Merge pull request #30 from bravik/keys-for-private-packages

Added abilty to provide SSH keys for loading private packages
psalm · Apr 28, 2021 · a5269d2 · a5269d2
2 parents d5548fa + 14e5d7c
commit a5269d2
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -13,7 +13,7 @@ LABEL "maintainer"="Matt Brown <[email protected]>"
 
 # Install Tini - https://github.com/krallin/tini
 
-RUN apk add --no-cache tini git
+RUN apk add --no-cache tini git openssh-client
 
 COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
 

diff --git a/README.md b/README.md
@@ -72,3 +72,29 @@ These are both set to false by default.
 +          composer_require_dev: true
 +          composer_ignore_platform_reqs: true
 ```
+
+
+Auth for private composer repositories
+-------------------------------
+If you have private composer dependencies, SSH authentication must be used. Generate an SSH key pair for this purpose and add it to your private repository's configuration, preferable with only read-only privileges. On Github for instance, this can be done by using [deploy keys][deploy-keys].
+
+Add the key pair to your project using  [Github Secrets][secrets], and pass them into this action by using the `ssh_key` and `ssh_key_pub` inputs. If your private repository is stored on another server than github.com, you also need to pass the domain via `ssh_domain`.
+
+Example:
+
+```yaml
+jobs:
+  build:
+
+    ...
+
+    - name: Psalm
+      uses: docker://vimeo/psalm-github-actions
+      with:
+        ssh_key: ${{ secrets.SOME_PRIVATE_KEY }}
+        ssh_key_pub: ${{ secrets.SOME_PUBLIC_KEY }}
+        # Optional:
+        ssh_domain: my-own-github.com 
+```
+
+github.com, gitlab.com and bitbucket.org are automatically added to the list of SSH known hosts. You can provide your own domain via `ssh_domain` input.
diff --git a/action.yml b/action.yml
@@ -28,6 +28,16 @@ inputs:
     required: false
     default: false
     description: 'Whether or not the --ignore-platform-reqs flag is passed to Composer'
+  ssh_key:
+    description: The private key contents to use for private repositories
+    required: false
+  ssh_key_pub:
+    description: The public key contents to use for private repositories
+    required: false
+  ssh_domain:
+    description: The domain to gather SSH public keys for (automatic for github.com, gitlab.com, bitbucket.org)
+    required: false
+
 
 runs:
   using: 'docker'

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -11,6 +11,40 @@ if [ ! -z "$INPUT_REPORT_FILE" ]; then
     REPORT="--report=$INPUT_REPORT_FILE"
 fi
 
+if [ -n "$INPUT_SSH_KEY" ]
+then
+    echo "::group::Keys setup for private repositories"
+
+    echo "Keyscan:"
+    mkdir -p /tmp/.ssh
+    ssh-keyscan -t rsa github.com >> /tmp/.ssh/known_hosts
+    ssh-keyscan -t rsa gitlab.com >> /tmp/.ssh/known_hosts
+    ssh-keyscan -t rsa bitbucket.org >> /tmp/.ssh/known_hosts
+
+    if [ -n "$INPUT_SSH_DOMAIN" ]
+    then
+      ssh-keyscan -t rsa "$INPUT_SSH_DOMAIN" >> /tmp/.ssh/known_hosts
+    fi
+    echo "Installing keys:"
+
+    echo "$INPUT_SSH_KEY" > /tmp/.ssh/action_rsa
+    echo "$INPUT_SSH_KEY_PUB" > /tmp/.ssh/action_rsa.pub
+    chmod 600 /tmp/.ssh/action_rsa
+
+    echo "Private key hash:"
+    md5sum /tmp/.ssh/action_rsa
+    echo "Public key hash:"
+    md5sum /tmp/.ssh/action_rsa.pub
+
+    echo "[core]" >> ~/.gitconfig
+    echo "sshCommand = \"ssh -i /tmp/.ssh/action_rsa -o UserKnownHostsFile=/tmp/.ssh/known_hosts\"" >> ~/.gitconfig
+
+    echo "OK"
+    echo "::endgroup::"
+else
+	  echo "No private keys supplied"
+fi
+
 if test -f "composer.json"; then
     IGNORE_PLATFORM_REQS=""
     if [ "$CHECK_PLATFORM_REQUIREMENTS" = "false" ] || [ "$INPUT_COMPOSER_IGNORE_PLATFORM_REQS" = "false" ]; then