Add ssh_key secret parameter to support sync setup_command. (#22)

vorporeal · oz-agent · web-flow · commit f894fa372d7e · 2026-04-14T10:39:42.000-04:00
## Description The `setup_command` workflow parameter (added in #16) allows consuming repos to run commands like `cargo fetch` before sync begins. However, if the source repo has private dependencies that require SSH credentials (e.g. private crates), there's no way to provide them — the reusable workflow runs in a separate job, so the embedding workflow can't set up the SSH agent beforehand. This adds an optional `ssh_key` secret to the sync workflow. When provided, it populates the SSH agent (via `webfactory/ssh-agent`) before the setup command runs, allowing commands like `cargo fetch` to access private repositories. ## Testing Verified the workflow YAML is syntactically valid. The new step is conditional on `secrets.ssh_key != ''`, so existing consumers that don't pass the secret are unaffected. Co-Authored-By: Oz <oz-agent@warp.dev>
diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
@@ -56,6 +56,9 @@ on:
       warp_api_key:
         description: "Warp API key."
         required: true
+      ssh_key:
+        description: "Optional SSH private key for accessing private dependencies (e.g. private crates) during the setup command."
+        required: false
 
 concurrency:
   group: repo-sync-${{ github.repository == inputs.private_repo && 'private-to-public' || 'public-to-private' }}-${{ github.repository }}-${{ github.repository == inputs.private_repo && inputs.public_repo || inputs.private_repo }}
@@ -117,6 +120,12 @@ jobs:
       - name: Build conflict resolution agent image
         run: docker build -f .repo-sync/docker/conflict-resolution/Dockerfile -t repo-sync-conflict-resolution .repo-sync
 
+      - name: Setup SSH keys
+        if: secrets.ssh_key != ''
+        uses: webfactory/ssh-agent@v0.7.0
+        with:
+          ssh-private-key: ${{ secrets.ssh_key }}
+
       - name: Run setup command
         if: inputs.setup_command != ''
         run: ${{ inputs.setup_command }}
diff --git a/examples/consuming-repo-sync.yml b/examples/consuming-repo-sync.yml
@@ -60,6 +60,8 @@ jobs:
       # public_to_private_fixup_script: scripts/post-cherry-pick-fixup.sh
     secrets:
       app_private_key: ${{ secrets.REPO_SYNC_APP_PRIVATE_KEY }}
+      # Optional SSH key for fetching private dependencies during setup.
+      # ssh_key: ${{ secrets.REPO_SYNC_SSH_KEY }}
 
   # -----------------------------------------------------------------------
   # Restack: triggered when a sync PR is merged.
