Using an SSH Keypair to grant access to private dependencies

Brandon Sturgeon edited this page Jun 9, 2022 · 3 revisions

(Interested in a simpler solution? Check out how to use Personal Access Tokens instead)

Using GitHub Actions

To grab private dependencies in our GitHub Action, we'll need to do a few things:

  • Generate a new SSH keypair
  • Add the Public key to the dependency's Deploy Keys
  • Add the Private key to your project's Secrets
  • Update your workflow file

We'll take it step-by-step.

(Heads Up: As the name implies, the "Private Key" is Private! Don't share it with anyone)


Generating a new SSH Keypair

We need to securely grant our project (read-only) access to our dependency. To do this, we generate an SSH keypair.

(If you're already familiar with this process, you can go ahead and skip to Adding Your Keypairs.)

Windows

PUTTYgen instructions

On Windows, you'll use PUTTYgen. Hit the Windows key and type puttygen.

If you see the application, go ahead and open it. If you don't see it, you'll need to download it: https://www.putty.org/

First, change the "Number of bits in a generated key:" to 4096 (optional). Then we'll just click "Generate".

You'll be asked to jiggle your mouse around to generate some randomness. Just do a little dance with your mouse until it's done (or continue if you want to!).

Now your public/private keys are generated. You want to save both the "Public" and "Private" keys. Click each of the buttons, saving them somewhere that you can find them (make sure you can tell the difference between the two! You could name one "sshkey-public" and the other "sshkey-private").

Make sure you don't set a password on this key!

Great! You're all set. Now you can continue to the Adding Your Keypairs section.

OSX/Linux

ssh-keygen instructions

Generating the keypairs is a lot easier on a ✨ uNiX syStEm ✨

Assuming you have the ssh-keygen tool (you'll quickly find out if you don't! - just download it if you need it), run the following command.

Just hit [Enter] through all of the prompts. You don't want a password on this keypair.

ssh-keygen -o -a 100 -t ed25519 -f ~/gluatest_example

In your home directory, you'll end up with two files: gluatest_example and gluatest_example.pub.

The .pub is, of course, the Public key. The other one is the Private key.

There you go! You can continue to the Adding Your Keypairs section.


Adding your keypairs

(This section assumes both repositories are hosted on GitHub. You'll need to translate for other git hosts.)

Okay, so let's get a few things straight.

There are two code repositories involved here:

  • Your Project (the project that you're adding GLuaTest to, which requires The Dependency to run)
  • The Dependency (the project that your project requires)

We need to add the Private Key to Your Project. Open Your Project's settings, go to "Secrets", then "Actions".

Now we'll create a new Repository Secret.

The Name of the secret will be SSH_PRIVATE_KEY (or whatever you'd like, just remember to use that same name later in the instructions). Now paste your Private Key into the Value input.

Save that Secret.


Now we need to add the Public Key to The Dependency. Open The Dependency's settings, go to "Deploy Keys".

  • Call it something that explains that it's used for GLuaTest, then paste your Public Key into the Key input. (Do not select "Allow write access")

Okay! You're finally done with SSH Keys!


Updating the workflow file

Your Project's existing Workflow might look something like this:

name: GLuaTest Runner

on:
  pull_request:

jobs:
  run-tests:
    uses: CFC-Servers/GLuaTest/.github/workflows/run_tests.yml@main
    with:
        gamemode: "darkrp"

We just need to add a reference to the SSH key in there:

name: GLuaTest Runner

on:
  pull_request:

jobs:
  run-tests:
    uses: CFC-Servers/GLuaTest/.github/workflows/run_tests.yml@main
    with:
        gamemode: "darkrp"
+       ssh-private-key: "${{ secrets.SSH_PRIVATE_KEY }}"
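
Review bot: the added ssh-private-key line hands the private key to the reusable workflow named on the uses: line, which is referenced as run_tests.yml@main. @main is a branch ref that can move, so whatever that branch contains at run time receives the secret. Consider pinning uses: to the full commit SHA of a revision you have reviewed, and bump it deliberately when you want a newer version.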

DONE - your GLuaTest workflow should have read-only access to your dependency.

You can (and should!) delete the generated keypair files (the public and private key) from your machine.
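
The key-handling steps above for the OSX/Linux path (generate the pair, keep the two halves straight, delete them afterwards) as one script. This is an added example, not part of the original page or GLuaTest's own tooling; the gluatest-deploy-key comment and the deploy_key.sh file name are assumptions.

```sh
#!/bin/sh
# Added example, not GLuaTest's own tooling. The comment string and the
# file name in the usage line are assumptions.

# Create an unencrypted ed25519 keypair at path $1. Same flags as the page's
# command, plus -N "" (empty passphrase, no prompt) and -C (a label that
# stays attached to the public key). Refuses to overwrite an existing key.
make_keypair() {
    [ ! -e "$1" ] || return 1
    ssh-keygen -q -o -a 100 -t ed25519 -N "" -C "gluatest-deploy-key" -f "$1"
}

# Succeed only if $1 is a private key whose public half is the key in $2.
# Fails when the two files are swapped or belong to different pairs.
keypair_matches() {
    derived=$(ssh-keygen -y -f "$1" 2>/dev/null </dev/null | awk '{print $1, $2}')
    stored=$(awk 'NR == 1 {print $1, $2}' "$2")
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# Print the SHA256 fingerprint of the public key file $1, for comparison
# with the fingerprint listed on The Dependency's "Deploy Keys" page.
fingerprint() {
    ssh-keygen -l -E sha256 -f "$1" | awk '{print $2}'
}

# Delete both halves once the Secret and the Deploy Key have been saved.
remove_keypair() {
    rm -f "$1" "$1.pub"
}

# Usage: sh deploy_key.sh ~/gluatest_example
if [ -n "${1:-}" ]; then
    make_keypair "$1" || { echo "refusing: $1 exists or keygen failed" >&2; exit 1; }
    keypair_matches "$1" "$1.pub" || { echo "key files do not match" >&2; exit 1; }
    echo "Private key, paste into the SSH_PRIVATE_KEY secret: $1"
    echo "Public key, paste into Deploy Keys:                 $1.pub"
    echo "Fingerprint of the public key:                      $(fingerprint "$1.pub")"
    echo "After saving both, run: rm -f \"$1\" \"$1.pub\""
fi
```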