
SSH key not available in container actions #297

Open
frigus02 opened this issue Jul 8, 2020 · 4 comments
Labels
bug Something isn't working

Comments

@frigus02

frigus02 commented Jul 8, 2020

An SSH key specified with ssh-key does not seem to be available in container actions (actions running Docker containers).

Steps to reproduce

Setup a workflow like this:

name: ssh-key-container-action-test
on: [push]
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          repository: frigus02/my-repo
          path: my-repo
          ssh-key: ${{ secrets.DEPLOY_KEY }}
      - uses: stefanprodan/kube-tools@v1
        with:
          command: |
            cd $GITHUB_WORKSPACE/my-repo
            echo "hello" >world.txt
            git commit -am "hello"
            git push

You will get an error like this:

Warning: Identity file /home/runner/work/_temp/fef9d352-63de-413a-8fc0-6d439e3d354f not accessible: No such file or directory.
No RSA host key is known for github.com and you have requested strict checking.
Host key verification failed.
fatal: Could not read from remote repository.

Error analysis

I assume that the actual action stefanprodan/kube-tools@v1 doesn't matter. The reason seems to be that it runs in a Docker container. The command that the action runs is (line breaks added for readability):

/usr/bin/docker run --name stefanprodankubetoolsv150_3ec838 --label 3888d3 --workdir /github/workspace --rm \
  -e DOCKER_CONFIG -e TAG -e DIGEST -e INPUT_KUSTOMIZE -e INPUT_COMMAND -e INPUT_KUBECTL -e INPUT_HELM -e INPUT_HELMV3 \
  -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH \
  -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE \
  -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true \
  -v "/var/run/docker.sock":"/var/run/docker.sock" \
  -v "/home/runner/work/_temp/_github_home":"/github/home" \
  -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" \
  -v "/home/runner/work/my-repo/my-repo":"/github/workspace" \
  stefanprodan/kube-tools:v1.5.0  "cd $GITHUB_WORKSPACE/my-repo
echo "hello" >world.txt
git commit -am "hello"
git push
" "" "" "" ""

The checkout action logged earlier in the build:

Temporarily overriding GIT_SSH_COMMAND="/usr/bin/ssh" -i "$RUNNER_TEMP/fef9d352-63de-413a-8fc0-6d439e3d354f" -o StrictHostKeyChecking=yes -o CheckHostIP=no -o "UserKnownHostsFile=$RUNNER_TEMP/fef9d352-63de-413a-8fc0-6d439e3d354f_known_hosts"

I also logged the $RUNNER_TEMP variable and found that it points to /home/runner/work/_temp. This directory is not mounted in the Docker container, which makes me think that all container actions will have this problem.

Side note: authenticating with a personal access token and the token option works fine, also later on in container actions.

@ericsciple
Contributor

@TingluoHuang do you see any reason why RUNNER_TEMP shouldn't be mounted into a container action? I think that's the correct solution to fix this bug. Thoughts?

@frigus02
Author

frigus02 commented Jul 13, 2020

I created a minimal example to reproduce the problem and for me to understand it better: https://github.com/frigus02/test-github-container-action-ssh-key. The latest build failed with the above error message.

The problem is not the GIT_SSH_COMMAND environment variable. It's not available in container actions. I think the checkout action sets core.sshCommand in the local git config. When I access a git remote in a container action, it will try to use the provided command. However the specified SSH key does not exist, because it's not mounted.

I realize now that this might be quite a rare issue. It requires you to use an SSH key, a container action with the necessary tools installed (git, ssh) and then access a git remote in the action.

I should probably re-frame this issue as a feature request. It would be amazing if SSH keys would "just work" in container actions 🙂.
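A preflight check a container-action author could run before touching a git remote, added here as an example that is not part of this issue or of actions/checkout: it parses the core.sshCommand value that checkout writes (the sample is the value logged earlier in this thread), expands the literal $RUNNER_TEMP reference the way the shell would at ssh time, and reports whether the identity file and known_hosts file are actually readable from the current filesystem. It assumes POSIX sh with sed; the fallback RUNNER_TEMP path is the one logged in this issue.

```shell
#!/bin/sh
# Added example, not code from the issue or from actions/checkout.
# Constructed sample: the core.sshCommand value logged in this thread. In a
# real job read it with `git config --get core.sshCommand` inside the
# checked-out repository.
SAMPLE_CMD='"/usr/bin/ssh" -i "$RUNNER_TEMP/fef9d352-63de-413a-8fc0-6d439e3d354f" -o StrictHostKeyChecking=yes -o CheckHostIP=no -o "UserKnownHostsFile=$RUNNER_TEMP/fef9d352-63de-413a-8fc0-6d439e3d354f_known_hosts"'

# Print the identity file path (the quoted argument after -i).
ssh_identity_path() {
  printf '%s\n' "$1" | sed -n 's/.*-i "\([^"]*\)".*/\1/p'
}

# Print the UserKnownHostsFile path (up to the closing quote or a space).
ssh_known_hosts_path() {
  printf '%s\n' "$1" | sed -n 's/.*UserKnownHostsFile=\([^" ]*\).*/\1/p'
}

# Replace the literal $RUNNER_TEMP token with the runner-provided value,
# mirroring what the shell does when git launches the ssh command. The
# default is the host path reported in this issue (an assumption).
expand_runner_temp() {
  printf '%s\n' "$1" | sed "s|[\$]RUNNER_TEMP|${RUNNER_TEMP:-/home/runner/work/_temp}|g"
}

# Return 0 when every file the ssh command references is readable here,
# 1 otherwise, naming each missing file on stderr. A container action that
# runs this before `git push` gets a clear diagnosis instead of the
# "Identity file ... not accessible" / "Host key verification failed" pair.
check_ssh_command_files() {
  cmd=$(expand_runner_temp "$1")
  ok=0
  for f in "$(ssh_identity_path "$cmd")" "$(ssh_known_hosts_path "$cmd")"; do
    if [ -z "$f" ]; then
      echo "could not find a file path in: $1" >&2; ok=1
    elif [ ! -r "$f" ]; then
      echo "not accessible from this filesystem: $f" >&2; ok=1
    fi
  done
  return $ok
}

# Stand-alone run: on a machine without the runner's _temp directory this
# reports both files as inaccessible, exactly the situation in the issue.
if check_ssh_command_files "$SAMPLE_CMD"; then
  echo "ssh key and known_hosts reachable; git over SSH should work"
else
  echo "core.sshCommand points at files this container cannot see"
fi
```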

ericsciple added the bug (Something isn't working) label Jul 13, 2020
@rtizzy

rtizzy commented Oct 16, 2024

@ericsciple Is there any chance of this being fixed?

I ran into this recently while trying to leverage an action that utilizes a container, leading to much head scratching.

As @frigus02 notes, the SSH command var is properly updated but the contents of that directory are not mounted in containers.

Example code that will fail.

name: Generate terraform docs
on:
  push:
    branches:
      - master
jobs:
  docs:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
      with:
        ref: master
        ssh-key: ${{secrets.DEPLOY_KEY}}
    - name: Render terraform docs inside the README.md and push changes back to PR branch
      uses: terraform-docs/gh-actions@v1.0.0
      with:
        find-dir: ./
        #output-file: README.md
        #output-method: inject
        git-push: "true"

The upstream for this can be found at

https://github.com/terraform-docs/gh-actions/blob/main/action.yml

As far as I can tell, there is no way for me to mount the directory in question into a Docker container via an action.yml.

I don't see how this is resolvable for end users without GitHub's intervention.
