Release 0.9.2

As when using the gitea-actions-runner on NixOS
it is using systemd dynamic user

.github/workflows/demo.yml

@@ -1,46 +0,0 @@
-on: [ push, pull_request ]
-
-jobs:
-    deployment_keys_demo:
-        strategy:
-            fail-fast: false
-            matrix:
-                os: [ ubuntu-latest, macOS-latest, windows-latest ]
-        runs-on: ${{ matrix.os }}
-        steps:
-            -   uses: actions/checkout@v2
-            -   name: Setup key
-                uses: ./
-                with:
-                    ssh-private-key: |
-                        ${{ secrets.MPDUDE_TEST_1_DEPLOY_KEY }}
-                        ${{ secrets.MPDUDE_TEST_2_DEPLOY_KEY }}
-            -   run: |
-                    git clone https://github.com/mpdude/test-1.git test-1-http
-                    git clone git@github.com:mpdude/test-1.git test-1-git
-                    git clone ssh://git@github.com/mpdude/test-1.git test-1-git-ssh
-                    git clone https://github.com/mpdude/test-2.git test-2-http
-                    git clone git@github.com:mpdude/test-2.git test-2-git
-                    git clone ssh://git@github.com/mpdude/test-2.git test-2-git-ssh
-
-    docker_demo:
-        runs-on: ubuntu-latest
-        container:
-            image: ubuntu:latest
-        steps:
-            -   uses: actions/checkout@v2
-            -   run: apt update && apt install -y openssh-client git
-            -   name: Setup key
-                uses: ./
-                with:
-                    ssh-private-key: |
-                        ${{ secrets.MPDUDE_TEST_1_DEPLOY_KEY }}
-                        ${{ secrets.MPDUDE_TEST_2_DEPLOY_KEY }}
-            -   run: |
-                    git clone https://github.com/mpdude/test-1.git test-1-http
-                    git clone git@github.com:mpdude/test-1.git test-1-git
-                    git clone ssh://git@github.com/mpdude/test-1.git test-1-git-ssh
-                    git clone https://github.com/mpdude/test-2.git test-2-http
-                    git clone git@github.com:mpdude/test-2.git test-2-git
-                    git clone ssh://git@github.com/mpdude/test-2.git test-2-git-ssh
-

CHANGELOG.md

@@ -7,101 +7,137 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## v0.9.2 [2025-06-30] (khs.codes)
+
+- Support running under NixOS with dynamic user setting, or at least attempt to
+
+## v0.9.1 [2024-03-17]
+
+### Fixed
+
+- Fix path used to execute ssh-agent in cleanup.js to respect custom paths set by input (#235)
+
+## v0.9.0 [2024-02-06]
+
+### Changed
+
+- Update all versions of `actions/checkout` to v4 (#199)
+- Update to Node 20 (#201)
+
+## v0.8.0 [2023-03-24]
+
+### Changed
+
+- No longer writing GitHub's SSH host keys to `known_hosts` (#171)
+- Update to actions/checkout@v3 (#143)
+- Allow the user to override the commands for git, ssh-agent, and ssh-add (#154)
+
+## v0.7.0 [2022-10-19]
+
+### Added
+
+- Add the `log-public-key` input that can be used to turn off logging key identities (#122)
+
+### Fixed
+
+- Fix path to `git` binary on Windows, assuming GitHub-hosted runners (#136, #137)
+- Fix a nonsensical log message (#139)
+
 ## v0.6.0 [2022-10-19]
 
 ### Changed
 
- * Update the version of Node used by the action from 12 to 16 (https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/).
+- Update the version of Node used by the action from 12 to 16 (https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/).
 
