Support for GitHub Deployment Keys #59
Conversation
mpdude
force-pushed
the
mapped-deploy-keys
branch
from
b0f75b2
to
cc3f2fc
Compare
mpdude
force-pushed
the
mapped-deploy-keys
branch
from
b076c88
to
9398f09
Compare
mpdude
force-pushed
the
mapped-deploy-keys
branch
from
53643c8
to
2aceb2b
Compare
|
I can't get this working for go or pip... it also requires me to update about 20 deploy keys in my various repos to have the required comment field 😩 I will try to dig in to this later this week. |
| @@ -175,6 +176,33 @@ try { | |||
| console.log("Keys added:"); | |||
| child_process.execSync('ssh-add -l', { stdio: 'inherit' }); | |||
|
|
|||
| child_process.execFileSync('ssh-add', ['-L']).toString().split(/\r?\n/).forEach(function(key) { | |||
| let parts = key.match(/\bgithub.com[:/](.*)(?:\.git)?\b/); | |||
There was a problem hiding this comment.
Yes, a deliberate and defensive measure to keep this feature scoped to GitHub, for now. Also, I was unsure what URLs for other services might look like and whether we'd need to adapt the parsing regex for them.
I don't know how widespread the restriction is to have deploy keys limited to one repo. A quick Google search turns up that at least BitBucket seems not to have this restriction.
There was a problem hiding this comment.
This is why I just had a separate list of URLs rather than trying to parse them out of certificate comments that are out of my control.
|
|
||
| let ownerAndRepo = parts[1]; | ||
| let sha256 = crypto.createHash('sha256').update(key).digest('hex'); | ||
|
|
There was a problem hiding this comment.
Nit: This obfuscates things when debugging/troubleshooting, which is why I had gone with the pseudo-host format.
This builds on the suggestions of @shaunco in #38 to support GitHub Deployment Keys that are scoped to single repositories.
When connecting to GitHub, the SSH client must fetch the right SSH key from the agent. Otherwise, the connection will be terminated with the error message
The idea is that each deployment key (which is passed as a secret) uses a key comment field like
Deploy key for [email protected]:owner/repo.After keys are loaded into the agent, the key comments are scanned. If they match
/\bgithub.com[:/](.*)(?:\.git)?\b/, two things happen:url.<base>.insteadof.This config will make
gitrequests to URLs starting with eitherhttps://github.com/owner/repoor[email protected]/owner/repobe redirected to a made-up URL like[email protected]...:owner/repo....some.hash...and will redirect it back togithub.com, applying the right SSH key.To choose the right SSH key, we're using the fact that the key identity (as returned from
ssh-add -L) can be used as well. This way, we can still avoid having to write private keys to disk at all.