Using deploy keys on GitHub Actions

Some of the tools you use in GitHub Workflows might require access to private repositories; Fastlane Match is one example. While it is easy to use a personal token on GitHub, deploy keys give you more fine-grained control over permissions.

In this example, we will store our private SSH key in encrypted form in the repository, and later decrypt it in the workflow and add it to the SSH agent. Let’s generate it first:

Read the password you generated and set it as a secret in your project settings.

In the workflow YAML file we first check out the repository (which contains the encrypted private SSH key), decrypt the key, and then set up the SSH agent with it.

Just as we run the git clone command in the “Checkout” step, you can use any other tool that supports the SSH agent to access your private repository. We’re using this with Fastlane Match in our Hello World app build workflow.

Remember that whenever you use the SSH agent, its socket has to be exposed via the SSH_AUTH_SOCK environment variable. You can see that we do this when setting up the SSH agent in the “Checkout” step, as well as when cleaning up identities in the “Cleanup” step.
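The whole procedure end to end, as an added example rather than code from the original post: the local one-off steps (generate a passphrase, encrypt the private key) and the workflow-side steps (decrypt the key, start the agent and export SSH_AUTH_SOCK, clean up). It assumes openssl, ssh-agent and ssh-add are on PATH, that the encrypted key is committed at .github/deploy_key.enc, and that the passphrase is stored as the repository secret DEPLOY_KEY_PASSPHRASE; those names and paths are my choices, not the post's.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Assumed names/paths (my choice):
#   - repository secret DEPLOY_KEY_PASSPHRASE, exposed to the decrypt step as
#     an environment variable of the same name
#   - encrypted private key committed at .github/deploy_key.enc
# Tools assumed on PATH: openssl, ssh-agent, ssh-add.
set -eu

# ---- Local, one-off (run on your machine, never in CI) ----------------------

# Generate the passphrase that you will store as the repository secret.
generate_passphrase() {
  openssl rand -base64 32
}

# Encrypt the private key file $1 into $2. The passphrase is read from the
# DEPLOY_KEY_PASSPHRASE environment variable so it never appears in argv.
encrypt_key() {
  openssl enc -aes-256-cbc -pbkdf2 -salt \
    -in "$1" -out "$2" -pass env:DEPLOY_KEY_PASSPHRASE
}

# ---- Workflow "Checkout" step -----------------------------------------------

# Decrypt $1 into $2 with owner-only permissions (ssh-add refuses keys that
# are readable by others). Returns non-zero on a wrong passphrase.
decrypt_key() {
  ( umask 077
    openssl enc -d -aes-256-cbc -pbkdf2 \
      -in "$1" -out "$2" -pass env:DEPLOY_KEY_PASSPHRASE )
}

# Start an agent, load the decrypted key $1, and persist SSH_AUTH_SOCK (plus the
# agent PID) for later steps via GITHUB_ENV. Any later step, including tools
# such as Fastlane Match, then finds the agent socket in its environment.
start_agent_with_key() {
  eval "$(ssh-agent -s)" >/dev/null
  ssh-add "$1"
  if [ -n "${GITHUB_ENV:-}" ]; then
    echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >>"$GITHUB_ENV"
    echo "SSH_AGENT_PID=$SSH_AGENT_PID" >>"$GITHUB_ENV"
  fi
}

# ---- Workflow "Cleanup" step (run it with `if: always()`) -------------------

# Remove all identities from the agent (needs SSH_AUTH_SOCK in the
# environment), stop the agent, and delete the plaintext key file $1.
cleanup_agent() {
  ssh-add -D
  ssh-agent -k >/dev/null
  rm -f "$1"
}
```

In the workflow, the “Checkout” step runs `decrypt_key .github/deploy_key.enc "$RUNNER_TEMP/deploy_key"` followed by `start_agent_with_key "$RUNNER_TEMP/deploy_key"`, with `DEPLOY_KEY_PASSPHRASE: ${{ secrets.DEPLOY_KEY_PASSPHRASE }}` in the step's `env:`; the git clone (or Fastlane Match) follows, and the “Cleanup” step calls `cleanup_agent "$RUNNER_TEMP/deploy_key"` under `if: always()` so the key is wiped even when the build fails. Two design choices worth noting: the ciphertext is readable by everyone who can read the repository, so the passphrase must be a random one as generated above, and passing it via `-pass env:` rather than `-pass pass:` keeps it out of the process list and the job log.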

This setup is not the simplest. However, in return for the work of implementing it, you get two benefits: a greater choice of tools you can use in your workflows, and fine control over the permissions you give them when accessing private repositories.