs:
deploy-terraform:
runs-on: ubuntu-20.04
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Setup deploy keys for use with Terraform
# You may also reference just the major or major.minor version
uses: im-open/setup-deploy-keys@v1.2.0
with:
deploy-key-info: |
[
{ "orgAndRepo": "im-platform/central-logging", "envName" : "SSH_KEY_CENTRAL_LOGGING" },
{ "orgAndRepo": "im-platform/storage-account-network-rules", "envName" : "SSH_KEY_STORAGE_ACCOUNT" },
{ "orgAndRepo": "im-platform/on-prem-egress-ips", "envName" : "SSH_KEY_ON_PREM_EGRESS" }
]
- name: Setup Terraform
id: setup
uses: hashicorp/setup-terraform@v1.2.1
with:
terraform_version: ~>0.15.0
- name: Terraform Init
id: init
run: terraform initWhen creating PRs, please review the following guidelines:
- The action code does not contain sensitive information.
- At least one of the commit messages contains the appropriate
+semver:keywords listed under Incrementing the Version for major and minor increments. - The action has been recompiled. See Recompiling Manually for details.
- The README.md has been updated with the latest version of the action. See Updating the README.md for details.
- Any tests in the build-and-review-pr workflow are passing
This repo uses git-version-lite in its workflows to examine commit messages to determine whether to perform a major, minor or patch increment on merge if source code changes have been made. The following table provides the fragment that should be included in a commit message to active different increment strategies.
| Increment Type | Commit Message Fragment |
|---|---|
| major | +semver:breaking |
| major | +semver:major |
| minor | +semver:feature |
| minor | +semver:minor |
| patch | default increment type, no comment needed |
The files and directories that are considered source code are listed in the files-with-code and dirs-with-code arguments in both the build-and-review-pr and increment-version-on-merge workflows.
If a PR contains source code changes, the README.md should be updated with the latest action version and the action should be recompiled. The build-and-review-pr workflow will ensure these steps are performed when they are required. The workflow will provide instructions for completing these steps if the PR Author does not initially complete them.
If a PR consists solely of non-source code changes like changes to the README.md or workflows under ./.github/workflows, version updates and recompiles do not need to be performed.
This command utilizes esbuild to bundle the action and its dependencies into a single file located in the dist folder. If changes are made to the action's source code, the action must be recompiled by running the following command:
# Installs dependencies and bundles the code
npm run buildIf changes are made to the action's source code, the usage examples section of this file should be updated with the next version of the action. Each instance of this action should be updated. This helps users know what the latest tag is without having to navigate to the Tags page of the repository. See Incrementing the Version for details on how to determine what the next version will be or consult the first workflow run for the PR which will also calculate the next version.
The build-and-review-pr workflow includes tests which are linked to a status check. That status check needs to succeed before a PR is merged to the default branch. When a PR comes from a branch, the workflow has access to secrets which are required to run the tests successfully.
When a PR comes from a fork, the workflow cannot access any secrets, so the tests won't have the necessary permissions to run. When a PR comes from a fork, the changes should be reviewed, then merged into an intermediate branch by repository owners so tests can be run against the PR changes. Once the tests have passed, changes can be merged into the default branch.
This project has adopted the im-open's Code of Conduct.
Copyright © 2023, Extend Health, LLC. Code released under the MIT license.