Description
Problem
When running in containers, the SSH clones are currently completely broken. Nobody noticed so far, because the default cloning mode is HTTPS, not SSH. Cloning via SSH in a container is a rare combo I guess.
The issue has to do with the ~/.ssh/known_hosts file - or lack thereof. The action is supposed to populate the ~/.ssh/known_hosts with SSH host keys for GitHub - but this is, somehow, not happening.
I suspect the issue is that actions/checkout does this:
checkout/src/git-auth-helper.ts
Lines 119 to 121 in 85e6279
This code changes the HOME directory to a temporary one, and that new HOME is used for git invocations. The action, however, doesn't copy the contents of the old HOME/.ssh to the newly created dir.
This logic seems to be called after the ~/.ssh/known_hosts file is populated, so the file is never actually used.
What makes things even worse is that the action uses a random directory name for the new HOME - so we can't even pre-populate it with fixed data.
Solution
I propose the following plan:
- Add an input to enable copying user-specified files into that new HOME dir.
- Copy the .ssh from the real HOME to temp HOME by default.
- Consider ways to eliminate touching the HOME in the first place, or to provide an opt-out from it.
- Implement automatic tests for cloning SSH in containers. The fact that this major feature is broken is not normal. GitHub Actions were not born yesterday, the investment into proper QA tooling is long overdue.
Workaround
For now, I've found a workaround that fits our use-case: manually write the /etc/ssh/ssh_known_hosts.
```yaml
- name: Add github.com ssh host keys
  shell: bash
  run: |
    set -euo pipefail
    KNOWN_HOSTS_FILE="/etc/ssh/ssh_known_hosts"
    # Use sudo when it is available; otherwise run the command directly.
    with_sudo() {
      if command -v sudo >/dev/null; then
        sudo "$@"
      else
        "$@"
      fi
    }
    with_sudo mkdir -p -m 0755 "$(dirname "$KNOWN_HOSTS_FILE")"
    # Write the pinned host keys to the system-wide known hosts file.
    with_sudo tee "$KNOWN_HOSTS_FILE" <<EOF
    github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
    github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
    github.com ssh-rsa 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
    EOF
    with_sudo chmod 644 "$KNOWN_HOSTS_FILE"
```
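Because the workaround pins host keys by hand, a check that each pinned line is well-formed and matches a fingerprint you trust is worth running before relying on it. The following is an added example, not code from this issue or from actions/checkout. The names `check_known_hosts_line` and `audit` are hypothetical, it handles only plain `host keytype key` lines like the ones above, and the expected fingerprints are assumed to come from a source you trust, such as the fingerprints GitHub publishes.

```python
import base64
import binascii
import hashlib
import struct

# Host key line copied from the workaround on this page.
PAGE_ED25519 = ("github.com ssh-ed25519 "
                "AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl")


def check_known_hosts_line(line):
    """Return (host, key_type, fingerprint) or raise ValueError."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected 'host keytype base64-key'")
    host, key_type, b64 = fields[:3]
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"key for {host} is not valid base64") from exc
    # The blob starts with a 4-byte big-endian length and the key type name.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n]
    if len(embedded) != n or embedded != key_type.encode():
        raise ValueError(f"declared type {key_type} does not match key blob")
    # OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw blob.
    digest = hashlib.sha256(blob).digest()
    fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return host, key_type, fp


def audit(text, expected):
    """Check each non-comment line; `expected` maps key type -> fingerprint.
    Returns a list of problems (empty when every line passes)."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            host, key_type, fp = check_known_hosts_line(line)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        if expected.get(key_type) != fp:
            problems.append(f"line {lineno}: {host} {key_type} {fp} not expected")
    return problems
```

Run `audit` over the file contents in the same job, before the checkout step, and fail the job if the returned list is not empty.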