ssh-agent-action/index.js

const core = require('@actions/core');
const child_process = require('child_process');
const fs = require('fs');
const crypto = require('crypto');
const { homePath, sshAgentCmdDefault, sshAddCmdDefault, gitCmdDefault } = require('./paths.js');

try {
    const privateKey = core.getInput('ssh-private-key');
    const logPublicKey = core.getBooleanInput('log-public-key', {default: true});

    const sshAgentCmdInput = core.getInput('ssh-agent-cmd');
    const sshAddCmdInput = core.getInput('ssh-add-cmd');
    const gitCmdInput = core.getInput('git-cmd');

    const sshAgentCmd = sshAgentCmdInput ? sshAgentCmdInput : sshAgentCmdDefault;
    const sshAddCmd = sshAddCmdInput ? sshAddCmdInput : sshAddCmdDefault;
    const gitCmd = gitCmdInput ? gitCmdInput : gitCmdDefault;

    if (!privateKey) {
        core.setFailed("The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file.");

        return;
    }

    const homeSsh = homePath + '/.ssh';
    fs.mkdirSync(homeSsh, { recursive: true });

    console.log("Starting ssh-agent");

    const authSock = core.getInput('ssh-auth-sock');
    const sshAgentArgs = (authSock && authSock.length > 0) ? ['-a', authSock] : [];

    // Extract auth socket path and agent pid and set them as job variables
    child_process.execFileSync(sshAgentCmd, sshAgentArgs).toString().split("\n").forEach(function(line) {
        const matches = /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=(.*); export \1/.exec(line);

        if (matches && matches.length > 0) {
            // This will also set process.env accordingly, so changes take effect for this script
            core.exportVariable(matches[1], matches[2])
            console.log(`${matches[1]}=${matches[2]}`);
        }
    });

    console.log("Adding private key(s) to agent");

    privateKey.split(/(?=-----BEGIN)/).forEach(function(key) {
        child_process.execFileSync(sshAddCmd, ['-'], { input: key.trim() + "\n" });
    });

    console.log("Key(s) added:");

    child_process.execFileSync(sshAddCmd, ['-l'], { stdio: 'inherit' });

    console.log('Configuring deployment key(s)');

    child_process.execFileSync(sshAddCmd, ['-L']).toString().trim().split(/\r?\n/).forEach(function(key) {
        const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/i);

        if (!parts) {
            if (logPublicKey) {
              console.log(`Comment for (public) key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
            }
            return;
        }

        const sha256 = crypto.createHash('sha256').update(key).digest('hex');
        const ownerAndRepo = parts[1].replace(/\.git$/, '');

        fs.writeFileSync(`${homeSsh}/key-${sha256}`, key + "\n", { mode: '600' });

        child_process.execSync(`${gitCmd} config --global --replace-all url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "https://github.com/${ownerAndRepo}"`);
        child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "git@github.com:${ownerAndRepo}"`);
        child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "ssh://git@github.com/${ownerAndRepo}"`);

        const sshConfig = `\nHost key-${sha256}.github.com\n`
                              + `    HostName github.com\n`
                              + `    IdentityFile ${homeSsh}/key-${sha256}\n`
                              + `    IdentitiesOnly yes\n`;

        fs.appendFileSync(`${homeSsh}/config`, sshConfig);

        console.log(`Added deploy-key mapping: Use identity '${homeSsh}/key-${sha256}' for GitHub repository ${ownerAndRepo}`);
    });

} catch (error) {

    if (error.code == 'ENOENT') {
        console.log(`The '${error.path}' executable could not be found. Please make sure it is on your PATH and/or the necessary packages are installed.`);
        console.log(`PATH is set to: ${process.env.PATH}`);
    }

