Github Actions and git clone issue - terraform

Having some problems using git clone from within GitHub Actions; I get the following no matter what I try:
The code that fails in my main.yml:
jobs:
  terraform:
    name: 'Terraform with Github Actions!'
    runs-on: ubuntu-latest
    steps:
      - name: 'Login to Azure'
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
      - name: 'Checkout'
        uses: actions/checkout@master
      - name: 'Preparing blueprint-environment'
        run: |
          snip
          git clone git@github.com:ourcompany/whateverrepo.git
Error message:
git@github.com: Permission denied (publickey).
I've seen many posts on adding ssh keys, but that's locally, not in an Ubuntu runner started by GitHub Actions - what am I missing here? I can't generate ssh keys and add the private key on the fly to the GitHub repo settings, so how can I fix this?

If you need to check out two repositories I would recommend using checkout again with a relative path. See the documentation on checking out multiple repos side by side. You may need to use a repo-scoped Personal Access Token (PAT).
- name: 'Checkout'
  uses: actions/checkout@v2
- name: 'Preparing blueprint-environment'
  uses: actions/checkout@v2
  with:
    token: ${{ secrets.PAT }}
    repository: ourcompany/whateverrepo
    path: whateverrepo
If it's really necessary, Deploy keys can be used to clone a repository via SSH.
Create a new SSH key pair for your repository. Do not set a passphrase.
Copy the contents of the public key (.pub file) to a new repository deploy key and check the box to "Allow write access."
Add a secret to the repository containing the entire contents of the private key.
As shown in the example below, configure actions/checkout to use the deploy key you have created.
steps:
  - uses: actions/checkout@v2
    with:
      ssh-key: ${{ secrets.SSH_PRIVATE_KEY }}

Related

Using secrets with azure/docker-login

I have a GitHub Action that uses azure/docker-login@v1 for building and pushing images to the Azure image registry, and it works.
Now, I want to pass GITHUB_TOKEN using Docker's secret flag, but it only accepts a file, and I don't know how to create a file using this action.
Is it possible?
For example, with docker/build-push-action I can do this below:
- name: Build docker image
  uses: docker/build-push-action@v2
  with:
    context: .
    secrets: |
      "github_token=${{ secrets.GITHUB_TOKEN }}"
How can I secure my image using azure/docker-login?
As the readme.md of the azure/docker-login action suggests:
Use this GitHub Action to log in to a private container registry such as Azure Container registry. Once login is done, the next set of actions in the workflow can perform tasks such as building, tagging and pushing containers.
You can set up your workflow so that it logs in using azure/docker-login and builds and pushes the image using docker/build-push-action, like this:
- uses: azure/docker-login@v1
  with:
    login-server: contoso.azurecr.io
    username: ${{ secrets.ACR_USERNAME }}
    password: ${{ secrets.ACR_PASSWORD }}
- uses: docker/build-push-action@v2
  with:
    push: true
    context: .
    secrets: |
      "github_token=${{ secrets.GITHUB_TOKEN }}"

github actions: pull and deploy private repo to VPS

I want to auto deploy my private repository on my VPS whenever I push changes to my main branch. My yaml file looks like this:
name: push-and-deploy-to-server
on:
  push:
    branches: [ main ]
jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - name: checkout repo
        uses: actions/checkout@v2
      - name: ssh and deploy
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.SSH_HOST }}
          username: ${{ secrets.SSH_USERNAME }}
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          port: 22
          script: |
            git pull origin main
            git status
            npm install --only=prod
            pm2 restart index.js
this is not working, I get the following error:
err: fatal: could not read Username for 'https://github.com': No such device or address
When ssh-ing into my server and cloning the repo myself, it asks for my username and password (access token). When I provide it, it works, but with the yaml file it doesn't.
How can I clone and deploy a private repo? It's a nodejs project btw.
Considering your setup:
a private GitHub repository with the given action on that repo
a VPS
What does your current configuration and GitHub secrets setup do?
you push code to your private repo
the action runs and, using appleboy/ssh-action@master, ssh's into your VPS
it then executes your commands, like git pull origin main, on your VPS
The issue you have is that your VPS is not authenticated to access your repository.
You have multiple options.
First option: ssh to your VPS as user ${{ secrets.SSH_USERNAME }} and authenticate that user against GitHub using your GitHub personal access token, which you can generate under https://github.com/settings/tokens, giving it read repo permissions. Then test that you can clone your repo onto the VPS; if so, your next build will succeed.
Second option: generate a new ssh key inside the VPS for ${{ secrets.SSH_USERNAME }} and add it under your repository settings under Deploy keys. When using a deploy key, you need to make sure that your repository remote on the VPS uses the git@github.com:<username>/<repository>.git git URL, not the https URL.
Third option: use an appleboy/scp-action step before appleboy/ssh-action to copy all contents of the current directory to your VPS, and then run your npm install etc. with appleboy/ssh-action.
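The second option above leaves two details to the reader: the remote must be in ssh form, and the deploy user should present only the deploy key, against a host key that was pinned in advance rather than accepted on first contact. The following shell script is an added example, not code from the question or the answers; it assumes git is installed on the VPS, that the deploy key file and a known_hosts file holding github.com's pinned host key already exist at the paths passed in, and that none of those paths contain whitespace.

```shell
#!/bin/sh
# Added example (not from the original answers): point a checkout on the VPS at
# the ssh remote and make git use a dedicated read-only deploy key with a pinned
# known_hosts file, so `git pull` never falls back to an https username prompt.
# Assumptions: git is installed; KEY_FILE and KNOWN_HOSTS already exist; paths
# contain no whitespace.

# to_ssh_url URL: rewrite https://github.com/<owner>/<repo>[.git] into
# git@github.com:<owner>/<repo>.git. Any other URL is returned unchanged.
to_ssh_url() {
  case "$1" in
    https://github.com/*)
      path="${1#https://github.com/}"   # strip scheme and host
      path="${path%.git}"               # strip the optional .git suffix
      printf 'git@github.com:%s.git\n' "$path"
      ;;
    *)
      printf '%s\n' "$1"
      ;;
  esac
}

# configure_deploy_remote REPO_DIR KEY_FILE KNOWN_HOSTS: switch "origin" to the
# ssh form and make every git ssh call in that repo use only the deploy key and
# only the pinned known_hosts file. Prints the resulting remote URL.
configure_deploy_remote() {
  repo_dir="$1"; key_file="$2"; known_hosts="$3"
  current=$(git -C "$repo_dir" remote get-url origin) || return 1
  git -C "$repo_dir" remote set-url origin "$(to_ssh_url "$current")" || return 1
  # IdentitiesOnly stops ssh from offering every key in ~/.ssh or the agent;
  # StrictHostKeyChecking=yes with a pinned file means an unexpected host key
  # fails the pull instead of being silently accepted and stored.
  git -C "$repo_dir" config core.sshCommand \
    "ssh -i $key_file -o IdentitiesOnly=yes -o UserKnownHostsFile=$known_hosts -o StrictHostKeyChecking=yes" \
    || return 1
  git -C "$repo_dir" remote get-url origin
}

# Usage on the VPS (constructed paths):
#   configure_deploy_remote /srv/app /home/deploy/.ssh/github_deploy_key /home/deploy/.ssh/known_hosts_github
```

Run it once as the deploy user; afterwards the `git pull origin main` in the workflow's script block authenticates with the deploy key alone, and a changed host key on github.com's side shows up as a failed pull rather than a quietly updated known_hosts.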
Your procedure may work if you have git installed on your server. But the scp project can also deploy the code directly to your server.
name: push-and-deploy-to-server
on:
  push:
    branches: [ main ]
jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - name: checkout repo
        uses: actions/checkout@v2
      - name: scp and deploy
        # scp-action is the one that takes source/target; ssh-action does not
        uses: appleboy/scp-action@master
        with:
          host: ${{ secrets.SSH_HOST }}
          username: ${{ secrets.SSH_USERNAME }}
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          source: "."
          target: "the/server/path"
I used an IP address instead of a domain name, cos I felt like my hosting service was screwing with me.
Check out this URL for more details

Kubescape report does not submit with github action

I'm trying to send a kubescape report via GitHub Actions and unfortunately I get the error shown below:
Scan results have not been submitted: Sign up for free:
https://portal.armo.cloud/account/sign-up
Of course I've created an account, and I try to submit the report like this:
kubescape:
  runs-on: ubuntu-20.04
  strategy:
    matrix: { dir_kube: ['ionos/kubernetes/dev/*.yaml', 'azure/kubernetes/prod/*.yaml', 'ionos/kubernetes/prod/*.yaml']}
  steps:
    - name: Clone repo
      uses: actions/checkout@master
    - name: Install kubescape
      run: curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
    # Scanning cluster, specified by filter path
    - name: Scan repository
      run: kubescape scan --submit --account=${{ secrets.KUBESCAPE_REPORT }} ${{ matrix.dir_kube }}
The secret corresponds to my account key.
What I've tried:
Replace the secret (In case I would have mistyped it)
add --verbose
add --logger debug
scan and send the report from my machine directly
(I manage to send the report correctly, but as you might guess, I don't want to do it from my machine, as it is a cron job.)
Is it even possible to do it from GA? Am I missing something?
Kubescape just released support for submitting file scans to the portal. Check it now with the latest version!
Set a github secret called KUBESCAPE_ACCOUNT.
Then, add the following code to your workflow (copied from here):
name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        continue-on-error: true
        with:
          format: sarif
          outputFile: results.sarif
          # Specify the Kubescape cloud account ID
          account: ${{secrets.KUBESCAPE_ACCOUNT}}
      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif

How can I configure GitHub Actions to build my Azure Static Web App with a dependency on a private repository?

I've built an Azure Static Web App with one API function which has one dependency. This dependency sits in a private repository on GitHub. On my local dev machine I'm able to build the Functions app by downloading the dependency using SSH authentication. When trying to deploy to Azure using GitHub Actions I get the error Host key verification failed.
My GitHub Actions workflow is similar to the default workflow generated by Azure Static Web App, with the addition of using webfactory/ssh-agent for facilitating the SSH authentication on GitHub to retrieve the private repository Y and a run step with git clone for testing purposes:
# ... Same as on https://learn.microsoft.com/en-us/azure/static-web-apps/github-actions-workflow
jobs:
  build_and_deploy_job:
    runs-on: ubuntu-latest
    name: Build and Deploy Job
    steps:
      - uses: actions/checkout@v2
        with:
          submodules: true
          persist-credentials: false
      - uses: webfactory/ssh-agent@v0.5.1
        with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE }}
      - run: |
          git clone ssh://git@github.com/X/Y.git Z
          ls -la Z
      - name: Build And Deploy
        id: builddeploy
        uses: Azure/static-web-apps-deploy@v0.0.1-preview
        with:
          azure_static_web_apps_api_token: ${{ secrets.AZURE_TOKEN }}
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          action: "upload"
          app_location: "/"
          api_location: "api"
          output_location: "build"
# ... Same as on https://learn.microsoft.com/en-us/azure/static-web-apps/github-actions-workflow
In my private repository Y I've added the public key associated to private key secrets.SSH_PRIVATE as a deploy key.
After running the workflow it shows that the git clone command ran correctly, as the ls -la command displays the directories and files in my private repository. However, the build process of my API (yarn install --prefer-offline --production) results in the error Host key verification failed when yarn is fetching the packages. As a result, GitHub Actions cannot download the dependency in my private repository and cannot build the API. This ends with a failed workflow.
After analyzing Azure/static-web-apps-deploy@v0.0.1-preview I noticed it uses Oryx to start a Docker container for the build process of the Azure Static Web App. This container is unaware of the ssh-agent that was initialized using webfactory/ssh-agent on the host VM. As a result the yarn install triggered in Azure/static-web-apps-deploy@v0.0.1-preview couldn't download the dependency that was in my private repository and failed the installation.
To circumvent this I've refactored my private dependency to use it as a git submodule instead, because submodules can be loaded prior to the build process using actions/checkout. This was achieved by adding only two extra lines to the workflow file that is generated by Azure Static Web Apps. I've highlighted these two lines with a trailing # ADDED in the following snippet of my workflow file:
jobs:
  build_and_deploy_job:
    runs-on: ubuntu-latest
    name: Build and Deploy Job
    steps:
      - uses: actions/checkout@v2
        with:
          ssh-known-hosts: "github.com" # ADDED
          ssh-key: ${{ secrets.SSH_PRIVATE }} # ADDED
          submodules: true
      - name: Build And Deploy
        id: builddeploy
        uses: Azure/static-web-apps-deploy@v0.0.1-preview
        ...

how to run a node.js github repository as a service in another repository on github actions

So I have a project that needs a "fake" API to do some functional testing on user scenarios, so my idea was to create a simple little node.js project and get it to return some dummy JSON data depending on a few endpoints, to test several use cases of my application.
I have a separate repository containing this fake API and I'm wondering how I should go about adding it into my github actions workflow?
You can use actions/checkout@v2 to pull another repo into your worker.
See the example below:
name: PullExternalRepo
on: workflow_dispatch
jobs:
  PullRepo:
    runs-on: ubuntu-latest
    steps:
      - name: Install Node
        uses: actions/setup-node@v2-beta
        with:
          node-version: '12'
      - name: Install external repo
        uses: actions/checkout@v2
        with:
          repository: your_org/repo_name
          path: './place/to/clone/repo/into'
      - name: Install deps and run
        run: |
          cd ./place/to/clone/repo/into
          npm install
          npm start
Added note about pulling specific branches:
If you are trying to pull a non-default branch, you need to add the ref property to the checkout action, as seen in the example below.
...
- name: Install external repo
  uses: actions/checkout@v2
  with:
    repository: your_org/repo_name
    path: './place/to/clone/repo/into'
    ref: 'some-other-branch'
...
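One practical gap in the answer above: a foreground `npm start` in a run step never returns, so the job sits there until its timeout and the tests in a later step never run. The shell helpers below are an added example, not code from the answer or from the actions/checkout project; they assume curl is available on the runner and that the fake API exposes an HTTP endpoint (the URL passed in) that returns a success status once it is ready.

```shell
#!/bin/sh
# Added example (not from the original answer): start the fake API in the
# background, wait until it actually answers, and hand back its PID so the
# workflow step can run the tests and then stop it. Assumes curl is installed
# and the service exposes a readiness URL that returns 2xx/3xx when up.

# wait_for_url URL TIMEOUT_SECONDS: poll URL once per second until it answers;
# returns 0 on success, 1 if the deadline passes.
wait_for_url() {
  url="$1"; deadline="$2"; waited=0
  while [ "$waited" -lt "$deadline" ]; do
    if curl -fsS -o /dev/null --max-time 1 "$url"; then
      return 0
    fi
    sleep 1
    waited=$((waited + 1))
  done
  return 1
}

# start_service DIR CMD URL TIMEOUT: run CMD inside DIR in the background, wait
# for URL, and print the background PID on success. On timeout the process is
# killed and the function returns 1, so the step fails instead of hanging.
start_service() {
  dir="$1"; cmd="$2"; url="$3"; timeout="$4"
  ( cd "$dir" && exec sh -c "$cmd" ) &
  pid=$!
  if wait_for_url "$url" "$timeout"; then
    echo "$pid"
    return 0
  fi
  kill "$pid" 2>/dev/null
  return 1
}

# Usage inside a workflow `run:` step (constructed paths and URL):
#   API_PID=$(start_service ./place/to/clone/repo/into "npm start" http://127.0.0.1:3000/health 30)
#   npm test
#   kill "$API_PID"
```

Because the helper gives up after the timeout and kills the child, a fake API that fails to start surfaces as a failed step with the service's own output in the log, rather than a job that runs until the workflow timeout.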
