I see 2 options here, using ssh-agent:

```yaml
name: deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-20.04
    env:
      USER_HOST: ec2-user@ec2...
      HOST_KEY: ec2... ecdsa-sha2-nistp256 AAAA...mXU=
    steps:
      - name: Check out the code
        uses: actions/checkout@v2
      - name: Run ssh-agent
        uses: webfactory/[email protected]
        with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
      - name: Add the host key to ~/.ssh/known_hosts
        run: |
          echo "$HOST_KEY" >> ~/.ssh/known_hosts
      - name: Deploy
        run: |
          set -x
          BRANCH=${GITHUB_REF#refs/heads/}
          cat .github/deploy.sh | ssh -T "$USER_HOST" sh -s "$BRANCH"
```
And without ssh-agent:

```yaml
name: deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-20.04
    env:
      USER_HOST: ec2-user@ec2...
      HOST_KEY: ec2... ecdsa-sha2-nistp256 AAAA...mXU=
    steps:
      - name: Check out the code
        uses: actions/checkout@v2
      - name: Set up ssh
        run: |
          set -x
          mkdir ~/.ssh
          echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_rsa
          chmod 0600 ~/.ssh/id_rsa
          echo "$HOST_KEY" >> ~/.ssh/known_hosts
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
      - name: Deploy
        run: |
          set -x
          BRANCH=${GITHUB_REF#refs/heads/}
          cat .github/deploy.sh | ssh -Ti ~/.ssh/id_rsa "$USER_HOST" sh -s "$BRANCH"
```
Are both of them safe? Or should one of them be preferred? webfactory/ssh-agent doesn't store the key on disk.
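For comparison, here is a hardened form of the "without ssh-agent" step as an added example (not from the question or from webfactory/ssh-agent): the key is written with a restrictive umask into a private temporary directory instead of `~/.ssh/id_rsa`, ssh is told to use only that identity and only the pinned host key, and the directory is wiped when the deploy step exits. The function names, `id_deploy` file name and the use of `$SSH_PRIVATE_KEY`/`$HOST_KEY` environment variables are assumptions.

```shell
#!/bin/sh
# Added example: hardened "key on disk" variant of the deploy step above.
# Assumes the key material and the pinned host-key line are passed in as
# arguments (in the workflow they would come from $SSH_PRIVATE_KEY and $HOST_KEY).

# setup_ssh_dir KEY_MATERIAL HOST_KEY_LINE
# Creates a private temp dir holding the key and a dedicated known_hosts file,
# and prints the directory path. umask 077 ensures the files are mode 0600
# from the moment they are created, so there is no window where they are
# readable by other users on the runner.
setup_ssh_dir() {
    dir=$(mktemp -d) || return 1
    (
        umask 077
        printf '%s\n' "$1" > "$dir/id_deploy"
        printf '%s\n' "$2" > "$dir/known_hosts"
    ) || return 1
    printf '%s\n' "$dir"
}

# ssh_opts DIR
# Prints ssh options that use only the deploy key and only the pinned host key:
#   IdentitiesOnly=yes       - do not offer any other keys found on the runner
#   StrictHostKeyChecking=yes - fail instead of prompting or auto-accepting
#   UserKnownHostsFile       - ignore ~/.ssh/known_hosts entirely
ssh_opts() {
    printf '%s' "-o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$1/known_hosts -i $1/id_deploy"
}

# deploy DIR USER_HOST BRANCH SCRIPT
# Runs SCRIPT on the remote host via ssh and removes the key directory on exit,
# whether the deploy succeeds or fails. Requires network access to USER_HOST.
deploy() {
    dir=$1
    trap 'rm -rf "$dir"' EXIT INT TERM
    # shellcheck disable=SC2046  # options contain no spaces in mktemp paths
    ssh -T $(ssh_opts "$dir") "$2" sh -s "$3" < "$4"
}
```

In the workflow the step would be `d=$(setup_ssh_dir "$SSH_PRIVATE_KEY" "$HOST_KEY") && deploy "$d" "$USER_HOST" "${GITHUB_REF#refs/heads/}" .github/deploy.sh`.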