
SSH key not available in container actions

Open frigus02 opened this issue 5 years ago • 3 comments

An SSH key specified with ssh-key does not seem to be available in container actions (actions running Docker containers).

Steps to reproduce

Set up a workflow like this:

name: ssh-key-container-action-test
on: [push]
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          repository: frigus02/my-repo
          path: my-repo
          ssh-key: ${{ secrets.DEPLOY_KEY }}
      - uses: stefanprodan/kube-tools@v1
        with:
          command: |
            cd $GITHUB_WORKSPACE/my-repo
            echo "hello" >world.txt
            git commit -am "hello"
            git push

You will get an error like this:

Warning: Identity file /home/runner/work/_temp/fef9d352-63de-413a-8fc0-6d439e3d354f not accessible: No such file or directory.
No RSA host key is known for github.com and you have requested strict checking.
Host key verification failed.
fatal: Could not read from remote repository.

Error analysis

I assume that the actual action stefanprodan/kube-tools@v1 doesn't matter. The reason seems to be that it runs in a Docker container. The command that the action runs is (line breaks added for readability):

/usr/bin/docker run --name stefanprodankubetoolsv150_3ec838 --label 3888d3 --workdir /github/workspace --rm \
  -e DOCKER_CONFIG -e TAG -e DIGEST -e INPUT_KUSTOMIZE -e INPUT_COMMAND -e INPUT_KUBECTL -e INPUT_HELM -e INPUT_HELMV3 \
  -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH \
  -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE \
  -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true \
  -v "/var/run/docker.sock":"/var/run/docker.sock" \
  -v "/home/runner/work/_temp/_github_home":"/github/home" \
  -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" \
  -v "/home/runner/work/my-repo/my-repo":"/github/workspace" \
  stefanprodan/kube-tools:v1.5.0  "cd $GITHUB_WORKSPACE/my-repo
echo "hello" >world.txt
git commit -am "hello"
git push
" "" "" "" ""

The checkout action logged earlier in the build:

Temporarily overriding GIT_SSH_COMMAND="/usr/bin/ssh" -i "$RUNNER_TEMP/fef9d352-63de-413a-8fc0-6d439e3d354f" -o StrictHostKeyChecking=yes -o CheckHostIP=no -o "UserKnownHostsFile=$RUNNER_TEMP/fef9d352-63de-413a-8fc0-6d439e3d354f_known_hosts"

I also logged the $RUNNER_TEMP variable and found that it points to /home/runner/work/_temp. This directory is not mounted in the Docker container, which makes me think that all container actions will have this problem.

Side note: authenticating with a personal access token and the token option works fine, also later on in container actions.

frigus02 avatar Jul 08 '20 14:07 frigus02

@TingluoHuang do you see any reason why RUNNER_TEMP shouldn't be mounted into a container action? I think that's the correct solution to fix this bug. Thoughts?

ericsciple avatar Jul 13 '20 01:07 ericsciple

I created a minimal example to reproduce the problem and for me to understand it better: https://github.com/frigus02/test-github-container-action-ssh-key. The latest build failed with the above error message.

The problem is not the GIT_SSH_COMMAND environment variable. It's not available in container actions. I think the checkout action sets core.sshCommand in the local git config. When I access a git remote in a container action, it will try to use the provided command. However the specified SSH key does not exist, because it's not mounted.

I realize now that this might be quite a rare issue. It requires you to use an SSH key, a container action with the necessary tools installed (git, ssh) and then access a git remote in the action.

I should probably re-frame this issue as a feature request. It would be amazing if SSH keys would "just work" in container actions 🙂.

frigus02 avatar Jul 13 '20 11:07 frigus02
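A diagnostic for the mechanism described above, added here as an example and not code from the thread, from actions/checkout or from the runner: it takes the core.sshCommand string that checkout writes into the repo's git config, pulls out the identity file and UserKnownHostsFile paths, and reports whether each is readable where the script runs. The sample command string is constructed from the GIT_SSH_COMMAND line quoted in the issue, and the default RUNNER_TEMP value is the one observed there.

```shell
#!/bin/sh
# Run inside a container action step before any git push/fetch to turn the
# confusing "Identity file ... not accessible" error into a clear verdict.

# Print the identity file path from an ssh command string (quoted or not).
ssh_identity_path() {
    printf '%s\n' "$1" |
        sed -n 's/.*-i[[:space:]]\{1,\}"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p'
}

# Print the UserKnownHostsFile path from an ssh command string.
ssh_known_hosts_path() {
    printf '%s\n' "$1" | sed -n 's/.*UserKnownHostsFile=\([^"[:space:]]*\).*/\1/p'
}

# checkout logs the path with a literal $RUNNER_TEMP prefix; resolve it the way
# the runner would (default is the value reported in the issue, an assumption).
expand_runner_temp() {
    case "$1" in
        '$RUNNER_TEMP'/*) printf '%s\n' "${RUNNER_TEMP:-/home/runner/work/_temp}${1#\$RUNNER_TEMP}" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Report each file; return 0 only if both the key and known_hosts are readable.
check_ssh_files() {
    status=0
    for f in "$(expand_runner_temp "$(ssh_identity_path "$1")")" \
             "$(expand_runner_temp "$(ssh_known_hosts_path "$1")")"; do
        if [ -n "$f" ] && [ -r "$f" ]; then
            echo "ok:      $f"
        else
            echo "missing: $f (RUNNER_TEMP is not mounted into container actions)"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample, taken from the GIT_SSH_COMMAND line logged in the issue.
SAMPLE_SSH_COMMAND='"/usr/bin/ssh" -i "$RUNNER_TEMP/fef9d352-63de-413a-8fc0-6d439e3d354f" -o StrictHostKeyChecking=yes -o CheckHostIP=no -o "UserKnownHostsFile=$RUNNER_TEMP/fef9d352-63de-413a-8fc0-6d439e3d354f_known_hosts"'

# In a real step use: check_ssh_files "$(git config --get core.sshCommand)"
check_ssh_files "$SAMPLE_SSH_COMMAND" || echo "verdict: SSH auth from actions/checkout will fail in this container"
```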

@ericsciple Is there any chance of this being fixed?

I ran into this recently while trying to leverage an action that utilizes a container, leading to much head scratching.

As @frigus02 notes, the SSH command var is properly updated but the contents of that directory are not mounted in containers.

Example code that will fail.

name: Generate terraform docs
on:
  push:
    branches:
      - master
jobs:
  docs:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
      with:
        ref: master
        ssh-key: ${{secrets.DEPLOY_KEY}}
    - name: Render terraform docs inside the README.md and push changes back to PR branch
      uses: terraform-docs/[email protected]
      with:
        find-dir: ./
        #output-file: README.md
        #output-method: inject
        git-push: "true"

The upstream for this can be found at

https://github.com/terraform-docs/gh-actions/blob/main/action.yml

As far as I can tell, there is no way for me to mount the directory in question into a Docker container via an action.yml.

I don't see how this is resolvable for end users without GitHub's intervention.

rtizzy avatar Oct 16 '24 13:10 rtizzy