Pull deploy, github actions and ssh keys

Solution 1:

Keys are added to account, not to the repository.

That is why you have deploy keys, per repository.

https://docs.github.com/assets/cb-44521/images/add-deploy-key.png

A GitHub Action like webfactory/ssh-agent for instance does have support for Deploy keys.

To support picking the right key in this use case, this action scans key comments and will set up extra Git and SSH configuration to make things work.

  • When creating the deploy key for a repository like git@github.com:owner/repo.git or https://github.com/owner/repo, put that URL into the key comment. (Hint: Try ssh-keygen ... -C "git@github.com:owner/repo.git".)
  • After keys have been added to the agent, this action will scan the key comments.
  • For key comments containing such URLs, a Git config setting is written that uses url.<base>.insteadof. It will redirect git requests to URLs starting with either https://github.com/owner/repo or git@github.com:owner/repo to a fake hostname/URL like git@key-1234...:owner/repo.
  • An SSH configuration section is generated that applies to the fake hostname. It will map the SSH connection back to github.com, while at the same time pointing SSH to a file containing the appropriate key's public part. That will make SSH use the right key when connecting to GitHub.com.

You then get a GitHub Actions configuration like this example:

name: Deploy
on:
  push:
    tags:
      - 'GA*'
# ...
- name: Install SSH Client 🔑
  uses: webfactory/ssh-agent@<version>   # pin a released tag of the action here
  with:
    ssh-private-key: ${{ secrets.DEPLOY_KEY }}

- name: Deploy 🚀
  uses: JamesIves/github-pages-deploy-action@<version>   # pin a released tag of the action here
  with:
    BASE_BRANCH: master
    BRANCH: gh-pages
    CLEAN: true
    FOLDER: .
    SSH: true
# ...

From the command line, since GitHub CLI gh 2.5.0 (Feb. 2022): gh repo deploy-key

gh repo deploy-key add <key-file> [flags]

# generate a passwordless SSH key and add it as a deploy key to a repository
$ ssh-keygen -t ed25519 -C "my description" -N "" -f ~/.ssh/gh-test
$ gh repo deploy-key add ~/.ssh/gh-test.pub

See issue 4242 from context.
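The four bullet points above describe the mechanism in prose; the script below, an added example that is not code from the answer or from webfactory/ssh-agent, reproduces it end to end so the generated Git and SSH configuration can be inspected. It reads the repository URL from a key comment, rewrites both URL spellings of that repository to a fake hostname with url.<base>.insteadOf, and emits an SSH Host stanza that maps the fake host back to github.com with the key pinned. The fake-host naming scheme (key-owner-repo.github.com), the output file names and the sample public key are assumptions; the key material is constructed for illustration and is not a real key.

```shell
#!/bin/sh
# Added example, not code from webfactory/ssh-agent: it reproduces the mechanism the
# answer describes (key comment -> Git insteadOf rewrite -> SSH Host stanza) so the
# generated configuration can be inspected. Paths, the fake-host naming scheme and
# the sample key below are assumptions; the key material is constructed, not real.
set -eu

# Constructed sample public key: the comment (third field onward) carries the repo URL,
# as the answer recommends via `ssh-keygen -C`.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYMATERIALFORILLUSTRATION git@github.com:owner/repo.git'

# Map a key comment to "owner/repo". Accepts the SSH and HTTPS spellings of a GitHub
# URL; returns 1 (prints nothing) for any other comment, so unrelated keys are skipped.
repo_from_comment() {
  comment=$1
  case "$comment" in
    git@github.com:*)     path=${comment#git@github.com:} ;;
    https://github.com/*) path=${comment#https://github.com/} ;;
    *) return 1 ;;
  esac
  path=${path%.git}
  path=${path%/}
  printf '%s\n' "$path"
}

# Deterministic fake hostname per repository (assumed naming scheme). It only has to be
# unique per key; the SSH stanza maps it back to github.com.
fake_host_for() {
  printf 'key-%s.github.com\n' "$(printf '%s' "$1" | tr '/' '-')"
}

# Git config: both URL spellings of the repo are rewritten to the fake host, so every
# clone/fetch/push for this repo (and only this repo) goes through that SSH stanza.
git_config_for() {
  host=$1; repo=$2
  printf '[url "git@%s:%s"]\n' "$host" "$repo"
  printf '\tinsteadOf = https://github.com/%s\n' "$repo"
  printf '\tinsteadOf = git@github.com:%s\n' "$repo"
}

# SSH config: map the fake host back to github.com and pin the identity. IdentityFile
# may point at the .pub file when the private key lives in the agent; IdentitiesOnly
# stops ssh from offering every other agent key first. GitHub authenticates with the
# first offered key it recognizes, so without this a user key could be picked instead
# of the per-repository deploy key.
ssh_config_for() {
  host=$1; pubkey_file=$2
  printf 'Host %s\n' "$host"
  printf '\tHostName github.com\n'
  printf '\tUser git\n'
  printf '\tIdentityFile %s\n' "$pubkey_file"
  printf '\tIdentitiesOnly yes\n'
}

# Wire it together: given one public-key line and an output directory, write the
# public key file plus gitconfig/ssh_config fragments and print the fake host used.
configure_deploy_key() {
  pubkey=$1; outdir=$2
  comment=$(printf '%s\n' "$pubkey" | cut -d' ' -f3-)
  repo=$(repo_from_comment "$comment") || { echo "no repo URL in key comment" >&2; return 1; }
  host=$(fake_host_for "$repo")
  pubkey_file=$outdir/$host.pub
  printf '%s\n' "$pubkey" > "$pubkey_file"
  git_config_for "$host" "$repo" >> "$outdir/gitconfig"
  ssh_config_for "$host" "$pubkey_file" >> "$outdir/ssh_config"
  printf '%s\n' "$host"
}

# Demo run into a scratch directory; prints the two generated fragments.
demo_dir=$(mktemp -d)
configure_deploy_key "$SAMPLE_PUBKEY" "$demo_dir" >/dev/null
cat "$demo_dir/gitconfig" "$demo_dir/ssh_config"
```

The action writes the equivalent settings into the runner's ~/.gitconfig and ~/.ssh/config; here they land in a scratch directory so you can review them before trusting them, which is also a handy way to check that a deploy key only ever reaches the one repository it was created for.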