 ## v0.5.4 [2021-11-21]
 
 ### Fixed
 
- * Update changed GitHub Host Keys (#102, #101)
+- Update changed GitHub Host Keys (#102, #101)
 
 ### Changed
 
- * Various documentation (README) improvements and additions
- * Change logging to more precisely state that _public_ keys are being printed
+- Various documentation (README) improvements and additions
+- Change logging to more precisely state that _public_ keys are being printed
 
 ## v0.5.3 [2021-06-11]
 
 ### Fixed
 
- * Fixed cleanup phase to really terminate the ssh-agent (#80)
- * Fix termination of ssh-agent also on workflow faiulre (#79)
+- Fixed cleanup phase to really terminate the ssh-agent (#80)
+- Fix termination of ssh-agent also on workflow failure (#79)
 
 ### Changed
 
- * Various documentation (README) improvements and additions
+- Various documentation (README) improvements and additions
 
 ## v0.5.2 [2021-04-07]
 
 ### Fixed
 
- * Use case-insensitive regex matching when scanning key comments (#68, #70, #71)
+- Use case-insensitive regex matching when scanning key comments (#68, #70, #71)
 
 ### Changed
 
- * Log when a key is _not_ used as a deploy key (#69)
+- Log when a key is _not_ used as a deploy key (#69)
 
 ## v0.5.1 [2021-03-10]
 
 ### Fixed
 
- * Fix deployment key mapping on Windows virtual environment by using SSH binaries from the Git
+- Fix deployment key mapping on Windows virtual environment by using SSH binaries from the Git
   suite, terminate ssh-agent upon actio termination on Windows as well (#63)
- * Handle ENOENT exceptions with a graceful message
+- Handle ENOENT exceptions with a graceful message
 
 ### Changed
 
- * Various documentation (README) improvements and additions
+- Various documentation (README) improvements and additions
 
 ## v0.5.0 [2021-02-19]
 
 ### Added
 
- * Add support for GitHub Deployment Keys through key comments (#59). Fixes #30, closes #38.
- * Support for container-based workflows and Windows (#17)
+- Add support for GitHub Deployment Keys through key comments (#59). Fixes #30, closes #38.
+- Support for container-based workflows and Windows (#17)
 
 ### Fixed
 
- * Fix scripts/build.js to work on Windows (#38)
+- Fix scripts/build.js to work on Windows (#38)
 
 ### Changed
 
- * Various documentation (README) improvements and additions
+- Various documentation (README) improvements and additions
 
 ## v0.4.1 [2020-10-07]
 
 ### Fixed
 
-* This action no longer relies on `set-env`, which has been deprecated.
+- This action no longer relies on `set-env`, which has been deprecated.
 
 ## v0.4.0
 
 ### Changed
 
-* A failure to kill the agent in the post-action step will no longer fail the workflow run. That way, you can kill the agent yourself when necessary (#33).
+- A failure to kill the agent in the post-action step will no longer fail the workflow run. That way, you can kill the agent yourself when necessary (#33).
 
 ## v0.3.0 [2020-05-18]
 
 ### Added
 
-* A new post-action step will automatically clean up the running agent at the end of a job. This helps with self-hosted runners, which are non-ephemeral. (@thommyhh, #27)
+- A new post-action step will automatically clean up the running agent at the end of a job. This helps with self-hosted runners, which are non-ephemeral. (@thommyhh, #27)
 
 ### Changed
 
-* Unless the SSH_AUTH_SOCK is configured explicitly, the SSH agent will now use a random file name for the socket. That way, multiple, concurrent SSH agents can be used on self-hosted runners. (@thommyhh, #27)
+- Unless the SSH_AUTH_SOCK is configured explicitly, the SSH agent will now use a random file name for the socket. That way, multiple, concurrent SSH agents can be used on self-hosted runners. (@thommyhh, #27)
 
 ## v0.2.0 [2020-01-14]
 
 ### Added
 
-* Multiple SSH keys can now be provided (#14, closes #7). Thanks to
+- Multiple SSH keys can now be provided (#14, closes #7). Thanks to
   @webknjaz and @bradmartin for support and tests.
 