    core.setFailed(error.message);
}
Write GH action to set up ssh keys for private repos 2019-09-14 22:28:16 +00:00			`const core = require('@actions/core');`
			`const child_process = require('child_process');`
			`const fs = require('fs');`
Add support for GitHub Deployment Keys through key comments (#59) Fixes #30, closes #38. 2021-02-19 13:37:34 +00:00			`const crypto = require('crypto');`
Allow the user to override the commands for `git`, `ssh-agent`, and `ssh-add` (#154) On my self-hosted Windows runners, the `git`, `ssh-agent`, and `ssh-add` commands are not located in the locations that are currently hard-coded in `paths.js`. With this PR, I am able to get this action to work on my runners as follows: ```yaml - uses: webfactory/ssh-agent@... with: ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} git-cmd: git ssh-agent-cmd: ssh-agent ssh-add-cmd: ssh-add ``` 2023-01-27 17:09:18 +00:00			`const { homePath, sshAgentCmdDefault, sshAddCmdDefault, gitCmdDefault } = require('./paths.js');`
Write GH action to set up ssh keys for private repos 2019-09-14 22:28:16 +00:00
			`try {`
Remove redundant .trim() 2020-02-06 18:09:44 +00:00			`const privateKey = core.getInput('ssh-private-key');`
Add an action input/flag to disable logging of public key information (#122) This commit adds the new `log-public-key` action input. Closes #122 (contains the suggested changes plus a few tweaks and documentation), fixes #100. Co-authored-by: Matthias Pigulla <mp@webfactory.de> 2022-10-19 10:41:11 +00:00			`const logPublicKey = core.getBooleanInput('log-public-key', {default: true});`
Exit with a helpful error message when the secret has not been configured 2020-01-14 09:29:16 +00:00
Allow the user to override the commands for `git`, `ssh-agent`, and `ssh-add` (#154) On my self-hosted Windows runners, the `git`, `ssh-agent`, and `ssh-add` commands are not located in the locations that are currently hard-coded in `paths.js`. With this PR, I am able to get this action to work on my runners as follows: ```yaml - uses: webfactory/ssh-agent@... with: ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} git-cmd: git ssh-agent-cmd: ssh-agent ssh-add-cmd: ssh-add ``` 2023-01-27 17:09:18 +00:00			`const sshAgentCmdInput = core.getInput('ssh-agent-cmd');`
			`const sshAddCmdInput = core.getInput('ssh-add-cmd');`
			`const gitCmdInput = core.getInput('git-cmd');`

			`const sshAgentCmd = sshAgentCmdInput ? sshAgentCmdInput : sshAgentCmdDefault;`
			`const sshAddCmd = sshAddCmdInput ? sshAddCmdInput : sshAddCmdDefault;`
			`const gitCmd = gitCmdInput ? gitCmdInput : gitCmdDefault;`

Exit with a helpful error message when the secret has not been configured 2020-01-14 09:29:16 +00:00			`if (!privateKey) {`
			`core.setFailed("The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file.");`

			`return;`
			`}`

Provide `gitPath` for Windows to avoid failures on `windows-2022` (GitHub-hosted runner) (#137) ### Problem: Observed error on `windows-2022` ([GitHub-hosted runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources)) that `git` command cannot be found. ### Issue: Cannot find git executable on on windows-2022 (GitHub-hosted runner) #136 ### Solution: This path improvement makes use of existing `path.js` to resolve and return correct `git.exe` path for Windows, leaving the executable name as it was for other operating systems. ### Caveats: No idea how and why this `c://progra~1//git//usr//bin//git.exe` mumbo-jumbo works but it apparently did for other executables so figured it should work for `git.exe` (and it does). 2022-10-19 11:27:50 +00:00			`const homeSsh = homePath + '/.ssh';`
style: lint just reviewing and noticed a missing space 2020-03-03 00:41:12 +00:00			`fs.mkdirSync(homeSsh, { recursive: true });`
Write GH action to set up ssh keys for private repos 2019-09-14 22:28:16 +00:00
			`console.log("Starting ssh-agent");`
Windows virtual environment: Use SSH binaries from the Git suite (#63) * Use SSH binaries from the Git suite * Try to kill the ssh-agent upon action termination on Windows as well 2021-03-10 07:19:17 +00:00
Write GH action to set up ssh keys for private repos 2019-09-14 22:28:16 +00:00			`const authSock = core.getInput('ssh-auth-sock');`
Windows virtual environment: Use SSH binaries from the Git suite (#63) * Use SSH binaries from the Git suite * Try to kill the ssh-agent upon action termination on Windows as well 2021-03-10 07:19:17 +00:00			`const sshAgentArgs = (authSock && authSock.length > 0) ? ['-a', authSock] : [];`
Randomize SSH auth socket, kill agent to support non-ephemeral, self hosted runners (@thommyhh, #27) Thanks to @thommyhh for this contribution! Unless the `SSH_AUTH_SOCK` is configured explicitly, this change will make the SSH agent use a random file name for the socket. That way, multiple, concurrent SSH agents can be used on non-ephemeral, self-hosted runners. A new post-action step will automatically clean up the running agent at the end of a job. Be aware of the possible security implications: Two jobs running on the same runner might be able to access each other's socket and thus access repositories and/or hosts. 2020-05-18 07:08:29 +00:00
			`// Extract auth socket path and agent pid and set them as job variables`
Provide `gitPath` for Windows to avoid failures on `windows-2022` (GitHub-hosted runner) (#137) ### Problem: Observed error on `windows-2022` ([GitHub-hosted runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources)) that `git` command cannot be found. ### Issue: Cannot find git executable on on windows-2022 (GitHub-hosted runner) #136 ### Solution: This path improvement makes use of existing `path.js` to resolve and return correct `git.exe` path for Windows, leaving the executable name as it was for other operating systems. ### Caveats: No idea how and why this `c://progra~1//git//usr//bin//git.exe` mumbo-jumbo works but it apparently did for other executables so figured it should work for `git.exe` (and it does). 2022-10-19 11:27:50 +00:00			`child_process.execFileSync(sshAgentCmd, sshAgentArgs).toString().split("\n").forEach(function(line) {`
Windows virtual environment: Use SSH binaries from the Git suite (#63) * Use SSH binaries from the Git suite * Try to kill the ssh-agent upon action termination on Windows as well 2021-03-10 07:19:17 +00:00			`const matches = /^(SSH_AUTH_SOCK\|SSH_AGENT_PID)=(.*); export \1/.exec(line);`

