ssh-key-action/README.md

# Install SSH Key

[![Build][image-build]][link-build]
[![Windows][image-verify-windows]][link-verify-windows]
[![macOS][image-verify-macos]][link-verify-macos]
[![Ubuntu][image-verify-ubuntu]][link-verify-ubuntu]
[![Ubuntu 16.04][image-verify-ubuntu1604]][link-verify-ubuntu1604]
[![Release][image-release]][link-release]
[![License][image-license]][link-license]
[![Stars][image-stars]][link-stars]

This action installs SSH key in `~/.ssh`.

Useful for SCP, SFTP, and `rsync` over SSH in deployment script.

**Works on all [virtual environment](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/virtual-environments-for-github-hosted-runners#supported-runners-and-hardware-resources) -- Windows, macOS, Ubuntu and Ubuntu 16.04.**

## Usage

Add your SSH key to your product secrets by clicking `Settings` - `Secrets` - `Add a new secret` beforehand.

**NOTE:** OPENSSH format (key begins with `-----BEGIN OPENSSH PRIVATE KEY-----`) may not work due to OpenSSH version on VM. Please use PEM format (begins with `-----BEGIN RSA PRIVATE KEY-----`) instead.

```yaml
runs-on: ubuntu-latest
steps:
- name: Install SSH key
  uses: shimataro/ssh-key-action@v1
  with:
    private-key: ${{ secrets.SSH_KEY }}
    name: id_rsa # optional
    known-hosts: ${{ secrets.KNOWN_HOSTS }} # known_hosts; optional
    config: ${{ secrets.CONFIG }} # ssh_config; optional
- name: rsync over ssh
  run: rsync ./foo/ user@remote:bar/
```

See [Workflow syntax for GitHub Actions](https://help.github.com/en/articles/workflow-syntax-for-github-actions) for details.

### Install multiple keys

If you want to install multiple keys, call this action multiple times.
It is useful for port forwarding.

**NOTE:**  When this action is called multiple times, **the contents of `known-hosts` and `config` will be appended**. `private-key` must be saved as different name, by using `name` option.

```yaml
runs-on: ubuntu-latest
steps:
- name: Install SSH key of bastion
  uses: shimataro/ssh-key-action@v1
  with:
    private-key: ${{ secrets.SSH_KEY_OF_BASTION }}
    name: id_rsa-bastion
    known-hosts: ${{ secrets.KNOWN_HOSTS_OF_BASTION }}
    config: |
      Host bastion
        HostName xxx.xxx.xxx.xxx
        User user-of-bastion
        IdentityFile ~/.ssh/id_rsa-bastion
- name: Install SSH key of target
  uses: shimataro/ssh-key-action@v1
  with:
    private-key: ${{ secrets.SSH_KEY_OF_TARGET }}
    name: id_rsa-target
    known-hosts: ${{ secrets.KNOWN_HOSTS_OF_TARGET }} # will be appended!
    config: |                                         # will be appended!
      Host target
        HostName yyy.yyy.yyy.yyy
        User user-of-target
        IdentityFile ~/.ssh/id_rsa-target
        ProxyCommand ssh -W %h:%p bastion
- name: SCP via port-forwarding
  run: scp ./foo/ target:bar/
```

## Q&A

### SSH failed even though key has been installed.

Check belows:

* `Load key "/HOME/.ssh/id_rsa": invalid format`:
    * OPENSSH format (key begins with `-----BEGIN OPENSSH PRIVATE KEY-----`) may not work.
    * Use PEM format (begins with `-----BEGIN RSA PRIVATE KEY-----`).
* `Host key verification failed.`:
    * Set `known-hosts` option or use `ssh -o StrictHostKeyChecking=no`.
    * The former is **HIGHLY** recommended for security reason.
    * I'm planning to make `known-hosts` required in v2.

### How do I use encrypted SSH key?

This action doesn't support encrypted key directly.
Here are some solutions:

* decrypting key beforehand: best bet, and works on any VM
* `sshpass` command: next best bet, but not supported on Windows
* `expect` command: be careful not to expose passphrase to console
* `SSH_ASKPASS` environment variable: might be troublesome

### Which one is the best way for transferring files, "direct SCP/SFTP/rsync" or "SCP/SFTP/rsync via bastion"?

I recommend **rsync via bastion**.
It has some advantages over other methods:

* "Rsync via bastion" doesn't require to update workflow files and `secrets` even if it is necessary to transfer files to multiple servers.
    * Other methods require to update `known-hosts` if servers have changed.
* Rsync:
    * is fastest of all.
    * does **NOT** break files even if disconnected during transferring.
    * can remove files that don't exist on server.
* SCP is [deprecated by OpenSSH](https://www.openssh.com/txt/release-8.0) due to outdated and inflexible protocol.
* Using bastion is more secure because:
    * it is not necessarily to expose SSH port on servers to public.
        * Address filtering is less effective.
        * Because Azure address range is [very wide](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/virtual-environments-for-github-hosted-runners#ip-addresses-of-github-hosted-runners).
        * And will be updated continuously.
    * if security incident ―e.g., private key leaked― occurs, it's OK just to remove `authorized_keys` on bastion.

