webfactory / ssh-agent

GitHub Action to setup `ssh-agent` with a private key
MIT License

Doesn't work for self-hosted runners that are nobodies (no `passwd` entry) #188

Open javbit opened 1 year ago

javbit commented 1 year ago

The use of `os.userInfo().homedir` depends on a `/etc/passwd` entry, which in some hardened setups may not exist. `os.homedir()`, which just depends on `$HOME`, is more likely to be right.

For example, it thinks my user's home is `/`, which is breaking things when my runtime home is actually `/run/github-runner/runner-2`.

javbit commented 1 year ago

I'm working on a PR to handle this issue, will link when ready.

javbit commented 1 year ago

I made a PR, and it solves the immediate failure case. However, I'm now seeing the following error:

```
Run git clone git@github.com:javbit/foo.git
  shell: /bin/bash -e {0}
  env:
    SSH_AUTH_SOCK: /tmp/ssh-XXXXXX9t0fhl/agent.561530
    SSH_AGENT_PID: 561531
Cloning into 'foo'...
ssh: Could not resolve hostname key-fd80f028b988cd54b2c736f6496796d4d46383315756a21b9cbba1b1b7928385.github.com: Name or service not known
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Error: Process completed with exit code 128.
```

(Edited slightly for clarity and confidentiality; namely, I condensed the list of private repositories to the single foo.)

I've added the GitHub host key to my ssh known hosts before running this step, so I think that should be good.

      - run: >
          echo github.com
          ssh-ed25519
          AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
          >> "$HOME/.ssh/known_hosts"

I only set ED25519 deploy keys so I didn't add the other host keys.

Any idea what's going on? Name resolution seems fine when I ping github.com, but doesn't work for the key-*.github.com one, both on my CI machine and my local.

Seems to be caused by this: https://github.com/webfactory/ssh-agent/blob/d4b9b8ff72958532804b70bbe600ad43b36d5f2e/index.js#L71-L73

javbit commented 1 year ago

Never mind, I missed this important section right after! https://github.com/webfactory/ssh-agent/blob/d4b9b8ff72958532804b70bbe600ad43b36d5f2e/index.js#L71-L78

I see what's going on now, and am trying to figure out why ssh isn't picking this config up.

javbit commented 1 year ago

Resolution was to manually set the Git SSH command to reference the config file that was generated. I'll add this to my PR.

```
git config --global core.sshCommand "ssh -F $HOME/.ssh//config"
```