add support for SSH

vouch-opensource · Jan 30, 2020 · a093556 · a093556
1 parent 70f91fd
commit a093556
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,7 @@
 FROM vouchio/clj-jdk8-alpine:1.10.1
 
+RUN apk add --update --no-cache openssh
+
 COPY entrypoint.sh /entrypoint.sh
 
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/README.md b/README.md
@@ -19,12 +19,43 @@ Note: Since the action is not interactive, it invokes the CLI via `clojure` rath
 
 **Optional:** Any java opts (eg `-Xmx512m`)
 
+**Default:** none are set
+
+### `ssh-key`
+
+**Optional:** A GitHub secret that has the The SSH key needed to access code from other private repositories (eg `${{ secrets.SSH_PRIVATE_KEY }}`)
+
+**Default:** no SSH agent is started or key used
+
+### Why an SSH key?
+When running this action to you might need to fetch dependencies from your other private repositories.
+
+GitHub Actions only have access to the repository they run for. To access additional private repositories you need to provide an SSH key with sufficient access privileges.
+
+_Please note that there are some other actions on the GitHub marketplace that enable setting up an SSH agent. Our experience is that the mechanisms to support SSH agent interplay between actions is complex and complexity brings risks. We think that it is more straightforward and secure to have this action support the feature within its own scope. We will continue to review this choice as the Docker options improve and the GitHub environment matures._
+
+**For security purposes, we do not expose the SSH agent outside of this action.**
+
+### SSH Setup
+1. Create an SSH key with sufficient access privileges. For security reasons, don't use your personal SSH key but set up a dedicated one for use in GitHub Actions. See the [Github documentation](https://developer.github.com/v3/guides/managing-deploy-keys/) for more support.
+1. Make sure you **don't have a passphrase** set on the private key.
+1. In your repository, go to the _Settings > Secrets_ menu and create a new secret. In this example, we'll call it `SSH_PRIVATE_KEY`. Put the contents of the private SSH key file into the contents field.
+1. This key must start with `-----BEGIN ... PRIVATE KEY-----`, consist of many lines and ends with `-----END ... PRIVATE KEY-----`.
+
 ## Example usage - default, to run `:test` alias
 
 ```yaml 
 uses: actions/tools.deps-builder@v1
 ```
 
+## Example usage - pass an SSH key to run the tests
+
+```yaml 
+uses: actions/tools.deps-builder@v1
+with:
+  ssh-key: ${{ secrets.SSH_PRIVATE_KEY }}
+```
+
 ## Example usage - invoke `:xyz` alias
 
 ```yaml 

diff --git a/action.yml b/action.yml
@@ -12,10 +12,14 @@ inputs:
   java-opts:
     description: 'Any java opts (eg -Xmx512m)'
     required: false
+  ssh-key:
+    description: 'A GitHub secret that has the SSH key to access other private repositories (eg `${{ secrets.SSH_PRIVATE_KEY }}`)'
+    required: false
 runs:
   using: 'docker'
   image: 'Dockerfile'
   args:
     - ${{ inputs.alias }}
     - ${{ inputs.java-opts }}
+    - ${{ inputs.ssh-key }}
 
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -4,9 +4,12 @@ set -e
 
 # Use :test as the default alias
 aliases=${1:-":test"}
-javaOpts=$2
 
 a_Opts="-A$aliases"
+
+# Java opts
+javaOpts=$2
+
 j_Opts=""
 
 if [[ -n $javaOpts ]]
@@ -16,6 +19,24 @@ then
   j_Opts=$(for j in "${optsArray[@]}" ; do echo "-J$j" ; done)
 fi
 
+# SSH key
+sshKey=$3
+
+if [[ -n $sshKey ]]
+then
+
+  eval "$(ssh-agent -s)"
+
+  ssh-keyscan github.com >> ~/.ssh/known_hosts
+
+  SSH_KEY=~/.ssh/github_rsa
+
+  echo $sshKey > $SSH_KEY
+  chmod 600 $SSH_KEY
+  ssh-add $SSH_KEY
+
+fi
+
 # Log the actions
 set -x