-* Catch empty ssh-private-key input values and exit with a helpful
+- Catch empty ssh-private-key input values and exit with a helpful
   error message right away.
 
 ## v0.1.0 [2019-09-15]

README.md

@@ -2,9 +2,8 @@
 
 This action
 * starts the `ssh-agent`,
-* exports the `SSH_AUTH_SOCK` environment variable, 
-* loads one or several private SSH key into the agent and
-* configures `known_hosts` for GitHub.com.
+* exports the `SSH_AUTH_SOCK` environment variable, and
+* loads one or several private SSH key into the agent.
 
 It should work in all GitHub Actions virtual environments, including container-based workflows. 
 
@@ -27,7 +26,7 @@ GitHub Actions only have access to the repository they run for. So, in order to
     * In your repository, go to the *Settings > Secrets* menu and create a new secret. In this example, we'll call it `SSH_PRIVATE_KEY`. 
     * Put the contents of the *private* SSH key file into the contents field. <br>
     * This key should start with `-----BEGIN ... PRIVATE KEY-----`, consist of many lines and ends with `-----END ... PRIVATE KEY-----`. 
-5. In your workflow definition file, add the following step. Preferably this would be rather on top, near the `actions/checkout@v2` line.
+5. In your workflow definition file, add the following step. Preferably this would be rather on top, near the `actions/checkout@v4` line.
 
 ```yaml
 # .github/workflows/my-workflow.yml
@@ -35,13 +34,12 @@ jobs:
     my_job:
         ...
         steps:
-            - actions/checkout@v2
-            # Make sure the @v0.6.0 matches the current version of the
-            # action 
-            - uses: webfactory/ssh-agent@v0.6.0
+            - uses: actions/checkout@v4
+            # Make sure the @v0.9.0 matches the current version of the action
+            - uses: webfactory/ssh-agent@v0.9.0
               with:
                   ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
-            - ... other steps
+            # ... other steps
 ```
 5. If, for some reason, you need to change the location of the SSH agent socket, you can use the `ssh-auth-sock` input to provide a path.
 
@@ -52,8 +50,8 @@ There are cases where you might need to use multiple keys. For example, "[deploy
 You can set up different keys as different secrets and pass them all to the action like so:
 
 ```yaml
-# ... contens as before
-            - uses: webfactory/ssh-agent@v0.6.0
+# ... contents as before
+            - uses: webfactory/ssh-agent@v0.9.0
               with:
                   ssh-private-key: |
                         ${{ secrets.FIRST_KEY }}
@@ -76,7 +74,19 @@ To support picking the right key in this use case, this action scans _key commen
 3. For key comments containing such URLs, a Git config setting is written that uses [`url.<base>.insteadof`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-urlltbasegtinsteadOf). It will redirect `git` requests to URLs starting with either `https://github.com/owner/repo` or `git@github.com:owner/repo` to a fake hostname/URL like `git@...some.hash...:owner/repo`.
 4. An SSH configuration section is generated that applies to the fake hostname. It will map the SSH connection back to `github.com`, while at the same time pointing SSH to a file containing the appropriate key's public part. That will make SSH use the right key when connecting to GitHub.com.
 
+## Action Inputs
+
+The following inputs can be used to control the action's behavior:
+
+* `ssh-private-key`: Required. Use this to provide the key(s) to load as GitHub Actions secrets.
+* `ssh-auth-sock`: Can be used to control where the SSH agent socket will be placed. Ultimately affects the `$SSH_AUTH_SOCK` environment variable.
+* `log-public-key`: Set this to `false` if you want to suppress logging of _public_ key information. To simplify debugging and since it contains public key information only, this is turned on by default.
+* `ssh-agent-cmd`: Optional. Use this to specify a custom location for the `ssh-agent` binary.
+* `ssh-add-cmd`: Optional. Use this to specify a custom location for the `ssh-add` binary.
+* `git-cmd`: Optional. Use this to specify a custom location for the `git` binary.
+
 ## Exported variables
+
 The action exports the `SSH_AUTH_SOCK` and `SSH_AGENT_PID` environment variables through the Github Actions core module.
 The `$SSH_AUTH_SOCK` is used by several applications like git or rsync to connect to the SSH authentication agent.
 The `$SSH_AGENT_PID` contains the process id of the agent. This is used to kill the agent in post job action.
@@ -101,11 +111,13 @@ If you know that your favorite tool or platform of choice requires extra tweaks
 
 If you are using this action on container-based workflows, make sure the container has the necessary SSH binaries or package(s) installed.
 
-### Using the `docker/build-push-action` Action
+### Building Docker Images and/or Using the `docker/build-push-action` Action
 
-If you are using the `docker/build-push-action`, and would like to pass the SSH key, you can do so by adding the following config to pass the socket file through:
+When you are building Docker images with `docker build` or `docker compose build` and need to provide the SSH keys to the build, don't forget to pass `--ssh default=${{ env.SSH_AUTH_SOCK }}` on the command line to pass the SSH agent socket through. See the [Docker documentation](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) for more information on this option.
 
-```
+If you are using the `docker/build-push-action`, you can do so by adding the following config.
+
+```yml
       - name: Build and push
         id: docker_build
         uses: docker/build-push-action@v2
@@ -114,6 +126,46 @@ If you are using the `docker/build-push-action`, and would like to pass the SSH
             default=${{ env.SSH_AUTH_SOCK }}
 ```
 
