Github host key should be updated ? #169

Closed
andreaslohre opened this issue Mar 24, 2023 · 2 comments · Fixed by #171

@andreaslohre

https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/

@na-jakobs

Yup, host keys need to be updated right away :-| in the ssh-agent extension @mpdude

@mpdude
Member

mpdude commented Mar 24, 2023

We have another issue (#108) with regards to host keys: On self-hosted runners which are not ephemeral the known_hosts file fills up with repeated entries, because every action run adds a new line with the same host keys.

Also, on those machines, the old key will still be in the known_hosts file.

IMHO this action should not be responsible for shipping SSH host keys, that's too much responsibility 😄 .

This section in the code is a leftover from early days when GitHub provided runners did not include SSH keys at all. For a long time already, GH takes care of placing their SSH keys in their runner images.

For self-hosted runners, those people setting up the runner should fetch and verify SSH keys themselves and put it into the known_hosts file.

I know this is a breaking change and is going to annoy users. But on the other hand, there is no better opportunity to drop this feature than with an emergency-style key revocation as today.
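
The known_hosts cleanup discussed in this thread for non-ephemeral self-hosted runners, as an added example that is not part of the issue or of the action's code: it drops entries whose fingerprint is revoked, collapses repeated lines, and pins a new key only if it matches a fingerprint obtained out of band. The function names and all key blobs are constructed for illustration; the blobs are not real GitHub keys.

```python
import base64
import hashlib

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def reconcile(text, host, pinned_line, expected_fp, revoked_fps):
    """Drop revoked keys for `host`, collapse duplicates, pin one verified key."""
    # Refuse to pin a key whose fingerprint differs from the one obtained
    # out of band (for example from the provider's documentation).
    if fingerprint(pinned_line.split()[2]) != expected_fp:
        raise ValueError("pinned key does not match expected fingerprint")
    out, seen = [], set()
    for raw in text.splitlines() + [pinned_line]:
        fields = raw.split()
        # Comments, blank lines and @marker lines pass through untouched.
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            out.append(raw)
            continue
        hosts, ktype, key = fields[:3]
        try:
            fp = fingerprint(key)
        except ValueError:
            out.append(raw)  # unparsable entry: leave it for a human
            continue
        # Hashed host names (|1|...) are not matched by this plain comparison.
        if host in hosts.split(",") and fp in revoked_fps:
            continue  # stale key that must no longer be trusted
        if (hosts, ktype, key) in seen:
            continue  # repeated entry appended by an earlier run
        seen.add((hosts, ktype, key))
        out.append(raw)
    return "\n".join(out) + "\n"

# Constructed sample data: these blobs are NOT real host keys.
OLD = base64.b64encode(b"constructed-old-rsa-key").decode()
NEW = base64.b64encode(b"constructed-new-rsa-key").decode()
OTHER = base64.b64encode(b"constructed-other-host-key").decode()
NEW_LINE = f"github.com ssh-rsa {NEW}"
SAMPLE = "\n".join([f"github.com ssh-rsa {OLD}"] * 3
                   + [f"git.example.test ssh-ed25519 {OTHER}"] * 2) + "\n"

if __name__ == "__main__":
    print(reconcile(SAMPLE, "github.com", NEW_LINE,
                    fingerprint(NEW), {fingerprint(OLD)}), end="")
```

Running it twice over the same file yields the same content, so it can be scheduled on a long-lived runner without growing the file.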
