Skip to content

Commit c2ca7a2

Browse files
committed
feat: add action to setup ssh to discovery
1 parent f60ad6b commit c2ca7a2

2 files changed

Lines changed: 88 additions & 0 deletions

File tree

setup-discovery-ssh/action.yaml

Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
name: "Setup SSH to Discovery"
2+
description: "Configure SSH access to the discovery host and fetch build instructions (derivaitons)."
3+
author: "The Standard Authors"
4+
5+
inputs:
6+
ssh_key:
7+
required: true
8+
description: |
9+
The private SSH key used to authenticate with the Discovery host.
10+
11+
You should not add your private key directly to the workflow file but
12+
instead define a GitHub Secret for it, to avoid mistakenly sharing your
13+
key with others.
14+
15+
It is advisable to create a new SSH key specifically for use within GitHub
16+
(or even per repository or workflow). That way you can revoke access to
17+
your Discovery host in a fine-grained fashion.
18+
19+
user_name:
20+
required: true
21+
description: |
22+
The user name to connect with.
23+
24+
ssh_known_hosts_entry:
25+
required: true
26+
description: |
27+
The known host entry to use for the Discovery host.
28+
29+
runs:
30+
using: "composite"
31+
steps:
32+
- name: Set up SSH access to the Discovery host
33+
id: setup
34+
run: ${{ github.action_path }}/setup.sh
35+
shell: bash
36+
env:
37+
DISCOVERY_USER_NAME: ${{ inputs.user_name }}
38+
DISCOVERY_SSH_KNOWN_HOSTS_ENTRY: ${{ inputs.ssh_known_hosts_entry }}
39+
DISCOVERY_SSH_KEY: ${{ inputs.ssh_key }}

setup-discovery-ssh/setup.sh

Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,49 @@
1+
#!/usr/bin/env bash
2+
3+
set -eu
4+
set -o pipefail
5+
6+
# Setup known_hosts
7+
SSH_KNOWN_HOSTS_FILE="$(mktemp)"
8+
printenv DISCOVERY_SSH_KNOWN_HOSTS_ENTRY > "$SSH_KNOWN_HOSTS_FILE"
9+
10+
host_name="$(echo "$DISCOVERY_SSH_KNOWN_HOSTS_ENTRY" | cut -d ' ' -f 1)"
11+
12+
# Create ssh config
13+
SSH_CONFIG_FILE="$(mktemp)"
14+
cat >"$SSH_CONFIG_FILE" <<EOF
15+
Host discovery
16+
HostName $host_name
17+
User $DISCOVERY_USER_NAME
18+
LogLevel ERROR
19+
StrictHostKeyChecking yes
20+
UserKnownHostsFile $SSH_KNOWN_HOSTS_FILE
21+
ControlPath none
22+
EOF
23+
24+
# Setup auth
25+
ssh_key_file="$(mktemp)"
26+
printenv DISCOVERY_SSH_KEY > "$ssh_key_file"
27+
if ssh-keygen -y -f "$ssh_key_file" &>/dev/null; then
28+
# Start ssh agent
29+
eval $(ssh-agent)
30+
# Add ssh key to agent
31+
ssh-add -q "$ssh_key_file" && rm "$ssh_key_file"
32+
# Auth agent socket to ssh config
33+
echo "IdentityAgent $SSH_AUTH_SOCK" >> "$SSH_CONFIG_FILE"
34+
else
35+
echo -e >&2 \
36+
"Your SSH key is not a valid OpenSSH private key\n"\
37+
"This is likely caused by one of these issues:\n"\
38+
"* The key has been configured incorrectly in your workflow file.\n"\
39+
"* The workflow was triggered by an actor that has no access to\n"\
40+
" the GitHub Action secret used for storing your SSH key.\n"\
41+
" For example, Pull Requests originating from a fork of your\n"\
42+
" repository can't access secrets."
43+
exit 1
44+
fi
45+
46+
# Append ssh config to system config
47+
sudo mkdir -p /etc/ssh
48+
sudo touch /etc/ssh/ssh_config
49+
sudo tee -a /etc/ssh/ssh_config < "$SSH_CONFIG_FILE" >/dev/null

0 commit comments

Comments
 (0)