+Make sure not to miss the next section, though.
+
+### Using Multiple Deploy Keys Inside Docker Builds
+
+When you pass the SSH agent socket to the Docker build environment _and_ want to use multiple GitHub deploy keys, you need to copy the Git and SSH configuration files to the build environment as well. This is necessary _in addition to_ forwarding the SSH agent socket into the build process. The config files are required so that Git can pick the right one from your deployment keys.
+
+This requires an additional step in the workflow file **after** the `ssh-agent` step and **before** the Docker build step.  You also need two additional lines in the `Dockerfile` to actually copy the configs.
+
+The following example will: 
+* collect the necessary Git and SSH configuration files in a directory that must be part of the Docker build context so that... 
+* ... the files can be copied into the Docker image (or an intermediate build stage).
+
+Workflow:
+
+```yml
+      - name: ssh-agent setup
+        ...
+
+      - name: Collect Git and SSH config files in a directory that is part of the Docker build context
+        run: |
+          mkdir root-config
+          cp -r ~/.gitconfig  ~/.ssh root-config/
+  
+      - name: Docker build 
+        # build-push-action | docker [compose] build | etc.
+        ...
+```
+
+Dockerfile:
+
+```Dockerfile
+# Copy the two files in place and fix different path/locations inside the Docker image
+COPY root-config /root/
+RUN sed 's|/home/runner|/root|g' -i.bak /root/.ssh/config
+```
+
+Keep in mind that the resulting Docker image now might contain these customized Git and SSH configuration files! Your private SSH keys are never written to files anywhere, just loaded into the SSH agent and forwarded into the container. The config files might, however, give away details about your build or development process and contain the names and URLs of your (private) repositories. You might want to use a multi-staged build to make sure these files do not end up in the final image.
+
+If you still get the error message: `fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.`, you most likely forgot one of the steps above.
+
 ### Cargo's (Rust) Private Dependencies on Windows
 
 If you are using private repositories in your dependencies like this:
@@ -219,4 +271,4 @@ developer looking for new challenges, we'd like to hear from you!
 - <https://www.webfactory.de>
 - <https://twitter.com/webfactory>
 
-Copyright 2019 – 2022 webfactory GmbH, Bonn. Code released under [the MIT license](LICENSE).
+Copyright 2019 – 2023 webfactory GmbH, Bonn. Code released under [the MIT license](LICENSE).

