From fd34b8dee206fe74b288a5e61bc95fba2f1911eb Mon Sep 17 00:00:00 2001 From: wolf++ Date: Thu, 2 Nov 2023 09:03:13 -0700 Subject: [PATCH 01/12] Update README.md to reflect latest version (#196) --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 46c74a5..96f0dae 100644 --- a/README.md +++ b/README.md @@ -36,8 +36,8 @@ jobs: ... steps: - uses: actions/checkout@v3 - # Make sure the @v0.7.0 matches the current version of the action - - uses: webfactory/ssh-agent@v0.7.0 + # Make sure the @v0.8.0 matches the current version of the action + - uses: webfactory/ssh-agent@v0.8.0 with: ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} # ... other steps @@ -52,7 +52,7 @@ You can set up different keys as different secrets and pass them all to the acti ```yaml # ... contents as before - - uses: webfactory/ssh-agent@v0.7.0 + - uses: webfactory/ssh-agent@v0.8.0 with: ssh-private-key: | ${{ secrets.FIRST_KEY }} From 2e59dd7d06f6a994bb6366e0639c13fb756e8bb6 Mon Sep 17 00:00:00 2001 From: Benjamin Ragheb Date: Mon, 5 Feb 2024 01:37:14 -0500 Subject: [PATCH 02/12] Remove outdated claim from README (#206) Since #171 was merged, this action no longer touches `known_hosts`; this line should have been removed from the README at that time. --- README.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 96f0dae..253a405 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,9 @@ # `ssh-agent` GitHub Action -This action -* starts the `ssh-agent`, -* exports the `SSH_AUTH_SOCK` environment variable, -* loads one or several private SSH key into the agent and -* configures `known_hosts` for GitHub.com. +This action +* starts the `ssh-agent`, +* exports the `SSH_AUTH_SOCK` environment variable, and +* loads one or several private SSH key into the agent. It should work in all GitHub Actions virtual environments, including container-based workflows. 
From 9f6f312a31523794f99d8264ed8b069d8a395733 Mon Sep 17 00:00:00 2001 From: Felix Seifert Date: Tue, 6 Feb 2024 09:38:02 +0100 Subject: [PATCH 03/12] chore: update all versions of `actions/checkout` to v4 (#199) In this PR, I update the `actions/checkout` versions. When I recently started using this action, I was confused about whether it works with the newest checkout action. I tested it and everything is fine. For future users, we should display examples with the newest versions. --- .github/workflows/demo.yml | 4 ++-- README.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/demo.yml b/.github/workflows/demo.yml index 1cfd2a1..42a1e26 100644 --- a/.github/workflows/demo.yml +++ b/.github/workflows/demo.yml @@ -8,7 +8,7 @@ jobs: os: [ ubuntu-latest, macOS-latest, windows-latest ] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Setup key uses: ./ with: @@ -28,7 +28,7 @@ jobs: container: image: ubuntu:latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - run: apt update && apt install -y openssh-client git - name: Setup key uses: ./ diff --git a/README.md b/README.md index 253a405..cc19dbc 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ GitHub Actions only have access to the repository they run for. So, in order to * In your repository, go to the *Settings > Secrets* menu and create a new secret. In this example, we'll call it `SSH_PRIVATE_KEY`. * Put the contents of the *private* SSH key file into the contents field.
* This key should start with `-----BEGIN ... PRIVATE KEY-----`, consist of many lines and ends with `-----END ... PRIVATE KEY-----`. -5. In your workflow definition file, add the following step. Preferably this would be rather on top, near the `actions/checkout@v2` line. +5. In your workflow definition file, add the following step. Preferably this would be rather on top, near the `actions/checkout@v4` line. ```yaml # .github/workflows/my-workflow.yml @@ -34,7 +34,7 @@ jobs: my_job: ... steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Make sure the @v0.8.0 matches the current version of the action - uses: webfactory/ssh-agent@v0.8.0 with: From 204eb35a4ecff7628304146c9d326f72b532fc1f Mon Sep 17 00:00:00 2001 From: Kevin Glavin Date: Tue, 6 Feb 2024 04:26:21 -0500 Subject: [PATCH 04/12] Bump to `node20` (#201) Fix for deprecated node16 Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: webfactory/ssh-agent@v0.8.0. For more information see: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/ --- action.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 4c54ef5..8f32cc8 100644 --- a/action.yml +++ b/action.yml @@ -20,10 +20,11 @@ inputs: description: 'git command' required: false runs: - using: 'node16' + using: 'node20' main: 'dist/index.js' post: 'dist/cleanup.js' post-if: 'always()' + branding: icon: loader color: 'yellow' From dc588b651fe13675774614f8e6a936a468676387 Mon Sep 17 00:00:00 2001 From: Matthias Pigulla Date: Tue, 6 Feb 2024 10:28:20 +0100 Subject: [PATCH 05/12] Update version numbers in the README examples --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index cc19dbc..3028201 100644 --- a/README.md +++ b/README.md 
@@ -35,8 +35,8 @@ jobs: ... steps: - uses: actions/checkout@v4 - # Make sure the @v0.8.0 matches the current version of the action - - uses: webfactory/ssh-agent@v0.8.0 + # Make sure the @v0.9.0 matches the current version of the action + - uses: webfactory/ssh-agent@v0.9.0 with: ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} # ... other steps @@ -51,7 +51,7 @@ You can set up different keys as different secrets and pass them all to the acti ```yaml # ... contents as before - - uses: webfactory/ssh-agent@v0.8.0 + - uses: webfactory/ssh-agent@v0.9.0 with: ssh-private-key: | ${{ secrets.FIRST_KEY }} From b504c19775343714e11b8c754e4fe1f02dc7b8e7 Mon Sep 17 00:00:00 2001 From: Jano Paetzold Date: Wed, 8 Jan 2025 17:52:14 +0100 Subject: [PATCH 06/12] Update CHANGELOG.md --- CHANGELOG.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 811af67..572a902 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## v0.9.0 [2024-02-06] + +### Changed + +* Update all versions of `actions/checkout` to v4 (#199) +* Update to Node 20 (#201) + +## v0.8.0 [2023-03-24] + +### Changed + +* No longer writing GitHub's SSH host keys to `known_hosts` (#171) +* Update to actions/checkout@v3 (#143) +* Allow the user to override the commands for git, ssh-agent, and ssh-add (#154) + ## v0.7.0 [2022-10-19] ### Added From e3f1a8e046525bfed3725ef54a31ca91aed399f4 Mon Sep 17 00:00:00 2001 
From: Jano Paetzold Date: Wed, 8 Jan 2025 17:59:51 +0100 Subject: [PATCH 07/12] Acknowledge custom command inputs in cleanup.js (#235) Refactored version of https://github.com/webfactory/ssh-agent/pull/183. Fixes: https://github.com/webfactory/ssh-agent/issues/208 --- CHANGELOG.md | 4 +++ cleanup.js | 1 - dist/cleanup.js | 72 +++++++++++++++++++++---------------------- dist/index.js | 81 +++++++++++++++++++++---------------------------- index.js | 10 +----- paths.js | 14 ++++++++- 6 files changed, 87 insertions(+), 95 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 572a902..2c733d3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Fixed + +* Fix path used to execute ssh-agent in cleanup.js to respect custom paths set by input (#235) + ## v0.9.0 [2024-02-06] ### Changed diff --git a/cleanup.js b/cleanup.js index 6b7ab7d..71c657b 100644 --- a/cleanup.js +++ b/cleanup.js @@ -1,4 +1,3 @@ -const core = require('@actions/core'); const { execFileSync } = require('child_process'); const { sshAgentCmd } = require('./paths.js'); diff --git a/dist/cleanup.js b/dist/cleanup.js index 61fc276..7e478b7 100644 --- a/dist/cleanup.js +++ b/dist/cleanup.js 
@@ -292,14 +292,13 @@ var __importStar = (this && this.__importStar) || function (mod) { return result; }; Object.defineProperty(exports, "__esModule", { value: true }); -exports.prepareKeyValueMessage = exports.issueFileCommand = void 0; +exports.issueCommand = void 0; // We use any as a valid input type /* eslint-disable @typescript-eslint/no-explicit-any */ const fs = __importStar(__webpack_require__(747)); const os = __importStar(__webpack_require__(87)); -const uuid_1 = __webpack_require__(62); const utils_1 = __webpack_require__(82); -function issueFileCommand(command, message) { +function issueCommand(command, message) { const filePath = process.env[`GITHUB_${command}`]; if (!filePath) { throw new Error(`Unable to find environment variable for file command ${command}`); @@ -311,22 +310,7 @@ function issueFileCommand(command, message) { encoding: 'utf8' }); } -exports.issueFileCommand = issueFileCommand; -function prepareKeyValueMessage(key, value) { - const delimiter = `ghadelimiter_${uuid_1.v4()}`; - const convertedValue = utils_1.toCommandValue(value); - // These should realistically never happen, but just in case someone finds a - // way to exploit uuid generation let's not allow keys or values that contain - // the delimiter. - if (key.includes(delimiter)) { - throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); - } - if (convertedValue.includes(delimiter)) { - throw new Error(`Unexpected input: value should not contain the delimiter "${delimiter}"`); - } - return `${key}<<${delimiter}${os.EOL}${convertedValue}${os.EOL}${delimiter}`; -} -exports.prepareKeyValueMessage = prepareKeyValueMessage; +exports.issueCommand = issueCommand; //# sourceMappingURL=file-command.js.map /***/ }), 
@@ -613,7 +597,6 @@ exports.debug = debug; // for test /***/ 175: /***/ (function(__unusedmodule, __unusedexports, __webpack_require__) { -const core = __webpack_require__(470); const { execFileSync } = __webpack_require__(129); const { sshAgentCmd } = __webpack_require__(972); @@ -1684,6 +1667,7 @@ const file_command_1 = __webpack_require__(102); const utils_1 = __webpack_require__(82); const os = __importStar(__webpack_require__(87)); const path = __importStar(__webpack_require__(622)); +const uuid_1 = __webpack_require__(62); const oidc_utils_1 = __webpack_require__(742); /** * The code to exit an action @@ -1713,9 +1697,20 @@ function exportVariable(name, val) { process.env[name] = convertedVal; const filePath = process.env['GITHUB_ENV'] || ''; if (filePath) { - return file_command_1.issueFileCommand('ENV', file_command_1.prepareKeyValueMessage(name, val)); + const delimiter = `ghadelimiter_${uuid_1.v4()}`; + // These should realistically never happen, but just in case someone finds a way to exploit uuid generation let's not allow keys or values that contain the delimiter. + if (name.includes(delimiter)) { + throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); + } + if (convertedVal.includes(delimiter)) { + throw new Error(`Unexpected input: value should not contain the delimiter "${delimiter}"`); + } + const commandValue = `${name}<<${delimiter}${os.EOL}${convertedVal}${os.EOL}${delimiter}`; + file_command_1.issueCommand('ENV', commandValue); + } + else { + command_1.issueCommand('set-env', { name }, convertedVal); } - command_1.issueCommand('set-env', { name }, convertedVal); } exports.exportVariable = exportVariable; /** 
@@ -1733,7 +1728,7 @@ exports.setSecret = setSecret; function addPath(inputPath) { const filePath = process.env['GITHUB_PATH'] || ''; if (filePath) { - file_command_1.issueFileCommand('PATH', inputPath); + file_command_1.issueCommand('PATH', inputPath); } else { command_1.issueCommand('add-path', {}, inputPath); @@ -1773,10 +1768,7 @@ function getMultilineInput(name, options) { const inputs = getInput(name, options) .split('\n') .filter(x => x !== ''); - if (options && options.trimWhitespace === false) { - return inputs; - } - return inputs.map(input => input.trim()); + return inputs; } exports.getMultilineInput = getMultilineInput; /** @@ -1809,12 +1801,8 @@ exports.getBooleanInput = getBooleanInput; */ // eslint-disable-next-line @typescript-eslint/no-explicit-any function setOutput(name, value) { - const filePath = process.env['GITHUB_OUTPUT'] || ''; - if (filePath) { - return file_command_1.issueFileCommand('OUTPUT', file_command_1.prepareKeyValueMessage(name, value)); - } process.stdout.write(os.EOL); - command_1.issueCommand('set-output', { name }, utils_1.toCommandValue(value)); + command_1.issueCommand('set-output', { name }, value); } exports.setOutput = setOutput; /** @@ -1943,11 +1931,7 @@ exports.group = group; */ // eslint-disable-next-line @typescript-eslint/no-explicit-any function saveState(name, value) { - const filePath = process.env['GITHUB_STATE'] || ''; - if (filePath) { - return file_command_1.issueFileCommand('STATE', file_command_1.prepareKeyValueMessage(name, value)); - } - command_1.issueCommand('save-state', { name }, utils_1.toCommandValue(value)); + command_1.issueCommand('save-state', { name }, value); } exports.saveState = saveState; /** 
@@ -2837,8 +2821,9 @@ exports.default = _default; /***/ (function(module, __unusedexports, __webpack_require__) { const os = __webpack_require__(87); +const core = __webpack_require__(470); -module.exports = (process.env['OS'] != 'Windows_NT') ? { +const defaults = (process.env['OS'] != 'Windows_NT') ? { // Use getent() system call, since this is what ssh does; makes a difference in Docker-based // Action runs, where $HOME is different from the pwent homePath: os.userInfo().homedir, @@ -2853,6 +2838,17 @@ module.exports = (process.env['OS'] != 'Windows_NT') ? { gitCmdDefault: 'c://progra~1//git//bin//git.exe' }; +const sshAgentCmdInput = core.getInput('ssh-agent-cmd'); +const sshAddCmdInput = core.getInput('ssh-add-cmd'); +const gitCmdInput = core.getInput('git-cmd'); + +module.exports = { + homePath: defaults.homePath, + sshAgentCmd: sshAgentCmdInput !== '' ? sshAgentCmdInput : defaults.sshAgentCmdDefault, + sshAddCmd: sshAddCmdInput !== '' ? sshAddCmdInput : defaults.sshAddCmdDefault, + gitCmd: gitCmdInput !== '' ? gitCmdInput : defaults.gitCmdDefault, +}; + /***/ }) diff --git a/dist/index.js b/dist/index.js index 2c23f23..3f288c7 100644 --- a/dist/index.js +++ b/dist/index.js @@ -292,14 +292,13 @@ var __importStar = (this && this.__importStar) || function (mod) { return result; }; Object.defineProperty(exports, "__esModule", { value: true }); -exports.prepareKeyValueMessage = exports.issueFileCommand = void 0; +exports.issueCommand = void 0; // We use any as a valid input type /* eslint-disable @typescript-eslint/no-explicit-any */ const fs = __importStar(__webpack_require__(747)); const os = __importStar(__webpack_require__(87)); -const uuid_1 = __webpack_require__(62); const utils_1 = __webpack_require__(82); -function issueFileCommand(command, message) { +function issueCommand(command, message) { const filePath = process.env[`GITHUB_${command}`]; if (!filePath) { throw new Error(`Unable to find environment variable for file command ${command}`); 
@@ -311,22 +310,7 @@ function issueFileCommand(command, message) { encoding: 'utf8' }); } -exports.issueFileCommand = issueFileCommand; -function prepareKeyValueMessage(key, value) { - const delimiter = `ghadelimiter_${uuid_1.v4()}`; - const convertedValue = utils_1.toCommandValue(value); - // These should realistically never happen, but just in case someone finds a - // way to exploit uuid generation let's not allow keys or values that contain - // the delimiter. - if (key.includes(delimiter)) { - throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); - } - if (convertedValue.includes(delimiter)) { - throw new Error(`Unexpected input: value should not contain the delimiter "${delimiter}"`); - } - return `${key}<<${delimiter}${os.EOL}${convertedValue}${os.EOL}${delimiter}`; -} -exports.prepareKeyValueMessage = prepareKeyValueMessage; +exports.issueCommand = issueCommand; //# sourceMappingURL=file-command.js.map /***/ }), 
@@ -338,20 +322,12 @@ const core = __webpack_require__(470); const child_process = __webpack_require__(129); const fs = __webpack_require__(747); const crypto = __webpack_require__(417); -const { homePath, sshAgentCmdDefault, sshAddCmdDefault, gitCmdDefault } = __webpack_require__(972); +const { homePath, sshAgentCmd, sshAddCmd, gitCmd } = __webpack_require__(972); try { const privateKey = core.getInput('ssh-private-key'); const logPublicKey = core.getBooleanInput('log-public-key', {default: true}); - const sshAgentCmdInput = core.getInput('ssh-agent-cmd'); - const sshAddCmdInput = core.getInput('ssh-add-cmd'); - const gitCmdInput = core.getInput('git-cmd'); - - const sshAgentCmd = sshAgentCmdInput ? sshAgentCmdInput : sshAgentCmdDefault; - const sshAddCmd = sshAddCmdInput ? sshAddCmdInput : sshAddCmdDefault; - const gitCmd = gitCmdInput ? gitCmdInput : gitCmdDefault; - if (!privateKey) { core.setFailed("The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file."); @@ -1765,6 +1741,7 @@ const file_command_1 = __webpack_require__(102); const utils_1 = __webpack_require__(82); const os = __importStar(__webpack_require__(87)); const path = __importStar(__webpack_require__(622)); +const uuid_1 = __webpack_require__(62); const oidc_utils_1 = __webpack_require__(742); /** * The code to exit an action 
@@ -1794,9 +1771,20 @@ function exportVariable(name, val) { process.env[name] = convertedVal; const filePath = process.env['GITHUB_ENV'] || ''; if (filePath) { - return file_command_1.issueFileCommand('ENV', file_command_1.prepareKeyValueMessage(name, val)); + const delimiter = `ghadelimiter_${uuid_1.v4()}`; + // These should realistically never happen, but just in case someone finds a way to exploit uuid generation let's not allow keys or values that contain the delimiter. + if (name.includes(delimiter)) { + throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); + } + if (convertedVal.includes(delimiter)) { + throw new Error(`Unexpected input: value should not contain the delimiter "${delimiter}"`); + } + const commandValue = `${name}<<${delimiter}${os.EOL}${convertedVal}${os.EOL}${delimiter}`; + file_command_1.issueCommand('ENV', commandValue); + } + else { + command_1.issueCommand('set-env', { name }, convertedVal); } - command_1.issueCommand('set-env', { name }, convertedVal); } exports.exportVariable = exportVariable; /** @@ -1814,7 +1802,7 @@ exports.setSecret = setSecret; function addPath(inputPath) { const filePath = process.env['GITHUB_PATH'] || ''; if (filePath) { - file_command_1.issueFileCommand('PATH', inputPath); + file_command_1.issueCommand('PATH', inputPath); } else { command_1.issueCommand('add-path', {}, inputPath); @@ -1854,10 +1842,7 @@ function getMultilineInput(name, options) { const inputs = getInput(name, options) .split('\n') .filter(x => x !== ''); - if (options && options.trimWhitespace === false) { - return inputs; - } - return inputs.map(input => input.trim()); + return inputs; } exports.getMultilineInput = getMultilineInput; /** 
@@ -1890,12 +1875,8 @@ exports.getBooleanInput = getBooleanInput; */ // eslint-disable-next-line @typescript-eslint/no-explicit-any function setOutput(name, value) { - const filePath = process.env['GITHUB_OUTPUT'] || ''; - if (filePath) { - return file_command_1.issueFileCommand('OUTPUT', file_command_1.prepareKeyValueMessage(name, value)); - } process.stdout.write(os.EOL); - command_1.issueCommand('set-output', { name }, utils_1.toCommandValue(value)); + command_1.issueCommand('set-output', { name }, value); } exports.setOutput = setOutput; /** @@ -2024,11 +2005,7 @@ exports.group = group; */ // eslint-disable-next-line @typescript-eslint/no-explicit-any function saveState(name, value) { - const filePath = process.env['GITHUB_STATE'] || ''; - if (filePath) { - return file_command_1.issueFileCommand('STATE', file_command_1.prepareKeyValueMessage(name, value)); - } - command_1.issueCommand('save-state', { name }, utils_1.toCommandValue(value)); + command_1.issueCommand('save-state', { name }, value); } exports.saveState = saveState; /** @@ -2918,8 +2895,9 @@ exports.default = _default; /***/ (function(module, __unusedexports, __webpack_require__) { const os = __webpack_require__(87); +const core = __webpack_require__(470); -module.exports = (process.env['OS'] != 'Windows_NT') ? { +const defaults = (process.env['OS'] != 'Windows_NT') ? { // Use getent() system call, since this is what ssh does; makes a difference in Docker-based // Action runs, where $HOME is different from the pwent homePath: os.userInfo().homedir, 
@@ -2934,6 +2912,17 @@ module.exports = (process.env['OS'] != 'Windows_NT') ? { gitCmdDefault: 'c://progra~1//git//bin//git.exe' }; +const sshAgentCmdInput = core.getInput('ssh-agent-cmd'); +const sshAddCmdInput = core.getInput('ssh-add-cmd'); +const gitCmdInput = core.getInput('git-cmd'); + +module.exports = { + homePath: defaults.homePath, + sshAgentCmd: sshAgentCmdInput !== '' ? sshAgentCmdInput : defaults.sshAgentCmdDefault, + sshAddCmd: sshAddCmdInput !== '' ? sshAddCmdInput : defaults.sshAddCmdDefault, + gitCmd: gitCmdInput !== '' ? gitCmdInput : defaults.gitCmdDefault, +}; + /***/ }) diff --git a/index.js b/index.js index 0c2e08b..d28a764 100644 --- a/index.js +++ b/index.js @@ -2,20 +2,12 @@ const core = require('@actions/core'); const child_process = require('child_process'); const fs = require('fs'); const crypto = require('crypto'); -const { homePath, sshAgentCmdDefault, sshAddCmdDefault, gitCmdDefault } = require('./paths.js'); +const { homePath, sshAgentCmd, sshAddCmd, gitCmd } = require('./paths.js'); try { const privateKey = core.getInput('ssh-private-key'); const logPublicKey = core.getBooleanInput('log-public-key', {default: true}); - const sshAgentCmdInput = core.getInput('ssh-agent-cmd'); - const sshAddCmdInput = core.getInput('ssh-add-cmd'); - const gitCmdInput = core.getInput('git-cmd'); - - const sshAgentCmd = sshAgentCmdInput ? sshAgentCmdInput : sshAgentCmdDefault; - const sshAddCmd = sshAddCmdInput ? sshAddCmdInput : sshAddCmdDefault; - const gitCmd = gitCmdInput ? gitCmdInput : gitCmdDefault; - if (!privateKey) { core.setFailed("The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file."); diff --git a/paths.js b/paths.js index 1c6fbf0..bd4cd30 100644 --- a/paths.js +++ b/paths.js 
@@ -1,6 +1,7 @@ const os = require('os'); +const core = require('@actions/core'); -module.exports = (process.env['OS'] != 'Windows_NT') ? { +const defaults = (process.env['OS'] != 'Windows_NT') ? { // Use getent() system call, since this is what ssh does; makes a difference in Docker-based // Action runs, where $HOME is different from the pwent homePath: os.userInfo().homedir, @@ -14,3 +15,14 @@ module.exports = (process.env['OS'] != 'Windows_NT') ? { sshAddCmdDefault: 'c://progra~1//git//usr//bin//ssh-add.exe', gitCmdDefault: 'c://progra~1//git//bin//git.exe' }; + +const sshAgentCmdInput = core.getInput('ssh-agent-cmd'); +const sshAddCmdInput = core.getInput('ssh-add-cmd'); +const gitCmdInput = core.getInput('git-cmd'); + +module.exports = { + homePath: defaults.homePath, + sshAgentCmd: sshAgentCmdInput !== '' ? sshAgentCmdInput : defaults.sshAgentCmdDefault, + sshAddCmd: sshAddCmdInput !== '' ? sshAddCmdInput : defaults.sshAddCmdDefault, + gitCmd: gitCmdInput !== '' ? gitCmdInput : defaults.gitCmdDefault, +}; From 72c0bfd31ab22a2e11716951e3f107a9647dc97e Mon Sep 17 00:00:00 2001 From: Jano Paetzold Date: Wed, 8 Jan 2025 18:58:23 +0100 Subject: [PATCH 08/12] Improve documentation on why we use os.userInfo() (use correct syscall name) Co-authored-by: Matthias Pigulla --- paths.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/paths.js b/paths.js index bd4cd30..f440579 100644 --- a/paths.js +++ b/paths.js 
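Review bot: The second paths.js hunk reads `ssh-agent-cmd`, `ssh-add-cmd` and `git-cmd` at require time and exports them as the resolved binaries, but nothing in the module documents that these values end up being executed. cleanup.js imports `execFileSync` next to `sshAgentCmd`, so the post step presumably runs whatever the input names; a comment above `module.exports` would make that contract explicit, e.g. `// These inputs are run as executables in both the main and post steps; set them only from static workflow configuration.` Separately, the dist/cleanup.js and dist/index.js hunks in this same commit replace `issueFileCommand`/`prepareKeyValueMessage` with the older `issueCommand('set-output', …)` and `issueCommand('save-state', …)` code paths and drop the `trimWhitespace` handling. That suggests the bundles were rebuilt against an older `@actions/core` than the previous build used, so it is worth regenerating dist from the locked dependencies and confirming the bundle diff contains only the paths.js/index.js change.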
@@ -2,8 +2,9 @@ const os = require('os'); const core = require('@actions/core'); const defaults = (process.env['OS'] != 'Windows_NT') ? { - // Use getent() system call, since this is what ssh does; makes a difference in Docker-based - // Action runs, where $HOME is different from the pwent + // We use os.userInfo() rather than os.homedir(), since it uses the getpwuid() system call to get the user's home directory (see https://nodejs.org/api/os.html#osuserinfooptions). + // This mimics the way openssh derives the home directory for locating config files (see https://github.com/openssh/openssh-portable/blob/826483d51a9fee60703298bbf839d9ce37943474/ssh.c#L710); + // Makes a difference in Docker-based Action runs, when $HOME is different from what getpwuid() returns (which is based on the entry in /etc/passwd) homePath: os.userInfo().homedir, sshAgentCmdDefault: 'ssh-agent', sshAddCmdDefault: 'ssh-add', From a6f90b1f127823b31d4d4a8d96047790581349bd Mon Sep 17 00:00:00 2001 From: Jano Paetzold Date: Mon, 17 Mar 2025 15:05:58 +0100 Subject: [PATCH 09/12] Release v0.9.1 --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2c733d3..dc99093 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## v0.9.1 [2024-03-17] + ### Fixed * Fix path used to execute ssh-agent in cleanup.js to respect custom paths set by input (#235) From 1903dde042a5db33d198a8e64eca5f0c78edaf0b Mon Sep 17 00:00:00 2001 From: Kaare Hoff Skovgaard Date: Mon, 30 Jun 2025 21:05:36 +0200 Subject: [PATCH 10/12] Read out HOME instead of the os query info As when using the gitea-actions-runner on NixOS it is using systemd dynamic user --- dist/cleanup.js | 4 +--- dist/index.js | 4 +--- paths.js | 49 +++++++++++++++++++++++++------------------------ 3 files changed, 27 insertions(+), 30 deletions(-) 
diff --git a/dist/cleanup.js b/dist/cleanup.js index 7e478b7..18202e4 100644 --- a/dist/cleanup.js +++ b/dist/cleanup.js @@ -2824,9 +2824,7 @@ const os = __webpack_require__(87); const core = __webpack_require__(470); const defaults = (process.env['OS'] != 'Windows_NT') ? { - // Use getent() system call, since this is what ssh does; makes a difference in Docker-based - // Action runs, where $HOME is different from the pwent - homePath: os.userInfo().homedir, + homePath: os.homedir(), sshAgentCmdDefault: 'ssh-agent', sshAddCmdDefault: 'ssh-add', gitCmdDefault: 'git' diff --git a/dist/index.js b/dist/index.js index 3f288c7..5be2d35 100644 --- a/dist/index.js +++ b/dist/index.js @@ -2898,9 +2898,7 @@ const os = __webpack_require__(87); const core = __webpack_require__(470); const defaults = (process.env['OS'] != 'Windows_NT') ? { - // Use getent() system call, since this is what ssh does; makes a difference in Docker-based - // Action runs, where $HOME is different from the pwent - homePath: os.userInfo().homedir, + homePath: os.homedir(), sshAgentCmdDefault: 'ssh-agent', sshAddCmdDefault: 'ssh-add', gitCmdDefault: 'git' diff --git a/paths.js b/paths.js index f440579..7966262 100644 --- a/paths.js +++ b/paths.js 
@@ -1,29 +1,30 @@ -const os = require('os'); -const core = require('@actions/core'); +const os = require("os"); +const core = require("@actions/core"); -const defaults = (process.env['OS'] != 'Windows_NT') ? { - // We use os.userInfo() rather than os.homedir(), since it uses the getpwuid() system call to get the user's home directory (see https://nodejs.org/api/os.html#osuserinfooptions). - // This mimics the way openssh derives the home directory for locating config files (see https://github.com/openssh/openssh-portable/blob/826483d51a9fee60703298bbf839d9ce37943474/ssh.c#L710); - // Makes a difference in Docker-based Action runs, when $HOME is different from what getpwuid() returns (which is based on the entry in /etc/passwd) - homePath: os.userInfo().homedir, - sshAgentCmdDefault: 'ssh-agent', - sshAddCmdDefault: 'ssh-add', - gitCmdDefault: 'git' -} : { - // Assuming GitHub hosted `windows-*` runners for now - homePath: os.homedir(), - sshAgentCmdDefault: 'c://progra~1//git//usr//bin//ssh-agent.exe', - sshAddCmdDefault: 'c://progra~1//git//usr//bin//ssh-add.exe', - gitCmdDefault: 'c://progra~1//git//bin//git.exe' -}; +const defaults = + process.env["OS"] != "Windows_NT" + ? 
{ + homePath: os.homedir(), + sshAgentCmdDefault: "ssh-agent", + sshAddCmdDefault: "ssh-add", + gitCmdDefault: "git", + } + : { + // Assuming GitHub hosted `windows-*` runners for now + homePath: os.homedir(), + sshAgentCmdDefault: "c://progra~1//git//usr//bin//ssh-agent.exe", + sshAddCmdDefault: "c://progra~1//git//usr//bin//ssh-add.exe", + gitCmdDefault: "c://progra~1//git//bin//git.exe", + }; -const sshAgentCmdInput = core.getInput('ssh-agent-cmd'); -const sshAddCmdInput = core.getInput('ssh-add-cmd'); -const gitCmdInput = core.getInput('git-cmd'); +const sshAgentCmdInput = core.getInput("ssh-agent-cmd"); +const sshAddCmdInput = core.getInput("ssh-add-cmd"); +const gitCmdInput = core.getInput("git-cmd"); module.exports = { - homePath: defaults.homePath, - sshAgentCmd: sshAgentCmdInput !== '' ? sshAgentCmdInput : defaults.sshAgentCmdDefault, - sshAddCmd: sshAddCmdInput !== '' ? sshAddCmdInput : defaults.sshAddCmdDefault, - gitCmd: gitCmdInput !== '' ? gitCmdInput : defaults.gitCmdDefault, + homePath: defaults.homePath, + sshAgentCmd: + sshAgentCmdInput !== "" ? sshAgentCmdInput : defaults.sshAgentCmdDefault, + sshAddCmd: sshAddCmdInput !== "" ? sshAddCmdInput : defaults.sshAddCmdDefault, + gitCmd: gitCmdInput !== "" ? gitCmdInput : defaults.gitCmdDefault, }; From 72dbd50b251dfb206c0154d4177f968a7fdca778 Mon Sep 17 00:00:00 2001 From: Kaare Hoff Skovgaard Date: Mon, 30 Jun 2025 21:15:54 +0200 Subject: [PATCH 11/12] Remove .github folder --- .github/workflows/demo.yml | 46 -------------------------------------- 1 file changed, 46 deletions(-) delete mode 100644 .github/workflows/demo.yml diff --git a/.github/workflows/demo.yml b/.github/workflows/demo.yml deleted file mode 100644 index 42a1e26..0000000 --- a/.github/workflows/demo.yml +++ /dev/null 
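Review bot: Switching the non-Windows `homePath` from `os.userInfo().homedir` to `os.homedir()` discards the behaviour that the deleted comment documented: OpenSSH locates its per-user files through getpwuid(), so in container jobs where $HOME differs from the passwd entry, anything the action places under `homePath` may land where ssh does not look. The hunk adds no replacement comment and combines the one behavioural line with a quote and indentation reformat of the whole file, which makes the change easy to miss in review. If the $HOME lookup is needed for dynamic-user runners, consider keeping the passwd lookup as the default and documenting the trade-off next to the value, e.g. `// os.homedir() follows $HOME; OpenSSH resolves ~ via getpwuid(), so the two can differ in container jobs`. Both branches of the ternary now set the same `homePath`, so that key could be hoisted out of it.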
@@ -1,46 +0,0 @@ -on: [ push, pull_request ] - -jobs: - deployment_keys_demo: - strategy: - fail-fast: false - matrix: - os: [ ubuntu-latest, macOS-latest, windows-latest ] - runs-on: ${{ matrix.os }} - steps: - - uses: actions/checkout@v4 - - name: Setup key - uses: ./ - with: - ssh-private-key: | - ${{ secrets.MPDUDE_TEST_1_DEPLOY_KEY }} - ${{ secrets.MPDUDE_TEST_2_DEPLOY_KEY }} - - run: | - git clone https://github.com/mpdude/test-1.git test-1-http - git clone git@github.com:mpdude/test-1.git test-1-git - git clone ssh://git@github.com/mpdude/test-1.git test-1-git-ssh - git clone https://github.com/mpdude/test-2.git test-2-http - git clone git@github.com:mpdude/test-2.git test-2-git - git clone ssh://git@github.com/mpdude/test-2.git test-2-git-ssh - - docker_demo: - runs-on: ubuntu-latest - container: - image: ubuntu:latest - steps: - - uses: actions/checkout@v4 - - run: apt update && apt install -y openssh-client git - - name: Setup key - uses: ./ - with: - ssh-private-key: | - ${{ secrets.MPDUDE_TEST_1_DEPLOY_KEY }} - ${{ secrets.MPDUDE_TEST_2_DEPLOY_KEY }} - - run: | - git clone https://github.com/mpdude/test-1.git test-1-http - git clone git@github.com:mpdude/test-1.git test-1-git - git clone ssh://git@github.com/mpdude/test-1.git test-1-git-ssh - git clone https://github.com/mpdude/test-2.git test-2-http - git clone git@github.com:mpdude/test-2.git test-2-git - git clone ssh://git@github.com/mpdude/test-2.git test-2-git-ssh - From e1c97d5d85b0188a6ac35e8c2e079a9f797cce14 Mon Sep 17 00:00:00 2001 From: Kaare Hoff Skovgaard Date: Mon, 30 Jun 2025 21:08:28 +0200 Subject: [PATCH 12/12] Release 0.9.2 --- CHANGELOG.md | 70 +++++++++++++++++++++++++++------------------------- 1 file changed, 37 insertions(+), 33 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dc99093..d66e0b0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,133 +7,137 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## v0.9.2 [2025-06-30] (khs.codes)
+
+- Support running under NixOS with dynamic user setting, or at least attempt to
+
 ## v0.9.1 [2024-03-17]
 ### Fixed
-* Fix path used to execute ssh-agent in cleanup.js to respect custom paths set by input (#235)
+- Fix path used to execute ssh-agent in cleanup.js to respect custom paths set by input (#235)
 ## v0.9.0 [2024-02-06]
 ### Changed
-* Update all versions of `actions/checkout` to v4 (#199)
-* Update to Node 20 (#201)
+- Update all versions of `actions/checkout` to v4 (#199)
+- Update to Node 20 (#201)
 ## v0.8.0 [2023-03-24]
 ### Changed
-* No longer writing GitHub's SSH host keys to `known_hosts` (#171)
-* Update to actions/checkout@v3 (#143)
-* Allow the user to override the commands for git, ssh-agent, and ssh-add (#154)
+- No longer writing GitHub's SSH host keys to `known_hosts` (#171)
+- Update to actions/checkout@v3 (#143)
+- Allow the user to override the commands for git, ssh-agent, and ssh-add (#154)
 ## v0.7.0 [2022-10-19]
 ### Added
- * Add the `log-public-key` input that can be used to turn off logging key identities (#122)
+- Add the `log-public-key` input that can be used to turn off logging key identities (#122)
 ### Fixed
- * Fix path to `git` binary on Windows, assuming GitHub-hosted runners (#136, #137)
- * Fix a nonsensical log message (#139)
+- Fix path to `git` binary on Windows, assuming GitHub-hosted runners (#136, #137)
+- Fix a nonsensical log message (#139)
 ## v0.6.0 [2022-10-19]
 ### Changed
- * Update the version of Node used by the action from 12 to 16 (https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/).
+- Update the version of Node used by the action from 12 to 16 (https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/).
 ## v0.5.4 [2021-11-21]
 ### Fixed
- * Update changed GitHub Host Keys (#102, #101)
+- Update changed GitHub Host Keys (#102, #101)
 ### Changed
- * Various documentation (README) improvements and additions
- * Change logging to more precisely state that _public_ keys are being printed
+- Various documentation (README) improvements and additions
+- Change logging to more precisely state that _public_ keys are being printed
 ## v0.5.3 [2021-06-11]
 ### Fixed
- * Fixed cleanup phase to really terminate the ssh-agent (#80)
- * Fix termination of ssh-agent also on workflow failure (#79)
+- Fixed cleanup phase to really terminate the ssh-agent (#80)
+- Fix termination of ssh-agent also on workflow failure (#79)
 ### Changed
- * Various documentation (README) improvements and additions
+- Various documentation (README) improvements and additions
 ## v0.5.2 [2021-04-07]
 ### Fixed
- * Use case-insensitive regex matching when scanning key comments (#68, #70, #71)
+- Use case-insensitive regex matching when scanning key comments (#68, #70, #71)
 ### Changed
- * Log when a key is _not_ used as a deploy key (#69)
+- Log when a key is _not_ used as a deploy key (#69)
 ## v0.5.1 [2021-03-10]
 ### Fixed
- * Fix deployment key mapping on Windows virtual environment by using SSH binaries from the Git
- suite, terminate ssh-agent upon actio termination on Windows as well (#63)
- * Handle ENOENT exceptions with a graceful message
+- Fix deployment key mapping on Windows virtual environment by using SSH binaries from the Git
+ suite, terminate ssh-agent upon actio termination on Windows as well (#63)
+- Handle ENOENT exceptions with a graceful message
 ### Changed
- * Various documentation (README) improvements and additions
+- Various documentation (README) improvements and additions
 ## v0.5.0 [2021-02-19]
 ### Added
- * Add support for GitHub Deployment Keys through key comments (#59). Fixes #30, closes #38.
- * Support for container-based workflows and Windows (#17)
+- Add support for GitHub Deployment Keys through key comments (#59). Fixes #30, closes #38.
+- Support for container-based workflows and Windows (#17)
 ### Fixed
- * Fix scripts/build.js to work on Windows (#38)
+- Fix scripts/build.js to work on Windows (#38)
 ### Changed
- * Various documentation (README) improvements and additions
+- Various documentation (README) improvements and additions
 ## v0.4.1 [2020-10-07]
 ### Fixed
-* This action no longer relies on `set-env`, which has been deprecated.
+- This action no longer relies on `set-env`, which has been deprecated.
 ## v0.4.0
 ### Changed
-* A failure to kill the agent in the post-action step will no longer fail the workflow run. That way, you can kill the agent yourself when necessary (#33).
+- A failure to kill the agent in the post-action step will no longer fail the workflow run. That way, you can kill the agent yourself when necessary (#33).
 ## v0.3.0 [2020-05-18]
-### Added
+### Added
-* A new post-action step will automatically clean up the running agent at the end of a job. This helps with self-hosted runners, which are non-ephemeral. (@thommyhh, #27)
+- A new post-action step will automatically clean up the running agent at the end of a job. This helps with self-hosted runners, which are non-ephemeral. (@thommyhh, #27)
 ### Changed
-* Unless the SSH_AUTH_SOCK is configured explicitly, the SSH agent will now use a random file name for the socket. That way, multiple, concurrent SSH agents can be used on self-hosted runners. (@thommyhh, #27)
+- Unless the SSH_AUTH_SOCK is configured explicitly, the SSH agent will now use a random file name for the socket. That way, multiple, concurrent SSH agents can be used on self-hosted runners. (@thommyhh, #27)
 ## v0.2.0 [2020-01-14]
 ### Added
-* Multiple SSH keys can now be provided (#14, closes #7). Thanks to
+- Multiple SSH keys can now be provided (#14, closes #7). Thanks to
 @webknjaz and @bradmartin for support and tests.
-* Catch empty ssh-private-key input values and exit with a helpful
+- Catch empty ssh-private-key input values and exit with a helpful
 error message right away.
 ## v0.1.0 [2019-09-15]