webfactory / ssh-agent

GitHub Action to setup `ssh-agent` with a private key
MIT License

What is the proper private key format? #31

Closed ryanzidago closed 4 years ago

ryanzidago commented 4 years ago

Hi there,

I'm trying to fetch private repo as a dependency in GitHub Actions for an Elixir/Phoenix application.

Please make sure you have the correct access rights and the repository exists. ** (Mix) Command "git --git-dir=.git fetch --force --quiet --progress" failed

[error]Process completed with exit code 1.



Apparently, the key format is wrong. Which key format should be used?

mpdude commented 4 years ago

Strange – at first, this all looks right.

What seems strange to me is that the ssh-agent tries to read from .ssh/id_rsa, although we never put the key there. It's read from STDIN.

In my test runs, the action output looks like this:

Run webfactory/ssh-agent@v0.3.0
  with:
    ssh-private-key: ***
Adding GitHub.com keys to /home/runner/.ssh/known_hosts
Starting ssh-agent
Adding private key to agent
Identity added: (stdin) ((stdin))
Keys added:
4096 SHA256:/XOu...long.id.here...R1kaI (stdin) (RSA)

Do you see this output as well before your dependency-fetching step starts?

ryanzidago commented 4 years ago

I have something almost similar:

Run webfactory/ssh-agent@v0.3.0
  with:
    ssh-private-key: ***
Adding GitHub.com keys to /home/runner/.ssh/known_hosts
Starting ssh-agent
Adding private key to agent
Identity added: (stdin) (ryan@name_of_my_computer)
Keys added:
256 SHA256:/XOu...long.id.here...R1kaI ryan@name_of_my_computer (ED25519)

Don't know if it matters, but as you can see, sometimes stdin is replaced by ryan@name_of_my_computer and the line after keys added starts with 256 instead of 4096. Also RSA is replaced with ED25519.

mpdude commented 4 years ago

No, that's not an issue. It's a comment field embedded in the SSH key, and it's the type and length of the key. That's all fine IMO.

Could you add `run: git clone {ssh-url-for-your-private-repo}` right after the webfactory/ssh-agent action step? That way, we could check if a simple, plain git clone works for the repo and the key.

ryanzidago commented 4 years ago

I get that:

Cloning into 'my_private_dependency'...
Warning: Permanently added the RSA host key for IP address 'some_IP' to the list of known hosts.
ERROR: Repository not found.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
##[error]Process completed with exit code 128.

So I cannot simply clone the repo. From what I understood, I shouldn't have to configure anything on the private repo side or?

mpdude commented 4 years ago

> I copied the public key using xclip -sel clip < ~/.ssh/github_actions.pub and pasted the content in the deploy_key config of GitHub under the title GITHUB_ACTIONS_DEPLOY_KEYS

I've understood this as that you added the public part of the SSH key as a deployment key in the private repo – haven't you?

A deployment key tells GitHub that the owner of the private key part (your GHA workflow in this case) is entitled to clone the repository, also if it is private. You need to make sure that cloning happens with an SSH URL, which should look like `git@github.com:webfactory/ssh-agent.git`.

ryanzidago commented 4 years ago

@mpdude

I had the deploy key set up on the repository where the GitHubActions were triggered, not the private dependency itself. Now GHA can finally clone/fetch the private dependency.

Many thanks!

mpdude commented 4 years ago

Could you do me a favor and re-read the README file? Is there anything missing or worded imprecisely that could have saved you the hassle?

kai490952010 commented 3 years ago

@mpdude I'm going through something identical here. Have set public key as Deploy Keys in the private repo. And, set private key as Secret in the repo running github actions. Only difference between the issue and my case, is that I'm trying to install the private git repo via pipenv. Any idea what could be causing this error?

FAIL
ERROR:pip.subprocessor:Command errored out with exit status 128:
 command: git clone -q ssh://github.com/kai490952010/<repo>.git /tmp/pipenv-5x2u39s9-src/csci-utils
     cwd: None
Complete output (6 lines):
Warning: Permanently added the RSA host key for IP address '140.82.114.3' to the list of known hosts.
runner@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.
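
The thread names the SSH URL form `git@github.com:owner/repo.git`, and the last log shows `ssh://github.com/...` answered with `runner@github.com: Permission denied (publickey)`, which is what ssh produces when the URL carries no user name and the local account is used instead. The following pre-flight check is an added example, not code from this thread or from webfactory/ssh-agent; `classify_github_url` and the `example-org/private-dep` URLs are hypothetical.

```shell
#!/bin/sh
# Added example; classify_github_url is a hypothetical helper name.
# Prints a verdict for a Git remote URL and returns 0 only for "ok".
classify_github_url() {
    url=${1#git+}                   # pip/pipenv write git+ssh://...
    case $url in
        https://*|http://*|git://*)
            echo "not-ssh"; return 1 ;;    # the agent key is never offered
        ssh://*)
            rest=${url#ssh://}
            authority=${rest%%/*} ;;       # [user@]host[:port]
        *:*)
            authority=${url%%:*} ;;        # scp-like [user@]host:path
        *)
            echo "unrecognized"; return 1 ;;
    esac
    case $authority in
        *@*) user=${authority%%@*}; host=${authority#*@} ;;
        *)   user=""; host=$authority ;;
    esac
    host=${host%%:*}                # drop an optional :port
    if [ "$host" != "github.com" ]; then
        echo "other-host"; return 1
    fi
    if [ -z "$user" ]; then
        # ssh then logs in as the local account (e.g. "runner"),
        # while GitHub only accepts the user "git".
        echo "missing-user"; return 1
    fi
    if [ "$user" != "git" ]; then
        echo "wrong-user"; return 1
    fi
    echo "ok"
}

# Constructed sample URLs (example-org/private-dep is a placeholder).
for u in \
    "git@github.com:webfactory/ssh-agent.git" \
    "ssh://github.com/example-org/private-dep.git" \
    "git+ssh://git@github.com/example-org/private-dep.git" \
    "https://github.com/example-org/private-dep.git"
do
    printf '%-55s %s\n' "$u" "$(classify_github_url "$u" || true)"
done
```

A URL that passes this check can still fail with "Repository not found" when the deploy key is registered on the repository running the workflow rather than on the private dependency, as happened earlier in the thread.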