action.yml

@@ -6,11 +6,25 @@ inputs:
         required: true
     ssh-auth-sock:
         description: 'Where to place the SSH Agent auth socket'
+    log-public-key:
+        description: 'Whether or not to log public key fingerprints'
+        required: false
+        default: true
+    ssh-agent-cmd:
+        description: 'ssh-agent command'
+        required: false
+    ssh-add-cmd:
+        description: 'ssh-add command'
+        required: false
+    git-cmd:
+        description: 'git command'
+        required: false
 runs:
-    using: 'node16'
+    using: 'node20'
     main: 'dist/index.js'
     post: 'dist/cleanup.js'
     post-if: 'always()'
+
 branding:
     icon: loader
     color: 'yellow'

cleanup.js

@@ -1,11 +1,10 @@
-const core = require('@actions/core');
 const { execFileSync } = require('child_process');
-const { sshAgent } = require('./paths.js');
+const { sshAgentCmd } = require('./paths.js');
 
 try {
     // Kill the started SSH agent
     console.log('Stopping SSH agent');
-    execFileSync(sshAgent, ['-k'], { stdio: 'inherit' });
+    execFileSync(sshAgentCmd, ['-k'], { stdio: 'inherit' });
 } catch (error) {
     console.log(error.message);
     console.log('Error stopping the SSH agent, proceeding anyway');

dist/cleanup.js

@@ -597,14 +597,13 @@ exports.debug = debug; // for test
 /***/ 175:
 /***/ (function(__unusedmodule, __unusedexports, __webpack_require__) {
 
-const core = __webpack_require__(470);
 const { execFileSync } = __webpack_require__(129);
-const { sshAgent } = __webpack_require__(972);
+const { sshAgentCmd } = __webpack_require__(972);
 
 try {
     // Kill the started SSH agent
     console.log('Stopping SSH agent');
-    execFileSync(sshAgent, ['-k'], { stdio: 'inherit' });
+    execFileSync(sshAgentCmd, ['-k'], { stdio: 'inherit' });
 } catch (error) {
     console.log(error.message);
     console.log('Error stopping the SSH agent, proceeding anyway');
@@ -2822,23 +2821,31 @@ exports.default = _default;
 /***/ (function(module, __unusedexports, __webpack_require__) {
 
 const os = __webpack_require__(87);
+const core = __webpack_require__(470);
 
-module.exports = (process.env['OS'] != 'Windows_NT') ? {
-
-    // Use getent() system call, since this is what ssh does; makes a difference in Docker-based
-    // Action runs, where $HOME is different from the pwent
-    home: os.userInfo().homedir,
-    sshAgent: 'ssh-agent',
-    sshAdd: 'ssh-add'
-
+const defaults = (process.env['OS'] != 'Windows_NT') ? {
+    homePath: os.homedir(),
+    sshAgentCmdDefault: 'ssh-agent',
+    sshAddCmdDefault: 'ssh-add',
+    gitCmdDefault: 'git'
 } : {
-
-    home: os.homedir(),
-    sshAgent: 'c://progra~1//git//usr//bin//ssh-agent.exe',
-    sshAdd: 'c://progra~1//git//usr//bin//ssh-add.exe'
-
+    // Assuming GitHub hosted `windows-*` runners for now
+    homePath: os.homedir(),
+    sshAgentCmdDefault: 'c://progra~1//git//usr//bin//ssh-agent.exe',
+    sshAddCmdDefault: 'c://progra~1//git//usr//bin//ssh-add.exe',
+    gitCmdDefault: 'c://progra~1//git//bin//git.exe'
 };
 
+const sshAgentCmdInput = core.getInput('ssh-agent-cmd');
+const sshAddCmdInput = core.getInput('ssh-add-cmd');
+const gitCmdInput = core.getInput('git-cmd');
+
+module.exports = {
+    homePath: defaults.homePath,
+    sshAgentCmd: sshAgentCmdInput !== '' ? sshAgentCmdInput : defaults.sshAgentCmdDefault,
+    sshAddCmd: sshAddCmdInput !== '' ? sshAddCmdInput : defaults.sshAddCmdDefault,
+    gitCmd: gitCmdInput !== '' ? gitCmdInput : defaults.gitCmdDefault,
+};
 