## License

The scripts and documentation in this project are released under the [MIT License](LICENSE)

## Changelog

See [CHANGELOG.md](CHANGELOG.md).

[image-build]: https://github.com/shimataro/ssh-key-action/workflows/Build/badge.svg?event=push&branch=v1
[link-build]: https://github.com/shimataro/ssh-key-action/actions?query=workflow%3ABuild
[image-verify-windows]: https://github.com/shimataro/ssh-key-action/workflows/Windows/badge.svg?event=push&branch=v1
[link-verify-windows]: https://github.com/shimataro/ssh-key-action/actions?query=workflow%3AWindows
[image-verify-macos]: https://github.com/shimataro/ssh-key-action/workflows/macOS/badge.svg?event=push&branch=v1
[link-verify-macos]: https://github.com/shimataro/ssh-key-action/actions?query=workflow%3AmacOS
[image-verify-ubuntu]: https://github.com/shimataro/ssh-key-action/workflows/Ubuntu/badge.svg?event=push&branch=v1
[link-verify-ubuntu]: https://github.com/shimataro/ssh-key-action/actions?query=workflow%3AUbuntu
[image-verify-ubuntu1604]: https://github.com/shimataro/ssh-key-action/workflows/Ubuntu%2016.04/badge.svg?event=push&branch=v1
[link-verify-ubuntu1604]: https://github.com/shimataro/ssh-key-action/actions?query=workflow%3A%22Ubuntu+16.04%22
[image-release]: https://img.shields.io/github/release/shimataro/ssh-key-action.svg
[link-release]: https://github.com/shimataro/ssh-key-action/releases
[image-license]: https://img.shields.io/github/license/shimataro/ssh-key-action.svg
[link-license]: ./LICENSE
[image-stars]: https://img.shields.io/github/stars/shimataro/ssh-key-action.svg
[link-stars]: https://github.com/shimataro/ssh-key-action/stargazers
Feature/name (#74) * * "Install SSH key" -> "Install SSH Key" * * update package.json 2020-01-18 19:20:37 +08:00			`# Install SSH Key`
* first action! (#1) 2019-09-18 19:39:54 +08:00
* change workflow name (#10) 2019-09-19 06:10:37 +08:00			`[![Build][image-build]][link-build]`
Feature/badges (#52) * * use different actions for verify * * add badges for every platforms 2019-12-31 09:56:18 +08:00			`[![Windows][image-verify-windows]][link-verify-windows]`
			`[![macOS][image-verify-macos]][link-verify-macos]`
Feature/ubuntu 16.04 (#55) * * Add test of Ubuntu 16.04 * * update README * * add badge 2019-12-31 12:23:55 +08:00			`[![Ubuntu][image-verify-ubuntu]][link-verify-ubuntu]`
			`[![Ubuntu 16.04][image-verify-ubuntu1604]][link-verify-ubuntu1604]`
Feature/readme (#9) * * add badges * * add link to CHANGELOG 2019-09-19 06:05:03 +08:00			`[![Release][image-release]][link-release]`
			`[![License][image-license]][link-license]`
* add stars badge (#54) 2020-01-18 10:23:25 +08:00			`[![Stars][image-stars]][link-stars]`
Feature/readme (#9) * * add badges * * add link to CHANGELOG 2019-09-19 06:05:03 +08:00
* "install into" -> "install in" (#76) 2020-01-18 20:25:09 +08:00			This action installs SSH key in `~/.ssh`.
* first action! (#1) 2019-09-18 19:39:54 +08:00
* update README (#22) 2019-09-22 14:30:47 +08:00			Useful for SCP, SFTP, and `rsync` over SSH in deployment script.
* first action! (#1) 2019-09-18 19:39:54 +08:00
Feature/ubuntu 16.04 (#55) * * Add test of Ubuntu 16.04 * * update README * * add badge 2019-12-31 12:23:55 +08:00			`Works on all [virtual environment](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/virtual-environments-for-github-hosted-runners#supported-runners-and-hardware-resources) -- Windows, macOS, Ubuntu and Ubuntu 16.04.`

* first action! (#1) 2019-09-18 19:39:54 +08:00			`## Usage`

			Add your SSH key to your product secrets by clicking `Settings` - `Secrets` - `Add a new secret` beforehand.

