Tags: ssh, github-actions, secrets

Github Actions secret name as a parameter


I want to create a workflow that can be manually triggered. It has multiple ssh private keys stored as secrets, and the user could choose any of them by passing their name into one of the workflow's input parameters, like so:

on:
  workflow_dispatch:
    inputs:
      ssh_private_key_secret:
        required: true
        type: string
        default: MAIN_PRIVATE_KEY

And then the workflow should set up SSH with the private key stored in the secret whose name was passed:

  - name: Set up SSH for public repo
    uses: webfactory/ssh-agent@v0.8.0
    with:
      ssh-private-key: ${{ secrets[github.event.inputs.ssh_private_key_secret] }}

However, with this syntax I get the following error:

Starting ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-Irn9AGWdotOb/agent.1923
SSH_AGENT_PID=1924
Adding private key(s) to agent
Error: Command failed: ssh-add -
Error loading key "(stdin)": error in libcrypto

What am I doing wrong?


Solution

  • The issue you're encountering is that GitHub Actions doesn't allow dynamic secret access using the syntax ${{ secrets[github.event.inputs.ssh_private_key_secret] }}. GitHub deliberately restricts this for security reasons - secrets must be referenced directly, not through variable interpolation.

    Instead of trying to dynamically reference secrets, use conditional steps based on the input:

    name: SSH Workflow
    on:
      workflow_dispatch:
        inputs:
          ssh_private_key_choice:
            required: true
            type: choice
            options:
              - main
              - secondary
              - development
            default: main
    
    jobs:
      deploy:
        runs-on: ubuntu-latest
        steps:
          - name: Checkout
            uses: actions/checkout@v4
    
          - name: Set up SSH with Main Key
            if: github.event.inputs.ssh_private_key_choice == 'main'
            uses: webfactory/ssh-agent@v0.8.0
            with:
              ssh-private-key: ${{ secrets.MAIN_PRIVATE_KEY }}
    
          - name: Set up SSH with Secondary Key
            if: github.event.inputs.ssh_private_key_choice == 'secondary'
            uses: webfactory/ssh-agent@v0.8.0
            with:
              ssh-private-key: ${{ secrets.SECONDARY_PRIVATE_KEY }}
    
          - name: Set up SSH with Development Key
            if: github.event.inputs.ssh_private_key_choice == 'development'
            uses: webfactory/ssh-agent@v0.8.0
            with:
              ssh-private-key: ${{ secrets.DEVELOPMENT_PRIVATE_KEY }}
    
          # Continue with your workflow steps...
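A fail-fast pre-check that complements the conditional steps above, written here as an added example and not taken from the answer or from webfactory/ssh-agent: it maps the `choice` input onto an allow-list of secret names and verifies that the resolved material looks like a private key before anything is piped to `ssh-add -`, since an empty or mis-resolved secret is a common cause of the libcrypto error shown in the question. The three secret names mirror the answer; exporting them into a `run:` step via `env:` is assumed.

```shell
#!/bin/sh
# Added example (not the answer's own code): validate the selected deploy key
# before it reaches ssh-agent. Secret names follow the answer above; the
# choice-to-secret mapping and the env: hand-off are assumptions.

# Map a workflow_dispatch choice to the single secret it may select.
# Anything outside the allow-list is rejected, so the input can never name
# an arbitrary secret.
secret_name_for_choice() {
  case "$1" in
    main)        echo MAIN_PRIVATE_KEY ;;
    secondary)   echo SECONDARY_PRIVATE_KEY ;;
    development) echo DEVELOPMENT_PRIVATE_KEY ;;
    *)           return 1 ;;
  esac
}

# Check that the material is framed like a PEM/OpenSSH private key. An empty
# or unresolved secret is what usually produces
# `Error loading key "(stdin)": error in libcrypto` from `ssh-add -`.
looks_like_private_key() {
  key="$1"
  [ -n "$key" ] || return 1
  first=$(printf '%s\n' "$key" | head -n 1)
  last=$(printf '%s\n' "$key" | sed '/^[[:space:]]*$/d' | tail -n 1)
  case "$first" in
    "-----BEGIN "*"PRIVATE KEY-----") ;;
    *) return 1 ;;
  esac
  case "$last" in
    "-----END "*"PRIVATE KEY-----") return 0 ;;
    *) return 1 ;;
  esac
}

# Resolve the choice to key material from the environment (the workflow step
# would pass the secrets in via env:) and validate it. Only diagnostics are
# written, never the key itself; stdout carries the key for the next step.
resolve_key() {
  name=$(secret_name_for_choice "$1") || { echo "unknown key choice: $1" >&2; return 2; }
  # name is allow-listed above, so this indirect expansion is safe.
  eval "key=\${$name:-}"
  if ! looks_like_private_key "$key"; then
    echo "secret $name is empty or not a PEM/OpenSSH private key" >&2
    return 3
  fi
  printf '%s\n' "$key"
}
```

In a workflow this runs as a `run:` step placed before the ssh-agent step, with the three secrets mapped into that step's `env:`.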