mirror of
https://github.com/webfactory/ssh-agent.git
synced 2024-11-21 16:50:50 +00:00
Add an action input/flag to disable logging of public key information (#122)
This commit adds the new `log-public-key` action input. Closes #122 (contains the suggested changes plus a few tweaks and documentation), fixes #100. Co-authored-by: Matthias Pigulla <mp@webfactory.de>
This commit is contained in:
parent
28cb4d8505
commit
fbef2c7bd0
5 changed files with 23 additions and 4 deletions
|
@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||||
|
|
||||||
## [Unreleased]
|
## [Unreleased]
|
||||||
|
|
||||||
|
* Add the `log-public-key` input that can be used to turn off logging key identities (#122)
|
||||||
|
|
||||||
## v0.6.0 [2022-10-19]
|
## v0.6.0 [2022-10-19]
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
|
@ -76,7 +76,16 @@ To support picking the right key in this use case, this action scans _key commen
|
||||||
3. For key comments containing such URLs, a Git config setting is written that uses [`url.<base>.insteadof`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-urlltbasegtinsteadOf). It will redirect `git` requests to URLs starting with either `https://github.com/owner/repo` or `git@github.com:owner/repo` to a fake hostname/URL like `git@...some.hash...:owner/repo`.
|
3. For key comments containing such URLs, a Git config setting is written that uses [`url.<base>.insteadof`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-urlltbasegtinsteadOf). It will redirect `git` requests to URLs starting with either `https://github.com/owner/repo` or `git@github.com:owner/repo` to a fake hostname/URL like `git@...some.hash...:owner/repo`.
|
||||||
4. An SSH configuration section is generated that applies to the fake hostname. It will map the SSH connection back to `github.com`, while at the same time pointing SSH to a file containing the appropriate key's public part. That will make SSH use the right key when connecting to GitHub.com.
|
4. An SSH configuration section is generated that applies to the fake hostname. It will map the SSH connection back to `github.com`, while at the same time pointing SSH to a file containing the appropriate key's public part. That will make SSH use the right key when connecting to GitHub.com.
|
||||||
|
|
||||||
|
## Action Inputs
|
||||||
|
|
||||||
|
The following inputs can be used to control the action's behavior:
|
||||||
|
|
||||||
|
* `ssh-private-key`: Required. Use this to provide the key(s) to load as GitHub Actions secrets.
|
||||||
|
* `ssh-auth-sock`: Can be used to control where the SSH agent socket will be placed. Ultimately affects the `$SSH_AUTH_SOCK` environment variable.
|
||||||
|
* `log-public-key`: Set this to `false` if you want to suppress logging of _public_ key information. To simplify debugging and since it contains public key information only, this is turned on by default.
|
||||||
|
|
||||||
## Exported variables
|
## Exported variables
|
||||||
|
|
||||||
The action exports the `SSH_AUTH_SOCK` and `SSH_AGENT_PID` environment variables through the Github Actions core module.
|
The action exports the `SSH_AUTH_SOCK` and `SSH_AGENT_PID` environment variables through the Github Actions core module.
|
||||||
The `$SSH_AUTH_SOCK` is used by several applications like git or rsync to connect to the SSH authentication agent.
|
The `$SSH_AUTH_SOCK` is used by several applications like git or rsync to connect to the SSH authentication agent.
|
||||||
The `$SSH_AGENT_PID` contains the process id of the agent. This is used to kill the agent in post job action.
|
The `$SSH_AGENT_PID` contains the process id of the agent. This is used to kill the agent in post job action.
|
||||||
|
|
|
@ -6,6 +6,10 @@ inputs:
|
||||||
required: true
|
required: true
|
||||||
ssh-auth-sock:
|
ssh-auth-sock:
|
||||||
description: 'Where to place the SSH Agent auth socket'
|
description: 'Where to place the SSH Agent auth socket'
|
||||||
|
log-public-key:
|
||||||
|
description: 'Whether or not to log public key fingerprints'
|
||||||
|
required: false
|
||||||
|
default: true
|
||||||
runs:
|
runs:
|
||||||
using: 'node16'
|
using: 'node16'
|
||||||
main: 'dist/index.js'
|
main: 'dist/index.js'
|
||||||
|
|
6
dist/index.js
vendored
6
dist/index.js
vendored
|
@ -326,6 +326,7 @@ const { home, sshAgent, sshAdd } = __webpack_require__(972);
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const privateKey = core.getInput('ssh-private-key');
|
const privateKey = core.getInput('ssh-private-key');
|
||||||
|
const logPublicKey = core.getBooleanInput('log-public-key', {default: true});
|
||||||
|
|
||||||
if (!privateKey) {
|
if (!privateKey) {
|
||||||
core.setFailed("The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file.");
|
core.setFailed("The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file.");
|
||||||
|
@ -374,8 +375,9 @@ try {
|
||||||
const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/i);
|
const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/i);
|
||||||
|
|
||||||
if (!parts) {
|
if (!parts) {
|
||||||
console.log(`Comment for (public) key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
|
if (logPublicKey) {
|
||||||
|
console.log(`Comment for (public) key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
|
||||||
|
}
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
6
index.js
6
index.js
|
@ -6,6 +6,7 @@ const { home, sshAgent, sshAdd } = require('./paths.js');
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const privateKey = core.getInput('ssh-private-key');
|
const privateKey = core.getInput('ssh-private-key');
|
||||||
|
const logPublicKey = core.getBooleanInput('log-public-key', {default: true});
|
||||||
|
|
||||||
if (!privateKey) {
|
if (!privateKey) {
|
||||||
core.setFailed("The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file.");
|
core.setFailed("The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file.");
|
||||||
|
@ -54,8 +55,9 @@ try {
|
||||||
const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/i);
|
const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/i);
|
||||||
|
|
||||||
if (!parts) {
|
if (!parts) {
|
||||||
console.log(`Comment for (public) key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
|
if (logPublicKey) {
|
||||||
|
console.log(`Comment for (public) key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
|
||||||
|
}
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue