kidfrom 5 ssh github-actions
My goal is to store a passphrase-protected private key in GitHub Secrets, but I don't know how to supply the passphrase through GitHub Actions.
What I have tried:
.github/workflows/docker-build.yml

```yaml
# This is a basic workflow to help you get started with Actions
name: CI

# Controls when the action will run.
on:
  # Triggers the workflow on push or pull request events but only for the master branch
  push:
    branches: [ master ]
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "build"
  build:
    # The type of runner that the job will run on
    runs-on: ubuntu-latest
    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v2
      # Runs a set of commands using the runners shell
      - name: Run a multi-line script
        run: |
          eval $(ssh-agent -s)
          echo "${{ secrets.SSH_PRIVATE_KEY }}" | ssh-add -
          ssh -o StrictHostKeyChecking=no root@${{ secrets.HOSTNAME }} "rm -rf be-bankaccount; git clone https://github.com/kidfrom/be-bankaccount.git; cd be-bankaccount; docker build -t be-bankaccount .; docker-compose up -d;"
```
I finally figured this out because I didn't want the hassle of updating all my servers with passphrase-less authorized keys. Ironically, it probably took me longer to get this working, but now I can save you the time.
The two magic ingredients are: using SSH_AUTH_SOCK to share the agent between GH Actions steps, and using ssh-add with DISPLAY=None and SSH_ASKPASS set to an executable script that sends the passphrase over standard input.
Specifically, for your question, you don't need SSH_AUTH_SOCK, because all of your commands run in a single job step. For more complex workflows, however, you will need to set it up.
Here is an example workflow:
```yaml
name: ssh with passphrase example

env:
  # Use the same ssh-agent socket value across all jobs
  # Useful when a GH action is using SSH behind-the-scenes
  SSH_AUTH_SOCK: /tmp/ssh_agent.sock

jobs:
  job1:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      # Start ssh-agent but set it to use the same ssh_auth_sock value.
      # The agent will be running in all steps after this, so it
      # should be one of the first.
      - name: Setup SSH passphrase
        env:
          SSH_PASSPHRASE: ${{secrets.SSH_PASSPHRASE}}
          SSH_PRIVATE_KEY: ${{secrets.SSH_PRIVATE_KEY}}
        run: |
          ssh-agent -a $SSH_AUTH_SOCK > /dev/null
          # The script only contains the variable name (single quotes), not the secret itself
          echo 'echo $SSH_PASSPHRASE' > ~/.ssh_askpass && chmod +x ~/.ssh_askpass
          # stdin is a pipe, not a tty, so ssh-add runs SSH_ASKPASS to get the passphrase
          echo "$SSH_PRIVATE_KEY" | tr -d '\r' | DISPLAY=None SSH_ASKPASS=~/.ssh_askpass ssh-add - >/dev/null

      # Debug print out the added identities. This will prove SSH_AUTH_SOCK
      # is persisted across job steps
      - name: Print ssh-add identities
        run: ssh-add -l

  job2:
    # NOTE: SSH_AUTH_SOCK will be set, but the agent itself is not
    # shared across jobs, each job is a new container sandbox
    # so you still need to setup the passphrase again
    steps: ...
```
Resources I referred to:
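The two ingredients in the answer above (an agent bound to a fixed SSH_AUTH_SOCK, and ssh-add taking the key on stdin while SSH_ASKPASS supplies the passphrase) can be reproduced end to end on a local machine. The script below is an added example and not code from the answer or from GitHub; it assumes the OpenSSH client tools (ssh-keygen, ssh-agent, ssh-add) are installed. The function name, the ed25519 key, the passphrase and the socket path are all constructed for the demo and stand in for secrets.SSH_PRIVATE_KEY, secrets.SSH_PASSPHRASE and the workflow's /tmp/ssh_agent.sock.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer). Loads a passphrase-protected
# key into ssh-agent non-interactively using the SSH_ASKPASS mechanism the
# answer relies on, then verifies the identity is present on the agent socket.
# Assumes OpenSSH client tools are installed. All key material is constructed.

demo_askpass_add() {
    local work passphrase sock key_file askpass result
    work="$(mktemp -d)"
    passphrase='correct horse battery staple'   # constructed demo passphrase
    sock="$work/ssh_agent.sock"                 # plays the role of SSH_AUTH_SOCK
    key_file="$work/id_ed25519"
    askpass="$work/askpass.sh"

    # 1. A throwaway key encrypted with the passphrase (stands in for the
    #    secrets.SSH_PRIVATE_KEY secret). The tr -d '\r' below mirrors the
    #    answer's guard against a secret that was pasted with CRLF line ends.
    ssh-keygen -q -t ed25519 -N "$passphrase" -C "demo-key" -f "$key_file"

    # 2. Start an agent on the known socket, as the workflow step does. eval
    #    exports SSH_AUTH_SOCK and SSH_AGENT_PID for the rest of the function.
    eval "$(ssh-agent -s -a "$sock")" >/dev/null

    # 3. The askpass helper. Quoted heredoc: the file holds the variable name,
    #    never the secret itself, so nothing sensitive is written to disk.
    cat > "$askpass" <<'EOF'
#!/bin/sh
echo "$SSH_PASSPHRASE"
EOF
    chmod 700 "$askpass"

    # 4. Pipe the key in. stdin is not a terminal and DISPLAY is set, so ssh-add
    #    executes SSH_ASKPASS to obtain the passphrase instead of prompting on
    #    a tty (which would hang a CI job). The passphrase only ever lives in
    #    the environment of this one pipeline.
    if tr -d '\r' < "$key_file" \
        | SSH_PASSPHRASE="$passphrase" DISPLAY=None SSH_ASKPASS="$askpass" \
          ssh-add - 2>/dev/null \
       && ssh-add -l 2>/dev/null | grep -q 'demo-key'; then
        result=ok     # identity loaded; a later step on the same socket can use it
    else
        result=fail
    fi

    # 5. Stop the agent and remove the temporary key material.
    ssh-agent -k >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "$result"
}

demo_askpass_add
```

Two practical caveats. First, the trick depends on ssh-add's stdin not being a terminal; on OpenSSH 8.4 and later you can instead set SSH_ASKPASS_REQUIRE=force to make ssh-add use the askpass program unconditionally, which is more robust if a step ever runs with a pty attached. Second, as the answer's job2 comment notes, only the SSH_AUTH_SOCK path survives between jobs, not the agent process: every job that needs the key must repeat the ssh-agent and ssh-add steps.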
You could try the webfactory/ssh-agent action, which comes out of Matthias Pigulla's research in "Using SSH deploy keys in GitHub Actions to access private repositories":
GitHub Actions only have access to the repository they run in. So in order to access additional private repositories, create an SSH key with sufficient access privileges.
Then, use this action to make the key available with ssh-agent on the action worker node. Once this has been set up, git clone commands using ssh URLs will just work.
```yaml
# .github/workflows/my-workflow.yml
jobs:
  my_job:
    ...
    steps:
      - uses: actions/checkout@v1
      # Make sure the @v0.4.1 matches the current version of the
      # action
      - uses: webfactory/ssh-agent@v0.4.1
        with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
      - ... other steps
```