 
 /***/ })

dist/index.js

@@ -322,10 +322,11 @@ const core = __webpack_require__(470);
 const child_process = __webpack_require__(129);
 const fs = __webpack_require__(747);
 const crypto = __webpack_require__(417);
-const { home, sshAgent, sshAdd } = __webpack_require__(972);
+const { homePath, sshAgentCmd, sshAddCmd, gitCmd } = __webpack_require__(972);
 
 try {
     const privateKey = core.getInput('ssh-private-key');
+    const logPublicKey = core.getBooleanInput('log-public-key', {default: true});
 
     if (!privateKey) {
         core.setFailed("The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file.");
@@ -333,14 +334,8 @@ try {
         return;
     }
 
-    const homeSsh = home + '/.ssh';
-
-    console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`);
-
+    const homeSsh = homePath + '/.ssh';
     fs.mkdirSync(homeSsh, { recursive: true });
-    fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=\n');
-    fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl\n');
-    fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n');
 
     console.log("Starting ssh-agent");
 
@@ -348,7 +343,7 @@ try {
     const sshAgentArgs = (authSock && authSock.length > 0) ? ['-a', authSock] : [];
 
     // Extract auth socket path and agent pid and set them as job variables
-    child_process.execFileSync(sshAgent, sshAgentArgs).toString().split("\n").forEach(function(line) {
+    child_process.execFileSync(sshAgentCmd, sshAgentArgs).toString().split("\n").forEach(function(line) {
         const matches = /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=(.*); export \1/.exec(line);
 
         if (matches && matches.length > 0) {
@@ -361,21 +356,22 @@ try {
     console.log("Adding private key(s) to agent");
 
     privateKey.split(/(?=-----BEGIN)/).forEach(function(key) {
-        child_process.execFileSync(sshAdd, ['-'], { input: key.trim() + "\n" });
+        child_process.execFileSync(sshAddCmd, ['-'], { input: key.trim() + "\n" });
     });
 
     console.log("Key(s) added:");
 
-    child_process.execFileSync(sshAdd, ['-l'], { stdio: 'inherit' });
+    child_process.execFileSync(sshAddCmd, ['-l'], { stdio: 'inherit' });
 
     console.log('Configuring deployment key(s)');
 
-    child_process.execFileSync(sshAdd, ['-L']).toString().split(/\r?\n/).forEach(function(key) {
+    child_process.execFileSync(sshAddCmd, ['-L']).toString().trim().split(/\r?\n/).forEach(function(key) {
         const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/i);
 
         if (!parts) {
+            if (logPublicKey) {
               console.log(`Comment for (public) key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
-
+            }
             return;
         }
 
@@ -384,9 +380,9 @@ try {
 
         fs.writeFileSync(`${homeSsh}/key-${sha256}`, key + "\n", { mode: '600' });
 
-        child_process.execSync(`git config --global --replace-all url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "https://github.com/${ownerAndRepo}"`);
-        child_process.execSync(`git config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "git@github.com:${ownerAndRepo}"`);
-        child_process.execSync(`git config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "ssh://git@github.com/${ownerAndRepo}"`);
+        child_process.execSync(`${gitCmd} config --global --replace-all url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "https://github.com/${ownerAndRepo}"`);
+        child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "git@github.com:${ownerAndRepo}"`);
+        child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "ssh://git@github.com/${ownerAndRepo}"`);
 
         const sshConfig = `\nHost key-${sha256}.github.com\n`
                               + `    HostName github.com\n`
@@ -2899,23 +2895,31 @@ exports.default = _default;
 /***/ (function(module, __unusedexports, __webpack_require__) {
 
 const os = __webpack_require__(87);
+const core = __webpack_require__(470);
 
