wpengine / github-action-wpe-site-deploy

A GitHub Action to deploy code directly to WP Engine.
MIT License

Action fails with Permission denied (publickey). #50

Closed emarchak closed 1 year ago

emarchak commented 2 years ago

Describe the bug

I've tried to set up the action as per the instructions, but I keep getting a failure based on my public key. I've triple checked my configuration on WP Engine and GitHub with SSH keys, confirmed that my env name is correct, waited a few days for the keys to propagate and confirmed there is no whitespace.

Not sure what else I could do to debug this. I expect that I'll be moving off of this plugin and using https://github.com/webfactory/ssh-agent instead.

Log is included below.

To reproduce

I followed the instructions as exactly as possible (Really!). I tried the secret at the org level and the repo level, with no changes. The repo is private, but here's my workflows/deploy.yml config:

```yaml
name: Deploy to WP Engine
on:
  push:
    branches:
      - main
      - fix/workflow
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
      uses: actions/checkout@v3
    - name: Deploy to WP Engine
      uses: wpengine/github-action-wpe-site-deploy@v3
      with:
        WPE_SSHG_KEY_PRIVATE: ${{ secrets.WPE_SSHG_KEY_PRIVATE }}
        WPE_ENV: <env name>
```

Expected behavior

I'd expect the public key to be accepted by WP Engine.

Build Output & Screenshots

Action logs

```
Deploying refs/heads/fix/workflow to ...
# .ssh.wpengine.net:22 SSH-2.0-Go
prepping file perms...
file perms set...
Skipping PHP Linting.
OpenSSH_8.4p1, OpenSSL 1.1.1k 25 Mar 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to .ssh.wpengine.net [35.224.26.249] port 22.
debug1: Connection established.
debug1: identity file /github/home/.ssh/github_action type 3
debug1: identity file /github/home/.ssh/github_action-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version Go
debug1: no match: Go
debug1: Authenticating to .ssh.wpengine.net:22 as 'wpe_gha+'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:**********
Warning: Permanently added '.ssh.wpengine.net,35.224.26.249' (RSA) to the list of known hosts.
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /github/home/.ssh/github_action ED25519 SHA256::********** explicit
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /github/home/.ssh/github_action ED25519 SHA256::********** explicit
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
wpe_gha+@.ssh.wpengine.net: Permission denied (publickey).
```

Version information

Additional context

emarchak commented 2 years ago

I ended up getting the deploy to work with kielabokkie/ssh-key-and-known-hosts-action@v1 and a bash script. I think the error would be contained within this action.

emarchak commented 2 years ago

For anyone else, here's the script that I used that bypassed this action. I didn't really need it in the end 👇 (remember to replace <site name>)

```yaml
name: Deploy to WP Engine
on:
  push:
    branches:
      - main
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
      uses: actions/checkout@v3
    - name: Setup SSH Agent
      uses: kielabokkie/ssh-key-and-known-hosts-action@v1
      with:
        ssh-private-key: ${{ secrets.WPE_SSHG_KEY_PRIVATE }}
        ssh-host: git.wpengine.com
    - name: Check WP Engine connection
      run: ssh git@git.wpengine.com info
    - name: Deploy to WP Engine
      run: |
        echo "Deploying to production server on branch $GITHUB_REF"
        git remote add prod git@git.wpengine.<site name>.git
        git push -v -o remove-empty-dirs prod $GITHUB_REF
```

gfirem commented 2 years ago

I'm having the same issue

gfirem commented 2 years ago

I'm having the same issue. I don't understand why it is authenticating with wpe_gha

debug1: Authenticating to <env name>.ssh.wpengine.net:22 as 'wpe_gha+<env name>'

Jorgu5 commented 1 year ago

+1 anyone can fix this?

colorful-tones commented 1 year ago

@emarchak I'm wondering if it might be related to uses: actions/checkout@v3? I believe this action relies upon uses: actions/checkout@v2 🤔

Jorgu5 commented 1 year ago

@colorful-tones It happens to me on @v2.

colorful-tones commented 1 year ago

@gfirem @Jorgu5 are you both running Actions from a private repo? I'm just trying to get some debugging leads.

FWIW - I just did a successful deployment and I'm writing up a tutorial on using Composer, which should likely be published in the next week or two. Here is the final code, though, where I've successfully run deploys: https://github.com/colorful-tones/wpe-deploy-composer

Jorgu5 commented 1 year ago

@colorful-tones yes, I'm running from a private repo. Thanks, I'll check!

daniel-savo commented 1 year ago

@Jorgu5 @gfirem @emarchak could you contact support and reference this issue? That will enable us to get a bit more information used to troubleshoot the issue.

In the meantime I've created a ticket on our end and we're looking into it.

Jorgu5 commented 1 year ago

@daniel-savo that's what I did 2 days ago, and I thought that was the result of @colorful-tones replying here :)

daniel-savo commented 1 year ago

@Jorgu5 Perfect, that will help significantly with troubleshooting. Thank you!

daniel-savo commented 1 year ago

We recently published the following guided instructions in our portal that might help troubleshoot the issue, as we look into things on our end.

Jorgu5 commented 1 year ago

Thanks, @daniel-savo, however, I've done exactly the steps described in this guide and this does not solve the problem, still getting permission denied. Also, tried both on public and private repositories and the effect is the same.

For reference, my .yml is like this:


```yaml
name: Deploy to WP Engine
on:
  push:
    branches:
      - test
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Install
        run: yarn install
      - name: Build
        run: yarn build
      - name: GitHub Action Deploy to WP Engine
        uses: wpengine/github-action-wpe-site-deploy@v3
        with:
          WPE_SSHG_KEY_PRIVATE: ${{ secrets.WPE_SSH_KEY_PRIVATE }}
          WPE_ENV: ${{ secrets.WPE_ENVIRONMENT_QA }}
          REMOTE_PATH: "wp-content/themes/edubin-child/"
          CACHE_CLEAR: TRUE
```

daniel-savo commented 1 year ago

@Jorgu5 could you try again? There was a file permissions issue on your site that should have been the cause of the deployment failure, which has been fixed.

Jorgu5 commented 1 year ago

Still the same, here is the full debug trace from this action https://i.imgur.com/xcGNFeY.jpg

daniel-savo commented 1 year ago

@Jorgu5 Interesting. Before we dig even deeper, I hate to ask you, but could you submit your site name in a chat with CX? In your previous interaction it was identified by the site URL, which can be changed and moved around.

That way we can be certain we're looking into the right one and can therefore perform some additional investigation.

daniel-savo commented 1 year ago

@Jorgu5 One additional note: the SSH key is different from the one you've uploaded for Git push; it uses the ones uploaded in the SSH key section under your profile (or in step 2 of the aforementioned guide).

It's a limitation of the current implementation, and we realize it's confusing, which is why we're working on changing that in the future.

Jorgu5 commented 1 year ago

What is CX? I know about the SSH key, thanks for pointing that out. I'm certain I'm using the proper key.

daniel-savo commented 1 year ago

Customer Support. With the exact site name, we can remove some of the guesswork and dig some more.

daniel-savo commented 1 year ago

@Jorgu5 Thank you for reaching out to support, we can now see the logs associated with your connection attempts. The bad news is that we now know for a fact that the connections are being rejected because none of the SSH keys you've uploaded match the ones being presented by the GitHub Action SSH client.

So my recommendation would be to work with customer support to go over the SSH key upload process and double check things, as that is absolutely the issue here.

daniel-savo commented 1 year ago

Closing as this has been confirmed to be a client-side configuration issue.
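
Added example, not part of the thread or of the action's code: the final diagnosis is that the key offered by the Action matches none of the uploaded keys, so this Python sketch computes the `SHA256:` fingerprint that `ssh -v` prints on the `Offering public key` line, once from the OpenSSH-format private key held in the secret and once from an uploaded public-key line, so the two can be compared. `make_constructed_pair` and its key bytes are constructed for the demo and are not usable keys; all function names are assumptions of this example.

```python
import base64, hashlib, struct

MAGIC = b"openssh-key-v1\x00"
BEGIN, END = "-----BEGIN OPENSSH PRIVATE KEY-----", "-----END OPENSSH PRIVATE KEY-----"

def read_string(buf, off):
    # SSH "string": uint32 big-endian length followed by that many bytes.
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key data")
    return buf[off + 4:off + 4 + n], off + 4 + n

def fingerprint(blob):
    # Same form ssh -v prints: "SHA256:" + unpadded base64 of SHA-256(public blob).
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def fingerprint_from_public(line):
    # Public key line as uploaded: "<type> <base64 blob> [comment]".
    return fingerprint(base64.b64decode(line.split()[1]))

def fingerprint_from_private(pem):
    # The public blob is stored unencrypted in the container, so this never
    # decodes the private section and works for passphrase-protected keys too.
    lines = [l.strip() for l in pem.strip().splitlines()]  # tolerate CRLF, stray spaces
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an OpenSSH-format private key (BEGIN/END lines missing)")
    raw = base64.b64decode("".join(lines[1:-1]))
    if not raw.startswith(MAGIC):
        raise ValueError("bad magic")
    off = len(MAGIC)
    for _ in range(3):  # skip ciphername, kdfname, kdfoptions
        _, off = read_string(raw, off)
    (nkeys,) = struct.unpack_from(">I", raw, off)
    if nkeys != 1:
        raise ValueError("expected exactly one key")
    return fingerprint(read_string(raw, off + 4)[0])

def make_constructed_pair(seed):
    # Constructed, non-functional sample: a container with fake key bytes plus its .pub line.
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = s(b"ssh-ed25519") + s(hashlib.sha256(seed).digest())
    raw = MAGIC + s(b"none") * 2 + s(b"") + struct.pack(">I", 1) + s(blob) + s(b"\0" * 8)
    b64 = base64.b64encode(raw).decode()
    body = "\r\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{BEGIN}\r\n{body}\r\n{END}\r\n", "ssh-ed25519 " + base64.b64encode(blob).decode()

if __name__ == "__main__":
    secret, uploaded = make_constructed_pair(b"key stored in the GitHub secret")
    _, other = make_constructed_pair(b"a different key uploaded to the portal")
    print(fingerprint_from_private(secret), fingerprint_from_public(uploaded), fingerprint_from_public(other))
```

A fingerprint from the secret that differs from every uploaded key's fingerprint reproduces the server-side finding; a `ValueError` on the secret itself points at a key that is not in OpenSSH format or was damaged when pasted.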