mirror of https://github.com/actions/checkout.git
				
				
				
			revise adr to support ssh
This commit is contained in:
		
							parent
							
								
									f858c22e96
								
							
						
					
					
						commit
						2db432026a
					
				|  | @ -27,13 +27,27 @@ We want to take this opportunity to make behavioral changes, from v1. This docum | ||||||
|       event.  Otherwise, defaults to `master`. |       event.  Otherwise, defaults to `master`. | ||||||
|   token: |   token: | ||||||
|     description: > |     description: > | ||||||
|       Auth token used to fetch the repository. The token is stored in the local |       Personal access token (PAT) used to fetch the repository. The PAT is configured | ||||||
|       git config, which enables your scripts to run authenticated git commands. |       with the local git config, which enables your scripts to run authenticated git | ||||||
|       The post-job step removes the token from the git config. [Learn more about |       commands. The post-job step removes the PAT. [Learn more about creating and using | ||||||
|       creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets) |       encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets) | ||||||
|     default: ${{ github.token }} |     default: ${{ github.token }} | ||||||
|  |   ssh-key: | ||||||
|  |     description: > | ||||||
|  |       SSH key used to fetch the repository. SSH key is configured with the local | ||||||
|  |       git config, which enables your scripts to run authenticated git commands. | ||||||
|  |       The post-job step removes the SSH key. [Learn more about creating and using | ||||||
|  |       encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets) | ||||||
|  |   ssh-known-hosts: | ||||||
|  |     description: > | ||||||
|  |       Known hosts in addition to the user and global host key database. The public | ||||||
|  |       SSH keys for a host may be obtained using the utility `ssh-keyscan`. For example, | ||||||
|  |       `ssh-keyscan github.com`. The public key for github.com is always implicitly added. | ||||||
|  |   ssh-strict: | ||||||
|  |     description: 'Whether to perform strict host key checking' | ||||||
|  |     default: true | ||||||
|   persist-credentials: |   persist-credentials: | ||||||
|     description: 'Whether to persist the token in the git config' |     description: 'Whether to configure the token or SSH key with the local git config' | ||||||
|     default: true |     default: true | ||||||
|   path: |   path: | ||||||
|     description: 'Relative path under $GITHUB_WORKSPACE to place the repository' |     description: 'Relative path under $GITHUB_WORKSPACE to place the repository' | ||||||
|  | @ -49,6 +63,7 @@ We want to take this opportunity to make behavioral changes, from v1. This docum | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
| Note: | Note: | ||||||
|  | - SSH support is new | ||||||
| - `persist-credentials` is new | - `persist-credentials` is new | ||||||
| - `path` behavior is different (refer [below](#path) for details) | - `path` behavior is different (refer [below](#path) for details) | ||||||
| - `submodules` was removed (error if specified; add later if needed) | - `submodules` was removed (error if specified; add later if needed) | ||||||
|  | @ -63,19 +78,54 @@ Note: | ||||||
| 
 | 
 | ||||||
| ### Persist credentials | ### Persist credentials | ||||||
| 
 | 
 | ||||||
| Persist the token in the git config (http.extraheader). This will allow users to script authenticated git commands, like `git fetch`. | The credentials will be persisted on disk. This will allow users to script authenticated git commands, like `git fetch`. | ||||||
| 
 | 
 | ||||||
| A post script will remove the credentials from the git config (cleanup for self-hosted). | A post script will remove the credentials (cleanup for self-hosted). | ||||||
| 
 | 
 | ||||||
| Users may opt-out by specifying `persist-credentials: false` | Users may opt-out by specifying `persist-credentials: false` | ||||||
| 
 | 
 | ||||||
| Note: | Note: | ||||||