-module.exports = (process.env['OS'] != 'Windows_NT') ? {
-
-    // Use getent() system call, since this is what ssh does; makes a difference in Docker-based
-    // Action runs, where $HOME is different from the pwent
-    home: os.userInfo().homedir,
-    sshAgent: 'ssh-agent',
-    sshAdd: 'ssh-add'
-
+const defaults = (process.env['OS'] != 'Windows_NT') ? {
+    homePath: os.homedir(),
+    sshAgentCmdDefault: 'ssh-agent',
+    sshAddCmdDefault: 'ssh-add',
+    gitCmdDefault: 'git'
 } : {
-
-    home: os.homedir(),
-    sshAgent: 'c://progra~1//git//usr//bin//ssh-agent.exe',
-    sshAdd: 'c://progra~1//git//usr//bin//ssh-add.exe'
-
+    // Assuming GitHub hosted `windows-*` runners for now
+    homePath: os.homedir(),
+    sshAgentCmdDefault: 'c://progra~1//git//usr//bin//ssh-agent.exe',
+    sshAddCmdDefault: 'c://progra~1//git//usr//bin//ssh-add.exe',
+    gitCmdDefault: 'c://progra~1//git//bin//git.exe'
 };
 
+const sshAgentCmdInput = core.getInput('ssh-agent-cmd');
+const sshAddCmdInput = core.getInput('ssh-add-cmd');
+const gitCmdInput = core.getInput('git-cmd');
+
+module.exports = {
+    homePath: defaults.homePath,
+    sshAgentCmd: sshAgentCmdInput !== '' ? sshAgentCmdInput : defaults.sshAgentCmdDefault,
+    sshAddCmd: sshAddCmdInput !== '' ? sshAddCmdInput : defaults.sshAddCmdDefault,
+    gitCmd: gitCmdInput !== '' ? gitCmdInput : defaults.gitCmdDefault,
+};
 
 
 /***/ })

index.js

@@ -2,10 +2,11 @@ const core = require('@actions/core');
 const child_process = require('child_process');
 const fs = require('fs');
 const crypto = require('crypto');
-const { home, sshAgent, sshAdd } = require('./paths.js');
+const { homePath, sshAgentCmd, sshAddCmd, gitCmd } = require('./paths.js');
 
 try {
     const privateKey = core.getInput('ssh-private-key');
+    const logPublicKey = core.getBooleanInput('log-public-key', {default: true});
 
     if (!privateKey) {
         core.setFailed("The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file.");
@@ -13,14 +14,8 @@ try {
         return;
     }
 
-    const homeSsh = home + '/.ssh';
-
-    console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`);
-
+    const homeSsh = homePath + '/.ssh';
     fs.mkdirSync(homeSsh, { recursive: true });
-    fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=\n');
-    fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl\n');
-    fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n');
 
     console.log("Starting ssh-agent");
 
@@ -28,7 +23,7 @@ try {
     const sshAgentArgs = (authSock && authSock.length > 0) ? ['-a', authSock] : [];
 
     // Extract auth socket path and agent pid and set them as job variables
-    child_process.execFileSync(sshAgent, sshAgentArgs).toString().split("\n").forEach(function(line) {
+    child_process.execFileSync(sshAgentCmd, sshAgentArgs).toString().split("\n").forEach(function(line) {
         const matches = /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=(.*); export \1/.exec(line);
 
         if (matches && matches.length > 0) {
@@ -41,21 +36,22 @@ try {
     console.log("Adding private key(s) to agent");
 
     privateKey.split(/(?=-----BEGIN)/).forEach(function(key) {
-        child_process.execFileSync(sshAdd, ['-'], { input: key.trim() + "\n" });
+        child_process.execFileSync(sshAddCmd, ['-'], { input: key.trim() + "\n" });
     });
 
     console.log("Key(s) added:");
 