Randomize SSH auth socket, kill agent to support non-ephemeral, self hosted runners (@thommyhh, #27) Thanks to @thommyhh for this contribution! Unless the `SSH_AUTH_SOCK` is configured explicitly, this change will make the SSH agent use a random file name for the socket. That way, multiple, concurrent SSH agents can be used on non-ephemeral, self-hosted runners. A new post-action step will automatically clean up the running agent at the end of a job. Be aware of the possible security implications: Two jobs running on the same runner might be able to access each other's socket and thus access repositories and/or hosts. 2020-05-18 07:08:29 +00:00			`if (matches && matches.length > 0) {`
Windows virtual environment: Use SSH binaries from the Git suite (#63) * Use SSH binaries from the Git suite * Try to kill the ssh-agent upon action termination on Windows as well 2021-03-10 07:19:17 +00:00			`// This will also set process.env accordingly, so changes take effect for this script`
Randomize SSH auth socket, kill agent to support non-ephemeral, self hosted runners (@thommyhh, #27) Thanks to @thommyhh for this contribution! Unless the `SSH_AUTH_SOCK` is configured explicitly, this change will make the SSH agent use a random file name for the socket. That way, multiple, concurrent SSH agents can be used on non-ephemeral, self-hosted runners. A new post-action step will automatically clean up the running agent at the end of a job. Be aware of the possible security implications: Two jobs running on the same runner might be able to access each other's socket and thus access repositories and/or hosts. 2020-05-18 07:08:29 +00:00			`core.exportVariable(matches[1], matches[2])`
Windows virtual environment: Use SSH binaries from the Git suite (#63) * Use SSH binaries from the Git suite * Try to kill the ssh-agent upon action termination on Windows as well 2021-03-10 07:19:17 +00:00			console.log(`${matches[1]}=${matches[2]}`);
Randomize SSH auth socket, kill agent to support non-ephemeral, self hosted runners (@thommyhh, #27) Thanks to @thommyhh for this contribution! Unless the `SSH_AUTH_SOCK` is configured explicitly, this change will make the SSH agent use a random file name for the socket. That way, multiple, concurrent SSH agents can be used on non-ephemeral, self-hosted runners. A new post-action step will automatically clean up the running agent at the end of a job. Be aware of the possible security implications: Two jobs running on the same runner might be able to access each other's socket and thus access repositories and/or hosts. 2020-05-18 07:08:29 +00:00			`}`
Windows virtual environment: Use SSH binaries from the Git suite (#63) * Use SSH binaries from the Git suite * Try to kill the ssh-agent upon action termination on Windows as well 2021-03-10 07:19:17 +00:00			`});`

