From 5ab7b455ea00992bba6250923c83372caa026091 Mon Sep 17 00:00:00 2001
From: Kevin Stillhammer
Date: Fri, 21 Nov 2025 18:14:09 +0100
Subject: [PATCH] Add input fetch-github-host-keys

---
 .github/actionlint.yaml | 13 +++++++++++++
 .github/workflows/ci.yml | 18 ++++++++++++++++--
 README.md | 1 +
 action.yml | 4 ++++
 dist/index.js | 23 +++++++++++++++++++++++
 index.js | 23 +++++++++++++++++++++++
 6 files changed, 80 insertions(+), 2 deletions(-)
 create mode 100644 .github/actionlint.yaml

diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
new file mode 100644
index 0000000..22e2bba
--- /dev/null
+++ b/.github/actionlint.yaml
@@ -0,0 +1,13 @@
+self-hosted-runner:
+ # Custom labels of self-hosted or large GitHub hosted runners
+ # so that actionlint knows that they are not a typo
+ labels:
+ - 4-core-16-ram-150-hdd
+ - 8-core-32-ram-300-hdd
+ - arm-ubuntu-medium
+ - arm-ubuntu-large
+ - arm-ubuntu-xlarge
+# Configuration variables in array of strings defined in your repository or
+# organization. `null` means disabling configuration variables check.
+# Empty array means no configuration variable is allowed.
+config-variables: null
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0da46e7..49a79e2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,7 +16,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - name: Actionlint
- uses: eifinger/actionlint-action@23c85443d840cd73bbecb9cddfc933cc21649a38 # v1.9.1
+ uses: eifinger/actionlint-action@213860089b7cf97d640aa67567898fabeb132746 # v1.9.3
 - uses: actions/setup-node@v4
 with:
 node-version: "20"
@@ -24,4 +24,18 @@ jobs:
 - run: npm run all
 - name: Make sure no changes from linters are detected
 run: |
- git diff --exit-code || (echo "::error::Please run 'npm run all' to fix the issues" && exit 1)
\ No newline at end of file
+ git diff --exit-code || (echo "::error::Please run 'npm run all' to fix the issues" && exit 1)
+ test:
+ strategy:
+ matrix:
+ runner: [ubuntu-slim, ubuntu-latest]
+ runs-on: ${{ matrix.runner }}
+ steps:
+ - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
+ - uses: ./
+ with:
+ ssh-private-key: ${{ secrets.CI_DEPLOY_KEY_PRIVATE_KEY }}
+ fetch-github-host-keys: ${{ matrix.runner == 'ubuntu-slim' }}
+ - run: git clone git@github.com:tadodotcom/ssh-agent.git /tmp/ssh-agent-clone
\ No newline at end of file
diff --git a/README.md b/README.md
index 3028201..6e3e8ea 100644
--- a/README.md
+++ b/README.md
@@ -84,6 +84,7 @@ The following inputs can be used to control the action's behavior:
 * `ssh-agent-cmd`: Optional. Use this to specify a custom location for the `ssh-agent` binary.
 * `ssh-add-cmd`: Optional. Use this to specify a custom location for the `ssh-add` binary.
 * `git-cmd`: Optional. Use this to specify a custom location for the `git` binary.
+* `fetch-github-host-keys`: Optional. When set to `true`, the action will fetch and add GitHub's SSH host keys to the `known_hosts` file.

 ## Exported variables

diff --git a/action.yml b/action.yml
index 8f32cc8..7d71a07 100644
--- a/action.yml
+++ b/action.yml
@@ -19,6 +19,10 @@ inputs:
 git-cmd:
 description: 'git command'
 required: false
+ fetch-github-host-keys:
+ description: 'Whether to fetch and add GitHub host keys to known_hosts'
+ required: false
+ default: false
 runs:
 using: 'node20'
 main: 'dist/index.js'
diff --git a/dist/index.js b/dist/index.js
index 6804cab..5f871f9 100644
--- a/dist/index.js
+++ b/dist/index.js
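Review bot: `actions/checkout@v5` in the new `test` job is referenced by a mutable tag, whereas the Actionlint step in this file's preceding hunk is pinned to a full commit SHA with a version comment; pinning the new reference the same way (`- uses: actions/checkout@<full-commit-sha> # v5.x.y`) keeps the workflow's supply-chain posture consistent. The final `git clone` over ssh presumably proves the fetched keys only on the `ubuntu-slim` leg, since the `ubuntu-latest` image appears to ship github.com in its system known_hosts and the clone would succeed there even if the action appended nothing; a short comment on the matrix stating that intent would help the next reader. The `test` job is complete within the hunk.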
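Review bot: The new input's description says the keys are fetched but not from where; the implementation in this commit makes an unauthenticated request to `https://api.github.com/meta` at run time, and stating that here lets users with restricted egress or rate-limit concerns decide whether to enable it, e.g. `description: 'Whether to fetch GitHub host keys from https://api.github.com/meta and append them to known_hosts'`. The README line added in this commit could carry the same detail.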
@@ -3679,6 +3679,9 @@ try {
 const logPublicKey = core.getBooleanInput("log-public-key", {
 default: true,
 });
+ const fetchGithubHostKeys = core.getBooleanInput("fetch-github-host-keys", {
+ default: false,
+ });

 if (!privateKey) {
 core.setFailed(
@@ -3691,6 +3694,26 @@ try {
 const homeSsh = `${homePath}/.ssh`;
 fs.mkdirSync(homeSsh, { recursive: true });

+ if (fetchGithubHostKeys) {
+ console.log("Fetching GitHub host keys");
+ try {
+ const metaJson = child_process.execSync(
+ "curl --silent https://api.github.com/meta",
+ { encoding: "utf8" },
+ );
+
+ const meta = JSON.parse(metaJson);
+ const knownHostsFile = `${homeSsh}/known_hosts`;
+ const hostKeyLines = `${meta.ssh_keys.map((key) => `github.com ${key}`).join("\n")}\n`;
+ fs.appendFileSync(knownHostsFile, hostKeyLines);
+ console.log(
+ `Added ${meta.ssh_keys.length} GitHub host key(s) to known_hosts`,
+ );
+ } catch (error) {
+ console.warn(`Failed to fetch GitHub host keys: ${error.message}`);
+ }
+ }
+
 console.log("Starting ssh-agent");

 const authSock = core.getInput("ssh-auth-sock");
diff --git a/index.js b/index.js
index 0f3155f..e754a3f 100644
--- a/index.js
+++ b/index.js
@@ -11,6 +11,9 @@ try {
 const logPublicKey = core.getBooleanInput("log-public-key", {
 default: true,
 });
+ const fetchGithubHostKeys = core.getBooleanInput("fetch-github-host-keys", {
+ default: false,
+ });

 if (!privateKey) {
 core.setFailed(
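Review bot: The `{ default: false }` passed to `core.getBooleanInput` on the new side is not an option @actions/core reads — as far as I know InputOptions carries only `required` and `trimWhitespace` — so the effective default comes from the `default: false` this commit adds to action.yml, not from this object; if that action.yml default were ever dropped, an omitted input would reach `getBooleanInput` as an empty string, which it rejects. This mirrors the existing `log-public-key` call, so it is an inherited pattern rather than a new bug, but a comment such as `// default is declared in action.yml; getBooleanInput has no default option` would make the dependency explicit. The same lines appear in the dist/index.js hunk, which is regenerated by `npm run all`. The enclosing top-level `try` starts before this hunk.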
@@ -23,6 +26,26 @@ try {
 const homeSsh = `${homePath}/.ssh`;
 fs.mkdirSync(homeSsh, { recursive: true });

+ if (fetchGithubHostKeys) {
+ console.log("Fetching GitHub host keys");
+ try {
+ const metaJson = child_process.execSync(
+ "curl --silent https://api.github.com/meta",
+ { encoding: "utf8" },
+ );
+
+ const meta = JSON.parse(metaJson);
+ const knownHostsFile = `${homeSsh}/known_hosts`;
+ const hostKeyLines = `${meta.ssh_keys.map((key) => `github.com ${key}`).join("\n")}\n`;
+ fs.appendFileSync(knownHostsFile, hostKeyLines);
+ console.log(
+ `Added ${meta.ssh_keys.length} GitHub host key(s) to known_hosts`,
+ );
+ } catch (error) {
+ console.warn(`Failed to fetch GitHub host keys: ${error.message}`);
+ }
+ }
+
 console.log("Starting ssh-agent");

 const authSock = core.getInput("ssh-auth-sock");
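Review bot: The `curl --silent` call in the new block runs without `--fail`, so an HTTP error response (a 403 from the unauthenticated API rate limit, for instance) still exits 0, `JSON.parse` accepts the error document, and the only symptom is a TypeError from `meta.ssh_keys.map` reported through the catch. Since `execSync` throws only on a non-zero exit, adding `--show-error --fail` plus a `--max-time` (so a stalled connection cannot hang the job) and checking `Array.isArray(meta.ssh_keys)` before building the lines turns these into clear failures. The catch then downgrades a step the caller explicitly opted into to `console.warn`, which does not surface as a job annotation; `core.warning` would, and if the keys were the reason the input was set, `core.setFailed` may be the better choice, because the alternative is a host-key verification error on the first ssh operation further down. The enclosing top-level `try` starts and ends outside the hunk, and the dist/index.js hunk carries the same code (it is regenerated by `npm run all`).
```javascript
    if (fetchGithubHostKeys) {
      console.log("Fetching GitHub host keys");
      try {
        // --fail turns HTTP errors (e.g. a rate-limit response) into a non-zero
        // exit so execSync throws instead of handing JSON.parse an error body;
        // --max-time bounds the call so the job cannot hang here.
        const metaJson = child_process.execSync(
          "curl --silent --show-error --fail --max-time 30 https://api.github.com/meta",
          { encoding: "utf8" },
        );

        const meta = JSON.parse(metaJson);
        if (!Array.isArray(meta.ssh_keys) || meta.ssh_keys.length === 0) {
          throw new Error("response from api.github.com/meta has no ssh_keys array");
        }
        // … unchanged: build hostKeyLines, append to known_hosts, log the count …
      } catch (error) {
        // core.warning surfaces as a job annotation; console.warn only reaches the log.
        core.warning(`Failed to fetch GitHub host keys: ${error.message}`);
      }
    }
```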