Checkout: SSH key not available in container actions

Created on 8 Jul 2020 · 2 Comments · Source: actions/checkout

An SSH key specified with ssh-key does not seem to be available in container actions (actions running Docker containers).

Steps to reproduce

Set up a workflow like this:

name: ssh-key-container-action-test
on: [push]
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          repository: frigus02/my-repo
          path: my-repo
          ssh-key: ${{ secrets.DEPLOY_KEY }}
      - uses: stefanprodan/kube-tools@v1
        with:
          command: |
            cd $GITHUB_WORKSPACE/my-repo
            echo "hello" >world.txt
            git commit -am "hello"
            git push

You will get an error like this:

Warning: Identity file /home/runner/work/_temp/fef9d352-63de-413a-8fc0-6d439e3d354f not accessible: No such file or directory.
No RSA host key is known for github.com and you have requested strict checking.
Host key verification failed.
fatal: Could not read from remote repository.

Error analysis

I assume that the actual action stefanprodan/kube-tools@v1 doesn't matter. The reason seems to be that it runs in a Docker container. The command that the action runs is (line breaks added for readability):

/usr/bin/docker run --name stefanprodankubetoolsv150_3ec838 --label 3888d3 --workdir /github/workspace --rm \
  -e DOCKER_CONFIG -e TAG -e DIGEST -e INPUT_KUSTOMIZE -e INPUT_COMMAND -e INPUT_KUBECTL -e INPUT_HELM -e INPUT_HELMV3 \
  -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH \
  -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE \
  -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true \
  -v "/var/run/docker.sock":"/var/run/docker.sock" \
  -v "/home/runner/work/_temp/_github_home":"/github/home" \
  -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" \
  -v "/home/runner/work/my-repo/my-repo":"/github/workspace" \
  stefanprodan/kube-tools:v1.5.0  "cd $GITHUB_WORKSPACE/my-repo
echo "hello" >world.txt
git commit -am "hello"
git push
" "" "" "" ""

The checkout action logged earlier in the build:

Temporarily overriding GIT_SSH_COMMAND="/usr/bin/ssh" -i "$RUNNER_TEMP/fef9d352-63de-413a-8fc0-6d439e3d354f" -o StrictHostKeyChecking=yes -o CheckHostIP=no -o "UserKnownHostsFile=$RUNNER_TEMP/fef9d352-63de-413a-8fc0-6d439e3d354f_known_hosts"

I also logged the $RUNNER_TEMP variable and found that it points to /home/runner/work/_temp. This directory is not mounted in the Docker container, which makes me think that all container actions will have this problem.

Side note: authenticating with a personal access token and the token option works fine, also later on in container actions.

bug

Most helpful comment

I created a minimal example to reproduce the problem and for me to understand it better: https://github.com/frigus02/test-github-container-action-ssh-key. The latest build failed with the above error message.

The problem is not the GIT_SSH_COMMAND environment variable. It's not available in container actions. I think the checkout action sets core.sshCommand in the local git config. When I access a git remote in a container action, it will try to use the provided command. However the specified SSH key does not exist, because it's not mounted.

I realize now that this might be quite a rare issue. It requires you to use an SSH key, a container action with the necessary tools installed (git, ssh) and then access a git remote in the action.

I should probably re-frame this issue as a feature request. It would be amazing if SSH keys would "just work" in container actions 🙂.
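Added example, not part of the original issue or of actions/checkout: a small check that maps the files referenced by the logged ssh command through the bind mounts of the logged docker run command, showing why the key is unreachable inside the container. The function names are hypothetical, the sample strings are constructed from the values quoted in the issue, and the check assumes the ssh command is used unchanged inside the container, so a file only counts as reachable if it appears at the same path.

```python
import posixpath
import shlex

# Constructed from the issue: the -v flags of the logged docker run command and
# the logged ssh command with $RUNNER_TEMP expanded to /home/runner/work/_temp.
DOCKER_RUN = """/usr/bin/docker run --workdir /github/workspace --rm
  -v "/var/run/docker.sock":"/var/run/docker.sock"
  -v "/home/runner/work/_temp/_github_home":"/github/home"
  -v "/home/runner/work/_temp/_github_workflow":"/github/workflow"
  -v "/home/runner/work/my-repo/my-repo":"/github/workspace"
  stefanprodan/kube-tools:v1.5.0"""
KEY = "/home/runner/work/_temp/fef9d352-63de-413a-8fc0-6d439e3d354f"
SSH_COMMAND = (f'"/usr/bin/ssh" -i "{KEY}" -o StrictHostKeyChecking=yes '
               f'-o CheckHostIP=no -o "UserKnownHostsFile={KEY}_known_hosts"')

def parse_mounts(docker_cmd):
    """Return (host_dir, container_dir) pairs from -v/--volume flags."""
    tokens = shlex.split(docker_cmd)
    mounts = []
    for flag, spec in zip(tokens, tokens[1:]):
        if flag in ("-v", "--volume"):
            host, container = spec.split(":")[:2]
            mounts.append((host.rstrip("/"), container))
    return mounts

def ssh_file_paths(ssh_cmd):
    """Return the files an ssh command line depends on (-i, UserKnownHostsFile)."""
    tokens = shlex.split(ssh_cmd)
    paths = []
    for flag, value in zip(tokens, tokens[1:]):
        if flag == "-i":
            paths.append(value)
        elif flag == "-o" and value.startswith("UserKnownHostsFile="):
            paths.append(value.split("=", 1)[1])
    return paths

def container_path(host_path, mounts):
    """Map a host path into the container, or None if no bind mount covers it."""
    for host, container in sorted(mounts, key=lambda m: -len(m[0])):
        # Match only on a path-component boundary, longest mount first.
        if host_path == host or host_path.startswith(host + "/"):
            rel = posixpath.relpath(host_path, host)
            return posixpath.normpath(posixpath.join(container, rel))
    return None

def unreachable_ssh_files(docker_cmd, ssh_cmd):
    """Files the ssh command names that are not at that same path in the container."""
    mounts = parse_mounts(docker_cmd)
    return [p for p in ssh_file_paths(ssh_cmd) if container_path(p, mounts) != p]

print(unreachable_ssh_files(DOCKER_RUN, SSH_COMMAND))
```

Both the identity file and the known_hosts file are reported: only subdirectories of /home/runner/work/_temp are mounted, and the workspace mount that does exist appears under a different path (/github/workspace) than on the host.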

All 2 comments

@TingluoHuang do you see any reason why RUNNER_TEMP shouldn't be mounted into a container action? I think that's the correct solution to fix this bug. Thoughts?