| - Users scripting `git commit` may need to set the username and email. The service does not provide any reasonable default value. Users can add `git config user.name <NAME>` and `git config user.email <EMAIL>`. We will document this guidance. | - Users scripting `git commit` may need to set the username and email. The service does not provide any reasonable default value. Users can add `git config user.name <NAME>` and `git config user.email <EMAIL>`. We will document this guidance. | ||||||
| - The auth header (stored in the repo's git config), is scoped to all of github `http.https://github.com/.extraheader` | 
 | ||||||
|  | #### PAT | ||||||
|  | 
 | ||||||
|  | When using the `${{github.token}}` or a PAT, the token will be persisted in the local git config. The config key `http.https://github.com/.extraheader` enables an auth header to be specified on all authenticated commands `AUTHORIZATION: basic <BASE64_U:P>`. | ||||||
|  | 
 | ||||||
|  | Note: | ||||||
|  | - The auth header is scoped to all of github `http.https://github.com/.extraheader` | ||||||
|   - Additional public remotes also just work. |   - Additional public remotes also just work. | ||||||
|   - If users want to authenticate to an additional private remote, they should provide the `token` input. |   - If users want to authenticate to an additional private remote, they should provide the `token` input. | ||||||
|   - Lines up if we add submodule support in the future. Don't need to worry about calculating relative URLs. Just works, although needs to be persisted in each submodule git config. |   - Lines up if we add submodule support in the future. Don't need to worry about calculating relative URLs. Just works, although needs to be persisted in each submodule git config. | ||||||
|   - Users opt out of persisted credentials (`persist-credentials: false`), or can script the removal themselves (`git config --unset-all http.https://github.com/.extraheader`). | 
 | ||||||
|  | #### SSH key | ||||||
|  | 
 | ||||||
|  | The SSH key will be written to disk under the `$RUNNER_TEMP` directory. The SSH key will | ||||||
|  | be removed by the action's post-job hook. Additionally, RUNNER_TEMP is cleared by the | ||||||
|  | runner between jobs. | ||||||
|  | 
 | ||||||
|  | The SSH key must be written with strict file permissions. The SSH client requires the file | ||||||
|  | to be read/write for the user, and not accessible by others. | ||||||
|  | 
 | ||||||
|  | The user host key database (`~/.ssh/known_hosts`) will be copied to a unique file under | ||||||
|  | `$RUNNER_TEMP`. And values from the input `ssh-known-hosts` will be added to the file. | ||||||
|  | 
 | ||||||
|  | The SSH command will be overridden for the local git config: | ||||||
|  | 
 | ||||||
|  | ```sh | ||||||
|  | git config core.sshCommand 'ssh -i "$RUNNER_TEMP/path-to-ssh-key" -o StrictHostKeyChecking=yes -o CheckHostIP=no -o "UserKnownHostsFile=$RUNNER_TEMP/path-to-known-hosts"' | ||||||
|  | ``` | ||||||
|  | 
 | ||||||
|  | When the input `ssh-strict` is set to `false`, the options `CheckHostIP` and `StrictHostKeyChecking` will not be overridden. | ||||||
|  | 
 | ||||||
|  | Note: | ||||||
|  | - When `ssh-strict` is set to `true` (default), the SSH option `CheckHostIP` can safely be disabled. | ||||||
|  |   Strict host checking verifies the server's public key. Therefore, IP verification is unnecessary | ||||||
|  |   and noisy. For example: | ||||||
|  |   > Warning: Permanently added the RSA host key for IP address '140.82.113.4' to the list of known hosts. | ||||||
|  | - Since GIT_SSH_COMMAND overrides core.sshCommand, temporarily set the env var when fetching the repo. When creds | ||||||
|  |   are persisted, core.sshCommand is leveraged to avoid multiple checkout steps stomping over each other. | ||||||
|  | - Modify actions/runner to mount RUNNER_TEMP to enable scripting authenticated git commands from a container action. | ||||||
|  | - Refer [here](https://linux.die.net/man/5/ssh_config) for SSH config details. | ||||||
| 
 | 
 | ||||||
| ### Fetch behavior | ### Fetch behavior | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
		Loading…
	
		Reference in New Issue
	
	 eric sciple
						eric sciple