From da14b2e266d252c8455fa9eaedf1476234c0b146 Mon Sep 17 00:00:00 2001
From: Roman Naumenko
Date: Wed, 28 Apr 2021 09:10:54 +1000
Subject: [PATCH 1/2] Added keys setup for private packages
---
 Dockerfile | 2 +-
 README.md | 26 ++++++++++++++++++++++++++
 action.yml | 10 ++++++++++
 entrypoint.sh | 35 +++++++++++++++++++++++++++++++++++
 4 files changed, 72 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 0f10ce3..0471999 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,7 @@ LABEL "maintainer"="Matt Brown "
 # Install Tini - https://github.com/krallin/tini
-RUN apk add --no-cache tini git
+RUN apk add --no-cache tini git openssh-client
 COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
diff --git a/README.md b/README.md
index 4e03d7c..a29ea8c 100644
--- a/README.md
+++ b/README.md
@@ -72,3 +72,29 @@ These are both set to false by default.
+ composer_require_dev: true
+ composer_ignore_platform_reqs: true
 ```
+
+
+Auth for private composer repositories
+-------------------------------
+If you have private composer dependencies, SSH authentication must be used. Generate an SSH key pair for this purpose and add it to your private repository's configuration, preferable with only read-only privileges. On Github for instance, this can be done by using [deploy keys][deploy-keys].
+
+Add the key pair to your project using [Github Secrets][secrets], and pass them into this action by using the `ssh_key` and `ssh_key_pub` inputs. If your private repository is stored on another server than github.com, you also need to pass the domain via `ssh_domain`.
+
+Example:
+
+```yaml
+jobs:
+ build:
+
+ ...
+
+ - name: Psalm
+ uses: docker://vimeo/psalm-github-actions
+ with:
+ ssh_key: ${{ secrets.SOME_PRIVATE_KEY }}
+ ssh_key_pub: ${{ secrets.SOME_PUBLIC_KEY }}
+ # Optional:
+ ssh_domain: my-own-github.com
+```
+
+github.com, gitlab.com and bitbucket.org are automatically added to the list of SSH known hosts. You can provide your own domain via `ssh_domain` input.
\ No newline at end of file
diff --git a/action.yml b/action.yml
index b15939f..32e5a2f 100644
--- a/action.yml
+++ b/action.yml
@@ -28,6 +28,16 @@ inputs:
 required: false
 default: false
 description: 'Whether or not the --ignore-platform-reqs flag is passed to Composer'
+ ssh_key:
+ description: The private key contents to use for private repositories
+ required: false
+ ssh_key_pub:
+ description: The public key contents to use for private repositories
+ required: false
+ ssh_domain:
+ description: The domain to gather SSH public keys for (automatic for github.com, gitlab.com, bitbucket.org)
+ required: false
+
 runs:
 using: 'docker'
diff --git a/entrypoint.sh b/entrypoint.sh
index 577be07..290c353 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -11,6 +11,41 @@ if [ ! -z "$INPUT_REPORT_FILE" ]; then
 REPORT="--report=$INPUT_REPORT_FILE"
 fi
+if [ -n "$INPUT_SSH_KEY" ]
+then
+ echo "::group::Keys setup for private repositories"
+
+ echo "Keyscan:"
+ mkdir -p /tmp/.ssh
+ ssh-keyscan -t rsa github.com >> /tmp/.ssh/known_hosts
+ ssh-keyscan -t rsa gitlab.com >> /tmp/.ssh/known_hosts
+ ssh-keyscan -t rsa bitbucket.org >> /tmp/.ssh/known_hosts
+
+ if [ -n "$INPUT_SSH_DOMAIN" ]
+ then
+ ssh-keyscan -t rsa "$INPUT_SSH_DOMAIN" >> /tmp/.ssh/known_hosts
+ fi
+ echo "Installing keys for root:"
+
+ echo "$INPUT_SSH_KEY" > /tmp/.ssh/action_rsa
+ echo "$INPUT_SSH_KEY_PUB" > /tmp/.ssh/action_rsa.pub
+ chmod 600 /tmp/.ssh/action_rsa
+
+ echo "Private key hash:"
+ md5sum /tmp/.ssh/action_rsa
+ echo "Public key hash:"
+ md5sum /tmp/.ssh/action_rsa.pub
+
+ echo "sshCommand = \"ssh -i /tmp/.ssh/action_rsa -o UserKnownHostsFile=/tmp/.ssh/known_hosts -vvvv\"" >> ~/.gitconfig
+ echo "[core]" >> ~/.gitconfig
+ git config --list
+ echo "OK"
+
+ echo "::endgroup::"
+else
+ echo "No private keys supplied"
+fi
+
 if test -f "composer.json"; then
 IGNORE_PLATFORM_REQS=""
 if [ "$CHECK_PLATFORM_REQUIREMENTS" = "false" ] || [ "$INPUT_COMPOSER_IGNORE_PLATFORM_REQS" = "false" ]; then
From 14e5d7cd09e1c49b5da812db2e02f62acadbf4a5 Mon Sep 17 00:00:00 2001
From: Roman Naumenko
Date: Wed, 28 Apr 2021 09:18:52 +1000
Subject: [PATCH 2/2] Cleanup
---
 entrypoint.sh | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/entrypoint.sh b/entrypoint.sh
index 290c353..4e8e1dc 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -25,7 +25,7 @@ then
 then
 ssh-keyscan -t rsa "$INPUT_SSH_DOMAIN" >> /tmp/.ssh/known_hosts
 fi
- echo "Installing keys for root:"
+ echo "Installing keys:"
 echo "$INPUT_SSH_KEY" > /tmp/.ssh/action_rsa
 echo "$INPUT_SSH_KEY_PUB" > /tmp/.ssh/action_rsa.pub
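Review bot: The private key is written by `echo "$INPUT_SSH_KEY" > /tmp/.ssh/action_rsa` under whatever umask the container inherits and only tightened afterwards by `chmod 600`, and `mkdir -p /tmp/.ssh` leaves the directory at default permissions too; putting `umask 077` before the `mkdir` (or using `install -d -m 700 /tmp/.ssh`) closes that window, and `printf '%s\n' "$INPUT_SSH_KEY"` avoids shell-dependent `echo` handling of leading dashes and backslashes in the key body (the script's shebang is not visible here). The `md5sum /tmp/.ssh/action_rsa` line prints a digest derived from the secret into the job log; `ssh-keygen -lf /tmp/.ssh/action_rsa.pub` identifies the key pair from the public half alone and is the usual thing to log. The `ssh-keyscan` calls populate known_hosts from whatever answers on the network at run time and their exit status is not checked, so a failed or intercepted scan leaves the file empty or wrong without any signal; shipping pinned host keys for the three default providers in the image and checking each scan for the custom domain would make the host-key check meaningful. Whether `set -e` is in effect for this block starts outside the hunk.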
@@ -36,11 +36,10 @@ then
 echo "Public key hash:"
 md5sum /tmp/.ssh/action_rsa.pub
- echo "sshCommand = \"ssh -i /tmp/.ssh/action_rsa -o UserKnownHostsFile=/tmp/.ssh/known_hosts -vvvv\"" >> ~/.gitconfig
 echo "[core]" >> ~/.gitconfig
- git config --list
- echo "OK"
+ echo "sshCommand = \"ssh -i /tmp/.ssh/action_rsa -o UserKnownHostsFile=/tmp/.ssh/known_hosts\"" >> ~/.gitconfig
+ echo "OK"
 echo "::endgroup::"
 else
 echo "No private keys supplied"
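Review bot: The new `sshCommand` line selects the deploy key and the known_hosts file but passes neither `-o IdentitiesOnly=yes`, so ssh may still offer any agent or default identities before the intended key, nor `-o StrictHostKeyChecking=yes`, so a host missing from the keyscan output is left to ssh's default prompt handling rather than an explicit refusal; `ssh -i /tmp/.ssh/action_rsa -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/tmp/.ssh/known_hosts` states the intent. Appending raw `[core]` and `sshCommand = ...` lines with `echo >>` also duplicates the section whenever ~/.gitconfig already contains one; `git config --global core.sshCommand "..."` sets the same value without hand-editing the file. The enclosing `if [ -n "$INPUT_SSH_KEY" ]` block begins outside this hunk.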