			`console.log("Adding private key(s) to agent");`
Write GH action to set up ssh keys for private repos 2019-09-14 22:28:16 +00:00
Exit with a helpful error message when the secret has not been configured 2020-01-14 09:29:16 +00:00			`privateKey.split(/(?=-----BEGIN)/).forEach(function(key) {`
Provide `gitPath` for Windows to avoid failures on `windows-2022` (GitHub-hosted runner) (#137) ### Problem: Observed error on `windows-2022` ([GitHub-hosted runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources)) that `git` command cannot be found. ### Issue: Cannot find git executable on on windows-2022 (GitHub-hosted runner) #136 ### Solution: This path improvement makes use of existing `path.js` to resolve and return correct `git.exe` path for Windows, leaving the executable name as it was for other operating systems. ### Caveats: No idea how and why this `c://progra~1//git//usr//bin//git.exe` mumbo-jumbo works but it apparently did for other executables so figured it should work for `git.exe` (and it does). 2022-10-19 11:27:50 +00:00			`child_process.execFileSync(sshAddCmd, ['-'], { input: key.trim() + "\n" });`
Support multiple SSH keys (#14) * Support concatenation of multiple private keys in the given secret * Add a changelog 2020-01-14 09:21:11 +00:00			`});`
Exit with a helpful error message when the secret has not been configured 2020-01-14 09:29:16 +00:00
Windows virtual environment: Use SSH binaries from the Git suite (#63) * Use SSH binaries from the Git suite * Try to kill the ssh-agent upon action termination on Windows as well 2021-03-10 07:19:17 +00:00			`console.log("Key(s) added:");`

Provide `gitPath` for Windows to avoid failures on `windows-2022` (GitHub-hosted runner) (#137) ### Problem: Observed error on `windows-2022` ([GitHub-hosted runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources)) that `git` command cannot be found. ### Issue: Cannot find git executable on on windows-2022 (GitHub-hosted runner) #136 ### Solution: This path improvement makes use of existing `path.js` to resolve and return correct `git.exe` path for Windows, leaving the executable name as it was for other operating systems. ### Caveats: No idea how and why this `c://progra~1//git//usr//bin//git.exe` mumbo-jumbo works but it apparently did for other executables so figured it should work for `git.exe` (and it does). 2022-10-19 11:27:50 +00:00			`child_process.execFileSync(sshAddCmd, ['-l'], { stdio: 'inherit' });`
Windows virtual environment: Use SSH binaries from the Git suite (#63) * Use SSH binaries from the Git suite * Try to kill the ssh-agent upon action termination on Windows as well 2021-03-10 07:19:17 +00:00
			`console.log('Configuring deployment key(s)');`
Exit with a helpful error message when the secret has not been configured 2020-01-14 09:29:16 +00:00
Avoid nonsensical log message (#139) This change avoids the `Comment for (public) key '' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.` log message that was caused by inappropriate parsing of `ssh-add -L` output and confused a lot of users already. 2022-10-19 12:54:52 +00:00			`child_process.execFileSync(sshAddCmd, ['-L']).toString().trim().split(/\r?\n/).forEach(function(key) {`
Use case-insensitive regex matching when scanning key comments Resolves #68, closes #70, closes #71. Co-authored-by: Sean Killeen <SeanKilleen@gmail.com> 2021-03-17 18:27:52 +00:00			`const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/i);`
Add support for GitHub Deployment Keys through key comments (#59) Fixes #30, closes #38. 2021-02-19 13:37:34 +00:00
Windows virtual environment: Use SSH binaries from the Git suite (#63) * Use SSH binaries from the Git suite * Try to kill the ssh-agent upon action termination on Windows as well 2021-03-10 07:19:17 +00:00			`if (!parts) {`
Add an action input/flag to disable logging of public key information (#122) This commit adds the new `log-public-key` action input. Closes #122 (contains the suggested changes plus a few tweaks and documentation), fixes #100. Co-authored-by: Matthias Pigulla <mp@webfactory.de> 2022-10-19 10:41:11 +00:00			`if (logPublicKey) {`
			console.log(`Comment for (public) key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
			`}`
Add support for GitHub Deployment Keys through key comments (#59) Fixes #30, closes #38. 2021-02-19 13:37:34 +00:00			`return;`
			`}`

