Using deploy keys on GitHub Actions
Some of the tools you are using in GitHub Workflows might require access to private repositories. One of the examples might be the Fastlane Match. While it is easy to use a personal token on GitHub, deploy keys give you more fine-grained control over permissions.
In this example, we will store our private SSH key in an encrypted form in the repository, to later on decrypt it and add it to the SSH agent. Let’s generate it first:
|
1 2 3 4 |
$ ssh-keygen -t rsa -b 4096 -f .github/workflows/secrets/id_rsa -C "ios-provisioning@eclipsesource.com" -N "" $ # generate encryption password we will use in OpenSSL $ export ENCRYPTION_KEY $(pwgen 32 1) $ openssl aes-256-cbc -in .github/workflows/secrets/id_rsa -out .github/workflows/secrets/id_rsa.enc -pass pass:$ENCRYPTION_KEY -e -md sha1 |
Read the password you generated and set it as a secret in your project settings.
|
1 |
echo $ENCRYPTION_KEY |
In the workflow YAML file, first, we need to check out the repository with an encrypted private SSH key, decrypt it, and then set up the SSH agent (with the key).
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 |
name: Deploy Key test on: push: jobs: main: runs-on: ubuntu-latest name: Access private repo steps: - name: Checkout secrets uses: actions/checkout@v2 - name: Decrypt secrets env: ENCRYPTION_KEY: ${{ secrets.ENCRYPTION_KEY }} run: | openssl aes-256-cbc -in .github/workflows/secrets/id_rsa.enc -out .github/workflows/secrets/id_rsa -pass pass:$ENCRYPTION_KEY -d -md sha1 - name: Setup SSH agent env: SSH_AUTH_SOCK: /tmp/ssh_agent.sock run: | mkdir -p ~/.ssh ssh-keyscan github.com >> ~/.ssh/known_hosts ssh-agent -a $SSH_AUTH_SOCK > /dev/null chmod 0600 .github/workflows/secrets/id_rsa ssh-add .github/workflows/secrets/id_rsa - name: Checkout env: SSH_AUTH_SOCK: /tmp/ssh_agent.sock run: git clone git@github.com:eclipsesource/ios-provisioning.git - name: Cleanup if: always() env: SSH_AUTH_SOCK: /tmp/ssh_agent.sock run: | ssh-add -D rm -Rf * |
In the same way, as we run git clone command in the “Checkout” step, you can use any other tool (which supports the SSH agent) to access your private repository. We’re using this with Fastlane Match in our Hello World app build workflow.
Remember that whenever you use the SSH agent, its socket has to be exposed via the SSH_AUTH_SOCK environment variable. You can see that we do this when setting up the SSH agent in the “Checkout” step, as well as when cleaning up identities in the “Cleanup” step.
This setup is not the simplest one. However, in return for the work you will do to implement it, you will get two benefits: greater choice of tools you can use in your workflows, and fine control over permissions you give them when accessing private repositories.
Feedback is welcome!
Want to join the discussion?Feel free to contribute!
