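# Composite action: load an SSH private key into a freshly started ssh-agent.
#
# Key material supplied as `private_key` is staged on an in-memory tmpfs
# (mounted by LeastAuthority/mount-tmpfs-action), loaded into the agent, and
# the tmpfs is unmounted again, so the private key never touches the runner's
# persistent disk. Alternatively `private_key` may be a path to a key file that
# already lives on tmpfs; the action refuses to load a key from any other
# filesystem.
#
# Caveat: composite actions have no post-step, so the agent is left running
# when the job ends. Hosted runners are discarded after the job; on
# self-hosted or otherwise persistent runners the caller should kill the agent
# (`ssh-agent -k`) in a final step so the key does not outlive the job.
name: 'ssh-agent'
description: 'Load an SSH key into an ssh-agent, staging the key file on an in-memory tmpfs'
inputs:
  private_key:
    description: >-
      SSH private key material (usually from secrets), or a path to a key file
      that already lives on a tmpfs mount
    required: true
  auth_sock_path:
    description: 'Path to the authentication socket'
    required: false
    default: ${{ github.workspace }}/S.agent.ssh
  auth_sock_name:
    description: 'Name of the environment variable that receives the authentication socket path'
    required: false
    default: SSH_AUTH_SOCK
outputs:
  public_key:
    description: 'SSH public key if loaded'
    value: ${{ steps.agent.outputs.public_key }}
runs:
  using: "composite"
  steps:
    # Any PEM-armoured private key (OpenSSH, RSA, EC, PKCS#8, ...) starts with
    # "-----BEGIN "; anything else is treated as a path to an existing file.
    - name: Create tmpfs to write the key
      id: tmpfs
      if: startsWith(inputs.private_key, '-----BEGIN ')
      uses: LeastAuthority/mount-tmpfs-action@v1

    - name: Write the key to tmpfs
      id: key_to_file
      if: steps.tmpfs.outcome == 'success'
      shell: bash
      # Inputs reach the script through the environment, never via ${{ }}
      # inside `run:`. Expression expansion happens before bash parses the
      # script, so splicing the key (or any caller-controlled input) into the
      # script text is a command-injection vector, and it also breaks on keys
      # containing shell metacharacters or a line equal to a heredoc delimiter.
      env:
        KEY_MATERIAL: ${{ inputs.private_key }}
        KEY_FILE: ${{ steps.tmpfs.outputs.mnt }}/ssh_key
      run: |
        set -euo pipefail
        # Create the file already restricted to the owner instead of
        # tightening permissions after the bytes are in place.
        umask 077
        printf '%s\n' "$KEY_MATERIAL" > "$KEY_FILE"
        chmod 0600 "$KEY_FILE"

    - name: Verify key file
      id: verify
      shell: bash
      env:
        TMPFS_MOUNTED: ${{ steps.tmpfs.outcome == 'success' }}
        TMPFS_KEY_FILE: ${{ steps.tmpfs.outputs.mnt }}/ssh_key
        INPUT_PRIVATE_KEY: ${{ inputs.private_key }}
      run: |
        set -euo pipefail
        # Resolve the path to the key: the file written above, or the
        # caller-supplied path when no key material was given.
        if [ "$TMPFS_MOUNTED" = "true" ]; then
          path_to_key="$TMPFS_KEY_FILE"
        else
          path_to_key="$INPUT_PRIVATE_KEY"
        fi
        # Fail if the key file is not on tmpfs! Check the filesystem type
        # rather than df's first column, which is the mount's device name and
        # need not literally be "tmpfs". (GNU coreutils / Linux only, as is the
        # tmpfs mount step itself.)
        [ "$(stat -f -c '%T' "$path_to_key")" = "tmpfs" ] || {
          echo ":x: File private_key is not on tmpfs: consider revoking!" >> "$GITHUB_STEP_SUMMARY"
          exit 1
        }
        # Store key path for the next step.
        echo "PRIVATE_KEY=${path_to_key}" >> "$GITHUB_ENV"

    - name: Start an agent with the key
      id: agent
      shell: bash
      env:
        AUTH_SOCK_PATH: ${{ inputs.auth_sock_path }}
        AUTH_SOCK_NAME: ${{ inputs.auth_sock_name }}
      run: |
        set -euo pipefail
        echo ":rocket: SSH agent operations started" >> "$GITHUB_STEP_SUMMARY"
        # Capture ssh-agent's output before eval'ing it: `eval "$(ssh-agent ...)"`
        # succeeds even when ssh-agent fails (eval of an empty string is a
        # no-op), so the failure branch would otherwise never be taken.
        agent_env="$(ssh-agent -a "$AUTH_SOCK_PATH" -s)" \
          && echo ":heavy_check_mark: SSH agent creation succeeded" >> "$GITHUB_STEP_SUMMARY" \
          || { echo ":x: SSH agent creation failed" >> "$GITHUB_STEP_SUMMARY"; exit 1; }
        eval "$agent_env"
        # Load the key in the agent; PRIVATE_KEY was exported by the verify step.
        ssh-add "$PRIVATE_KEY" \
          && echo ":heavy_check_mark: SSH key loading succeeded" >> "$GITHUB_STEP_SUMMARY" \
          || { echo ":x: SSH key loading failed" >> "$GITHUB_STEP_SUMMARY"; exit 1; }
        # The output name must match the `public_key` output declared above
        # (a misspelled name here leaves the declared output empty). The
        # delimiter form stays well-formed even if `ssh-add -L` prints several
        # lines.
        {
          echo "public_key<<SSH_AGENT_ACTION_EOF"
          ssh-add -L
          echo "SSH_AGENT_ACTION_EOF"
        } >> "$GITHUB_OUTPUT"
        # Export the agent socket for later steps. The variable name is caller
        # supplied; refuse anything that is not a plain identifier so it cannot
        # corrupt $GITHUB_ENV.
        if ! [[ "$AUTH_SOCK_NAME" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
          echo ":x: auth_sock_name is not a valid environment variable name" >> "$GITHUB_STEP_SUMMARY"
          exit 1
        fi
        echo "${AUTH_SOCK_NAME}=${SSH_AUTH_SOCK}" >> "$GITHUB_ENV"

    - name: Cleanup
      id: cleanup
      # always(): unmount (and so release) the key file even when a later step
      # failed, not only on the happy path; otherwise a failed ssh-add leaves
      # the key material mounted for the rest of the job.
      if: always() && steps.tmpfs.outcome == 'success'
      shell: bash
      env:
        TMPFS_MNT: ${{ steps.tmpfs.outputs.mnt }}
      run: |
        sudo umount "$TMPFS_MNT"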