Windows virtual environment: Use SSH binaries from the Git suite (#63) * Use SSH binaries from the Git suite * Try to kill the ssh-agent upon action termination on Windows as well 2021-03-10 07:19:17 +00:00			`const sha256 = crypto.createHash('sha256').update(key).digest('hex');`
			`const ownerAndRepo = parts[1].replace(/\.git$/, '');`
Add support for GitHub Deployment Keys through key comments (#59) Fixes #30, closes #38. 2021-02-19 13:37:34 +00:00
Windows virtual environment: Use SSH binaries from the Git suite (#63) * Use SSH binaries from the Git suite * Try to kill the ssh-agent upon action termination on Windows as well 2021-03-10 07:19:17 +00:00			fs.writeFileSync(`${homeSsh}/key-${sha256}`, key + "\n", { mode: '600' });
Add support for GitHub Deployment Keys through key comments (#59) Fixes #30, closes #38. 2021-02-19 13:37:34 +00:00
Provide `gitPath` for Windows to avoid failures on `windows-2022` (GitHub-hosted runner) (#137) ### Problem: Observed error on `windows-2022` ([GitHub-hosted runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources)) that `git` command cannot be found. ### Issue: Cannot find git executable on on windows-2022 (GitHub-hosted runner) #136 ### Solution: This path improvement makes use of existing `path.js` to resolve and return correct `git.exe` path for Windows, leaving the executable name as it was for other operating systems. ### Caveats: No idea how and why this `c://progra~1//git//usr//bin//git.exe` mumbo-jumbo works but it apparently did for other executables so figured it should work for `git.exe` (and it does). 2022-10-19 11:27:50 +00:00			child_process.execSync(`${gitCmd} config --global --replace-all url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "https://github.com/${ownerAndRepo}"`);
			child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "git@github.com:${ownerAndRepo}"`);
			child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "ssh://git@github.com/${ownerAndRepo}"`);
Add support for GitHub Deployment Keys through key comments (#59) Fixes #30, closes #38. 2021-02-19 13:37:34 +00:00
Windows virtual environment: Use SSH binaries from the Git suite (#63) * Use SSH binaries from the Git suite * Try to kill the ssh-agent upon action termination on Windows as well 2021-03-10 07:19:17 +00:00			const sshConfig = `\nHost key-${sha256}.github.com\n`
Add support for GitHub Deployment Keys through key comments (#59) Fixes #30, closes #38. 2021-02-19 13:37:34 +00:00			+ ` HostName github.com\n`
Windows virtual environment: Use SSH binaries from the Git suite (#63) * Use SSH binaries from the Git suite * Try to kill the ssh-agent upon action termination on Windows as well 2021-03-10 07:19:17 +00:00			+ ` IdentityFile ${homeSsh}/key-${sha256}\n`
Add support for GitHub Deployment Keys through key comments (#59) Fixes #30, closes #38. 2021-02-19 13:37:34 +00:00			+ ` IdentitiesOnly yes\n`;

			fs.appendFileSync(`${homeSsh}/config`, sshConfig);

Windows virtual environment: Use SSH binaries from the Git suite (#63) * Use SSH binaries from the Git suite * Try to kill the ssh-agent upon action termination on Windows as well 2021-03-10 07:19:17 +00:00			console.log(`Added deploy-key mapping: Use identity '${homeSsh}/key-${sha256}' for GitHub repository ${ownerAndRepo}`);
Add support for GitHub Deployment Keys through key comments (#59) Fixes #30, closes #38. 2021-02-19 13:37:34 +00:00			`});`

Write GH action to set up ssh keys for private repos 2019-09-14 22:28:16 +00:00			`} catch (error) {`
Handle ENOENT exceptions with a graceful message 2021-03-05 20:17:14 +00:00
			`if (error.code == 'ENOENT') {`
			console.log(`The '${error.path}' executable could not be found. Please make sure it is on your PATH and/or the necessary packages are installed.`);
			console.log(`PATH is set to: ${process.env.PATH}`);
			`}`

Write GH action to set up ssh keys for private repos 2019-09-14 22:28:16 +00:00			`core.setFailed(error.message);`
			`}`