git ubuntu github github-actions

Git Permission denied (publickey) when accessing server through Github Actions CI/CD


When I connect to my server through my local computer I can successfully connect to GitHub using ssh.

I used this tutorial to set up the ssh keys.

However, when using GitHub Actions I get this error:

err: git@github.com: Permission denied (publickey).
err: fatal: Could not read from remote repository.
err: 
err: Please make sure you have the correct access rights
err: and the repository exists.

This is my GitHub Actions YML:

name: CI App to DO

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

jobs:
  deploy-do:
    runs-on: ubuntu-latest
    steps:
      - name: SSH to server and Deploy App
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.SSH_HOST }}
          username: ${{ secrets.SSH_USERNAME }}
          key: ${{ secrets.SSH_KEY }}
          port: ${{ secrets.SSH_PORT }}
          script: |
            cd ~/app
            git pull origin master
            npm run build
            pm2 restart next

When running ssh-add -l on the server through my local machine I get my key, but when doing the same through the GitHub Actions workflow I get:

The agent has no identities.

My server is hosted on a Digital Ocean Droplet using Ubuntu 20.04. As stated previously, this works great when connecting to my server through my local machine and doing the git pull there. I use MobaXterm for connecting to my droplet.


Edit: I am able to make this work when not using a passphrase.

On my local machine I'm using MobaXterm


Solution

  • Since the passphrase seems to be the issue, you might need to add your key to the ssh agent in your GitHub Action workflow.
    See as an example "Using a SSH deploy key in GitHub Actions to access private repositories" from Matthias Pigulla, which proposes:

    # .github/workflows/my-workflow.yml
    # ... other config here
    jobs:
        build:
            runs-on: ubuntu-18.04
            steps:
                -   uses: actions/checkout@v1
    
                -   name: Setup SSH Keys and known_hosts
                    env:
                        SSH_AUTH_SOCK: /tmp/ssh_agent.sock
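                    run: |
                        mkdir -p ~/.ssh
                        # Trusts whatever host key is returned at run time (no pinning)
                        ssh-keyscan github.com >> ~/.ssh/known_hosts
                        # Start an agent on a fixed socket so later steps can reach it
                        ssh-agent -a $SSH_AUTH_SOCK > /dev/null
                        # Load the private key from the repository secret via stdin
                        ssh-add - <<< "${{ secrets.SSH_PRIVATE_KEY }}"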
    
                -   name: Some task that fetches dependencies
                    env:
                        SSH_AUTH_SOCK: /tmp/ssh_agent.sock
                    run: ./fetch-deps.sh
    

    But he has also since defined actions/webfactory-ssh-agent.

    This action

    • starts the ssh-agent,
    • exports the SSH_AUTH_SOCK environment variable,
    • loads a private SSH key into the agent and
    • configures known_hosts for GitHub.com.