-    child_process.execFileSync(sshAdd, ['-l'], { stdio: 'inherit' });
+    child_process.execFileSync(sshAddCmd, ['-l'], { stdio: 'inherit' });
 
     console.log('Configuring deployment key(s)');
 
-    child_process.execFileSync(sshAdd, ['-L']).toString().split(/\r?\n/).forEach(function(key) {
+    child_process.execFileSync(sshAddCmd, ['-L']).toString().trim().split(/\r?\n/).forEach(function(key) {
         const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/i);
 
         if (!parts) {
+            if (logPublicKey) {
               console.log(`Comment for (public) key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
-
+            }
             return;
         }
 
@@ -64,9 +60,9 @@ try {
 
         fs.writeFileSync(`${homeSsh}/key-${sha256}`, key + "\n", { mode: '600' });
 
-        child_process.execSync(`git config --global --replace-all url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "https://github.com/${ownerAndRepo}"`);
-        child_process.execSync(`git config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "git@github.com:${ownerAndRepo}"`);
-        child_process.execSync(`git config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "ssh://git@github.com/${ownerAndRepo}"`);
+        child_process.execSync(`${gitCmd} config --global --replace-all url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "https://github.com/${ownerAndRepo}"`);
+        child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "git@github.com:${ownerAndRepo}"`);
+        child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "ssh://git@github.com/${ownerAndRepo}"`);
 
         const sshConfig = `\nHost key-${sha256}.github.com\n`
                               + `    HostName github.com\n`

package.json

@@ -2,7 +2,7 @@
     "name": "webfactory-action-ssh-agent",
     "repository": "git@github.com:webfactory/ssh-agent.git",
     "description": "GitHub Action to set up ssh-agent with a private SSH key",
-    "version": "0.6.0",
+    "version": "0.7.0",
     "main": "index.js",
     "author": "webfactory GmbH <info@webfactory.de>",
     "license": "MIT",

paths.js

@@ -1,18 +1,30 @@
-const os = require('os');
-
-module.exports = (process.env['OS'] != 'Windows_NT') ? {
-
-    // Use getent() system call, since this is what ssh does; makes a difference in Docker-based
-    // Action runs, where $HOME is different from the pwent
-    home: os.userInfo().homedir,
-    sshAgent: 'ssh-agent',
-    sshAdd: 'ssh-add'
-
-} : {
-
-    home: os.homedir(),
-    sshAgent: 'c://progra~1//git//usr//bin//ssh-agent.exe',
-    sshAdd: 'c://progra~1//git//usr//bin//ssh-add.exe'
+const os = require("os");
+const core = require("@actions/core");
 
+const defaults =
+  process.env["OS"] != "Windows_NT"
+    ? {
+        homePath: os.homedir(),
+        sshAgentCmdDefault: "ssh-agent",
+        sshAddCmdDefault: "ssh-add",
+        gitCmdDefault: "git",
+      }
+    : {
+        // Assuming GitHub hosted `windows-*` runners for now
+        homePath: os.homedir(),
+        sshAgentCmdDefault: "c://progra~1//git//usr//bin//ssh-agent.exe",
+        sshAddCmdDefault: "c://progra~1//git//usr//bin//ssh-add.exe",
+        gitCmdDefault: "c://progra~1//git//bin//git.exe",
       };
 
+const sshAgentCmdInput = core.getInput("ssh-agent-cmd");
+const sshAddCmdInput = core.getInput("ssh-add-cmd");
+const gitCmdInput = core.getInput("git-cmd");
+
+module.exports = {
+  homePath: defaults.homePath,
+  sshAgentCmd:
+    sshAgentCmdInput !== "" ? sshAgentCmdInput : defaults.sshAgentCmdDefault,
+  sshAddCmd: sshAddCmdInput !== "" ? sshAddCmdInput : defaults.sshAddCmdDefault,
+  gitCmd: gitCmdInput !== "" ? gitCmdInput : defaults.gitCmdDefault,
+};