shimataro / ssh-key-action

GitHub Action that installs SSH key to .ssh
https://github.com/marketplace/actions/install-ssh-key
MIT License

Does the ssh key get left on the runner? #199

Closed menasheh closed 1 year ago

menasheh commented 2 years ago

Will the ssh-key and authorized keys be removed from the runner at the end of workflow execution?

DavraYoung commented 2 years ago

I am also interested in this question. Is it safe to leave private ssh keys on github cloud runners?

kiweezi commented 2 years ago

Likewise!

shimataro commented 2 years ago

> Is it safe to leave private ssh keys on github cloud runners?

According to this document, it seems to be safe because it is decommissioned automatically.

> When the job has finished, the VM is automatically decommissioned.

I think we need to remove not only SSH keys but also all source code if the VM is reused by someone 🤔

kiweezi commented 2 years ago

> > Is it safe to leave private ssh keys on github cloud runners?
>
> According to this document, it seems to be safe because it is decommissioned automatically.
>
> > When the job has finished, the VM is automatically decommissioned.
>
> I think we need to remove not only SSH keys but also all source code if the VM is reused by someone 🤔

Thanks for the response! That is for GitHub's own runners. I agree that it's likely safe to leave the key on them.

In my org's case, we use hosted runners. Removing the ssh key would be beneficial to us as we use these VMs for lots of different kinds of workflows. It's also a risk leaving all our keys on one VM!

shimataro commented 2 years ago

@kiweezi Thanks for your supplementary comments!

Unfortunately, ssh-key-action cannot remove keys by itself after the workflow finishes. You might want to append the lines below to the steps in your YAML file.

    - name: remove SSH keys
      run: rm -rf ~/.ssh
      if: ${{ always() }}
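
On a runner that is reused across workflows, `rm -rf ~/.ssh` also deletes any keys, `known_hosts` and `config` the runner account already had. The sketch below is an added example, not part of this thread or of ssh-key-action: it snapshots the directory before the key-install step and restores it in the `always()` cleanup step. The function names, `SSH_DIR` and `BACKUP_DIR` are assumptions; `RUNNER_TEMP` is the runner's per-job temp directory.

```shell
#!/usr/bin/env bash
# Added example, not code from ssh-key-action. Function names, SSH_DIR and
# BACKUP_DIR are assumptions made for this sketch.

# Save the SSH directory as it was before the key-install step ran.
ssh_snapshot() {
  local ssh_dir="$1" backup="$2"
  rm -rf -- "$backup"
  mkdir -p -- "$backup"
  chmod 700 "$backup"            # the copy may hold the runner's own keys
  if [ -d "$ssh_dir" ]; then
    cp -a -- "$ssh_dir" "$backup/ssh"
  fi
}

# Remove everything the job added and put the earlier state back.
ssh_restore() {
  local ssh_dir="$1" backup="$2"
  # Without a snapshot we cannot tell job keys from runner keys: delete nothing.
  if [ ! -d "$backup" ]; then
    echo "no snapshot at $backup, leaving $ssh_dir untouched" >&2
    return 1
  fi
  rm -rf -- "$ssh_dir"
  if [ -d "$backup/ssh" ]; then
    mv -- "$backup/ssh" "$ssh_dir"   # directory existed before the job
  fi
  rm -rf -- "$backup"
}

# Entry point: "<script> snapshot" before the install step,
# "<script> restore" in the step guarded by if: ${{ always() }}.
SSH_DIR="${SSH_DIR:-$HOME/.ssh}"
BACKUP_DIR="${BACKUP_DIR:-${RUNNER_TEMP:-$HOME}/ssh-snapshot}"
case "${1:-}" in
  snapshot) ssh_snapshot "$SSH_DIR" "$BACKUP_DIR" ;;
  restore)  ssh_restore "$SSH_DIR" "$BACKUP_DIR" ;;
esac
```

A restore without a prior snapshot exits non-zero, so the job log shows that cleanup did not happen.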

kiweezi commented 2 years ago

@shimataro Thanks for your prompt response! We've been using something similar to your suggestion for a while now, so thanks for sharing!

Is it not possible for this feature to be added to the action? Or maybe your example should be added to the readme? That way people with hosted runners will be more likely to use this action :).

Either way, appreciate your response and discussion on it!

shimataro commented 2 years ago

@kiweezi

> Is it not possible for this feature to be added to the action?

Probably not. From what I read in the document, it seems that there is no way to clean up after the action is done. Please let me know if you find a good way!

> Or maybe your example should be added to the readme?

It's a good idea! I will add it to the "Q&A" section later. Thanks!

shimataro commented 1 year ago

Hi, I found a good way and released a new version.

Please try it!