
support: GHES ssh-keyscan

Open lmussier opened this issue 1 year ago • 1 comments

Checklist

  • [X] I am using the latest version of this action.
  • [X] I have read the latest README and followed the instructions.
  • [X] I have read the latest GitHub Actions official documentation and learned the basic spec and concepts.

Describe your question

Hi,

This is a question related to GHES support #580 (thanks for this)! @mambax if you are still around, could you explain the purpose of the change in https://github.com/peaceiris/actions-gh-pages/commit/3623583f73a5cfb5ca3632d6234b9564fed73239 near this line: https://github.com/peaceiris/actions-gh-pages/blob/05d272de6c06158771c3e91ba690aaaabc0c416f/src/set-tokens.ts#L26

I'm in the process of switching to deploy keys in our GHES instance, and I was wondering how the ssh-keyscan is done via the action. My understanding is that this is not done, and one has to perform the key scan 'outside'.

The issue with the current code is that it takes the target URL (my GHES) and writes down the signature of the github.com RSA key. Still, if I'm not mistaken, before #580 the intent was to append github.com to the list of known hosts.

Targeting GHES (obviously) leads to a different server URL, and so the entry added to known_hosts is wrong. We have the GHES host with the github.com key.

@peaceiris I don't think the solution proposed in #719 is a resolution, it is a workaround. The issue here with deploy keys is that we do not add the right key. Plus, the action should only add things inside known_hosts (in a GHES context this file might contain stuff you do not want to override).

Relevant links

- name: Deploy to GitHub Pages
  uses: peaceiris/[email protected]
  with:
    deploy_key: ${{ secrets.GH_PAGES_DEPLOY }}
    publish_dir: ./build
    user_name: github-actions[bot]
    user_email: 41898282+github-actions[bot]@users.noreply.github.com

Relevant log output

  /usr/bin/git push origin gh-pages
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  @       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  The RSA host key for XXXXXXX has changed,
  and the key for the corresponding IP address 10.236.176.162
  is unknown. This could either mean that
  DNS SPOOFING is happening or the IP address for the host
  and its host key have changed at the same time.
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
  Someone could be eavesdropping on you right now (man-in-the-middle attack)!
  It is also possible that a host key has just been changed.
  The fingerprint for the RSA key sent by the remote host is
  SHA256:o4C9b0Qg4Dqq..........................IP/nV+A.
  Please contact your system administrator.
  Add correct host key in /home/ghactions/.ssh/known_hosts to get rid of this message.
  Offending RSA key in /home/ghactions/.ssh/known_hosts:2
    remove with:
    ssh-keygen -f "/home/ghactions/.ssh/known_hosts" -R "XXXXXXXXXXXXX"
  RSA host key for XXXXXXXXXXXXXXXXXXX has changed and you have requested strict checking.
  Host key verification failed.
  fatal: Could not read from remote repository.

Additional context.

ssh-keyscan toward github.com:

ssh-keyscan -t rsa github.com
# github.com:22 SSH-2.0-babeld-01b97e8f
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==

Exactly what we have here.

lmussier avatar Jul 13 '22 13:07 lmussier
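The two problems lmussier describes, an entry under the GHES hostname that carries github.com's key and existing known_hosts lines that must not be overwritten, can be checked and handled as shown here. This is an added example, not code from the actions-gh-pages action or from the issue author: the function names, the sample known_hosts contents and the placeholder key blobs are all constructed for the illustration, and in a real setup the key blob would come from running ssh-keyscan against the GHES host itself.

```typescript
// Added example (not the action's own code). Manages known_hosts entries for a
// deploy-key setup on GHES: append-only, host-checked, with an audit for the
// "GHES hostname, github.com key" entry described in the issue.

interface KnownHostEntry {
  hosts: string[]; // comma-separated host patterns, e.g. ["ghes.example.com"]
  keyType: string; // e.g. "ssh-rsa", "ssh-ed25519"
  key: string;     // base64 key blob
}

// Parse known_hosts text. Blank and comment lines are skipped. Hashed entries
// (|1|...) and [host]:port entries are parsed but never match a plain hostname,
// so they are left alone by every function below.
function parseKnownHosts(text: string): KnownHostEntry[] {
  const entries: KnownHostEntry[] = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const fields = line.split(/\s+/);
    // "@cert-authority host type key" / "@revoked host type key" carry a marker field first
    const offset = fields[0]?.startsWith("@") ? 1 : 0;
    const hostField = fields[offset];
    const keyType = fields[offset + 1];
    const key = fields[offset + 2];
    if (!hostField || !keyType || !key) continue;
    entries.push({ hosts: hostField.split(","), keyType, key });
  }
  return entries;
}

// Hostname of the server URL the workflow runs against (GITHUB_SERVER_URL is
// https://github.com on github.com and https://<ghes-host> on GHES).
function hostFromServerUrl(serverUrl: string): string {
  const m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^@\/]+@)?\[?([^\]\/:?#]+)\]?(?::\d+)?/i.exec(serverUrl.trim());
  const host = m?.[1];
  if (!host) throw new Error(`not an absolute URL: ${serverUrl}`);
  return host.toLowerCase();
}

// Is there already a plain (non-hashed) entry for this host and key type?
function hasHostKey(text: string, host: string, keyType: string): boolean {
  return parseKnownHosts(text).some(
    (e) => e.keyType === keyType && e.hosts.some((h) => h.toLowerCase() === host),
  );
}

// Build the known_hosts line from an ssh-keyscan output line, refusing it when
// the scanned host is not the server being deployed to. This is the check that
// prevents writing github.com's key under the GHES hostname.
function entryForServer(serverUrl: string, keyscanLine: string): string {
  const host = hostFromServerUrl(serverUrl);
  const [scannedHost, keyType, key] = keyscanLine.trim().split(/\s+/);
  if (!scannedHost || !keyType || !key) throw new Error("malformed ssh-keyscan line");
  if (scannedHost.toLowerCase() !== host) {
    throw new Error(`ssh-keyscan line is for ${scannedHost}, but the server is ${host}`);
  }
  return `${host} ${keyType} ${key}`;
}

// Append only: an existing file is never rewritten, and a duplicate is not added.
function appendKnownHost(text: string, entry: string): string {
  const [host, keyType] = entry.split(/\s+/);
  if (!host || !keyType) throw new Error("malformed known_hosts entry");
  if (hasHostKey(text, host, keyType)) return text;
  const sep = text === "" || text.endsWith("\n") ? "" : "\n";
  return `${text}${sep}${entry}\n`;
}

// Audit: hosts other than github.com whose key blob equals github.com's key,
// i.e. exactly the wrong entry the issue reports. githubKey is the blob printed
// by `ssh-keyscan -t rsa github.com`, supplied by the caller.
function findMisattributedKeys(text: string, githubKey: string): string[] {
  const out: string[] = [];
  for (const e of parseKnownHosts(text)) {
    if (e.key === githubKey && !e.hosts.some((h) => h.toLowerCase() === "github.com")) {
      out.push(e.hosts.join(","));
    }
  }
  return out;
}

// Constructed sample file: the first entry reproduces the issue's bug (GHES
// hostname, github.com key); the hashed entry stands in for pre-existing
// content on a shared runner that must survive untouched.
const SAMPLE_KNOWN_HOSTS =
  [
    "# constructed sample, not a real runner's known_hosts",
    "ghes.example.com ssh-rsa PLACEHOLDER_GITHUB_RSA_KEY",
    "|1|hashedhost=|hashedvalue= ssh-ed25519 PLACEHOLDER_OTHER_KEY",
  ].join("\n") + "\n";

console.log(findMisattributedKeys(SAMPLE_KNOWN_HOSTS, "PLACEHOLDER_GITHUB_RSA_KEY"));
console.log(
  appendKnownHost(
    SAMPLE_KNOWN_HOSTS,
    entryForServer("https://ghes.example.com", "ghes.example.com ssh-ed25519 PLACEHOLDER_GHES_KEY"),
  ),
);
```

The audit only compares plain hostnames, so hashed entries and `[host]:port` entries are neither matched nor touched; on a shared runner that is the safe default, since the action has no business rewriting lines it did not add.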

Also having the same problem... it is a big problem for us since we use shared runners, and editing /etc/ssh/ssh_config, the workaround defined here, is not an option: https://github.com/peaceiris/actions-gh-pages/issues/719

haroldo-bonette avatar Sep 19 '23 12:09 haroldo-bonette