tadodotcom · eifinger · Nov 23, 2025 · Nov 21, 2025
diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
@@ -0,0 +1,13 @@
+self-hosted-runner:
+  # Custom labels of self-hosted or large GitHub hosted runners
+  # so that actionlint knows that they are not a typo
+  labels:
+    - 4-core-16-ram-150-hdd
+    - 8-core-32-ram-300-hdd
+    - arm-ubuntu-medium
+    - arm-ubuntu-large
+    - arm-ubuntu-xlarge
+# Configuration variables in array of strings defined in your repository or
+# organization. `null` means disabling configuration variables check.
+# Empty array means no configuration variable is allowed.
+config-variables: null
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -16,12 +16,26 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Actionlint
-        uses: eifinger/actionlint-action@23c85443d840cd73bbecb9cddfc933cc21649a38  # v1.9.1
+        uses: eifinger/actionlint-action@213860089b7cf97d640aa67567898fabeb132746  # v1.9.3
       - uses: actions/setup-node@v4
         with:
           node-version: "20"
       - run: npm install
       - run: npm run all
       - name: Make sure no changes from linters are detected
         run: |
-          git diff --exit-code || (echo "::error::Please run 'npm run all' to fix the issues" && exit 1)
+          git diff --exit-code || (echo "::error::Please run 'npm run all' to fix the issues" && exit 1)
+  test:
+    strategy:
+      matrix:
+        runner: [ubuntu-slim, ubuntu-latest]
+    runs-on: ${{ matrix.runner }}
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+      - uses: ./
+        with:
+          ssh-private-key: ${{ secrets.CI_DEPLOY_KEY_PRIVATE_KEY }}
+          fetch-github-host-keys: ${{ matrix.runner == 'ubuntu-slim' }}
+      - run: git clone git@github.com:tadodotcom/ssh-agent.git /tmp/ssh-agent-clone
diff --git a/README.md b/README.md
@@ -84,6 +84,7 @@ The following inputs can be used to control the action's behavior:
 * `ssh-agent-cmd`: Optional. Use this to specify a custom location for the `ssh-agent` binary.
 * `ssh-add-cmd`: Optional. Use this to specify a custom location for the `ssh-add` binary.
 * `git-cmd`: Optional. Use this to specify a custom location for the `git` binary.
+* `fetch-github-host-keys`: Optional. When set to `true`, the action will fetch and add GitHub's SSH host keys to the `known_hosts` file.
 
 ## Exported variables
 

diff --git a/action.yml b/action.yml
@@ -19,6 +19,10 @@ inputs:
     git-cmd:
         description: 'git command'
         required: false
+    fetch-github-host-keys:
+        description: 'Whether to fetch and add GitHub host keys to known_hosts'
+        required: false
+        default: false
 runs:
     using: 'node20'
     main: 'dist/index.js'

diff --git a/dist/index.js b/dist/index.js
@@ -3679,6 +3679,9 @@ try {
   const logPublicKey = core.getBooleanInput("log-public-key", {
     default: true,
   });
+  const fetchGithubHostKeys = core.getBooleanInput("fetch-github-host-keys", {
+    default: false,
+  });
 
   if (!privateKey) {
     core.setFailed(
@@ -3691,6 +3694,26 @@ try {
   const homeSsh = `${homePath}/.ssh`;
   fs.mkdirSync(homeSsh, { recursive: true });
 
+  if (fetchGithubHostKeys) {
+    console.log("Fetching GitHub host keys");
+    try {
+      const metaJson = child_process.execSync(
+        "curl --silent https://api.github.com/meta",
+        { encoding: "utf8" },
+      );
+
+      const meta = JSON.parse(metaJson);
+      const knownHostsFile = `${homeSsh}/known_hosts`;
+      const hostKeyLines = `${meta.ssh_keys.map((key) => `github.com ${key}`).join("\n")}\n`;
+      fs.appendFileSync(knownHostsFile, hostKeyLines);
+      console.log(
+        `Added ${meta.ssh_keys.length} GitHub host key(s) to known_hosts`,
+      );
+    } catch (error) {
+      console.warn(`Failed to fetch GitHub host keys: ${error.message}`);
+    }
+  }
+
   console.log("Starting ssh-agent");
 
   const authSock = core.getInput("ssh-auth-sock");

diff --git a/index.js b/index.js
@@ -11,6 +11,9 @@ try {
   const logPublicKey = core.getBooleanInput("log-public-key", {
     default: true,
   });
+  const fetchGithubHostKeys = core.getBooleanInput("fetch-github-host-keys", {
+    default: false,
+  });
 
   if (!privateKey) {
     core.setFailed(
@@ -23,6 +26,26 @@ try {
   const homeSsh = `${homePath}/.ssh`;
   fs.mkdirSync(homeSsh, { recursive: true });
 
+  if (fetchGithubHostKeys) {
+    console.log("Fetching GitHub host keys");
+    try {
+      const metaJson = child_process.execSync(
+        "curl --silent https://api.github.com/meta",
+        { encoding: "utf8" },
+      );
+
+      const meta = JSON.parse(metaJson);
+      const knownHostsFile = `${homeSsh}/known_hosts`;
+      const hostKeyLines = `${meta.ssh_keys.map((key) => `github.com ${key}`).join("\n")}\n`;
+      fs.appendFileSync(knownHostsFile, hostKeyLines);
+      console.log(
+        `Added ${meta.ssh_keys.length} GitHub host key(s) to known_hosts`,
+      );
+    } catch (error) {
+      console.warn(`Failed to fetch GitHub host keys: ${error.message}`);
+    }
+  }
+
   console.log("Starting ssh-agent");
 
   const authSock = core.getInput("ssh-auth-sock");