Feature/document (#92) * * update document * * update CHANGELOG * rerun CI 2020-01-25 09:09:55 +08:00			NOTE: OPENSSH format (key begins with `-----BEGIN OPENSSH PRIVATE KEY-----`) may not work due to OpenSSH version on VM. Please use PEM format (begins with `-----BEGIN RSA PRIVATE KEY-----`) instead.
* add note about key format (#86) 2020-01-22 22:50:32 +08:00
* first action! (#1) 2019-09-18 19:39:54 +08:00			```yaml
			`runs-on: ubuntu-latest`
			`steps:`
			`- name: Install SSH key`
			`uses: shimataro/ssh-key-action@v1`
			`with:`
* secret -> secrets (#14) 2019-09-22 06:58:50 +08:00			`private-key: ${{ secrets.SSH_KEY }}`
Feature/styles (#6) * * use tab for indent * * use double quotes for string * * use camelCase for variable * * use path.join() * * add JSDoc 2019-09-18 21:55:24 +08:00			`name: id_rsa # optional`
Feature/config (#39) * * add `config` option * * test feature/config * * update lib * * update test * * update README * * update SHA on verify * * fix SHA * * fix SHA * Revert "* update SHA on verify" This reverts commit ee52bcaa275a7df5514793b9873e9a3a322b6962. * * revert refs * * fix refs 2019-12-22 18:01:05 +08:00			`known-hosts: ${{ secrets.KNOWN_HOSTS }} # known_hosts; optional`
			`config: ${{ secrets.CONFIG }} # ssh_config; optional`
* first action! (#1) 2019-09-18 19:39:54 +08:00			`- name: rsync over ssh`
Feature/known_hosts (#25) * * add "known-hosts" option * * update CHANGELOG * * update README * * update actions.yml * * update example of known-hosts * * fix message 2019-09-29 12:18:35 +08:00			`run: rsync ./foo/ user@remote:bar/`
* first action! (#1) 2019-09-18 19:39:54 +08:00			```

			`See [Workflow syntax for GitHub Actions](https://help.github.com/en/articles/workflow-syntax-for-github-actions) for details.`

Feature/append config known hosts (#47) * * append to "config" and "known_hosts" instead of overwriting * * refactor options * * add test * * fix test * * print created files twice * * print the contents of known_hosts and config * * fix revision for test * * fix revision * * add LF to known_hosts / config * * append LF to config and known_hosts * * fix test * * reject overwriting private-key and public-key * * update test (will cause error) * * revert verify.yml * * update README and CHANGELOG * * fix example in README * * update CHANGELOG 2019-12-30 07:24:22 +08:00			`### Install multiple keys`

			`If you want to install multiple keys, call this action multiple times.`
			`It is useful for port forwarding.`

Feature/document (#92) * * update document * * update CHANGELOG * rerun CI 2020-01-25 09:09:55 +08:00			NOTE: When this action is called multiple times, the contents of `known-hosts` and `config` will be appended. `private-key` must be saved as different name, by using `name` option.
Feature/append config known hosts (#47) * * append to "config" and "known_hosts" instead of overwriting * * refactor options * * add test * * fix test * * print created files twice * * print the contents of known_hosts and config * * fix revision for test * * fix revision * * add LF to known_hosts / config * * append LF to config and known_hosts * * fix test * * reject overwriting private-key and public-key * * update test (will cause error) * * revert verify.yml * * update README and CHANGELOG * * fix example in README * * update CHANGELOG 2019-12-30 07:24:22 +08:00
			```yaml
			`runs-on: ubuntu-latest`
			`steps:`
			`- name: Install SSH key of bastion`
			`uses: shimataro/ssh-key-action@v1`
			`with:`
			`private-key: ${{ secrets.SSH_KEY_OF_BASTION }}`
			`name: id_rsa-bastion`
			`known-hosts: ${{ secrets.KNOWN_HOSTS_OF_BASTION }}`
			`config: \|`
			`Host bastion`
			`HostName xxx.xxx.xxx.xxx`
			`User user-of-bastion`
			`IdentityFile ~/.ssh/id_rsa-bastion`
			`- name: Install SSH key of target`
			`uses: shimataro/ssh-key-action@v1`
			`with:`
			`private-key: ${{ secrets.SSH_KEY_OF_TARGET }}`
			`name: id_rsa-target`
			`known-hosts: ${{ secrets.KNOWN_HOSTS_OF_TARGET }} # will be appended!`
			`config: \| # will be appended!`
			`Host target`
			`HostName yyy.yyy.yyy.yyy`
			`User user-of-target`
			`IdentityFile ~/.ssh/id_rsa-target`
			`ProxyCommand ssh -W %h:%p bastion`
			`- name: SCP via port-forwarding`
			`run: scp ./foo/ target:bar/`
			```

Feature/faq (#96) * * add FAQ * * update CHANGELOG * * update FAQ * * update FAQ * * update FAQ * * update FAQ * * add question * * update FAQ * * target -> server * * add FAQ * * fix some sendences * * fix sentense * * sending -> transferring * * update FAQ * * fix sendences * * update sentence * * fix sentences * * update sentences * * update sentence * * update sentences * * FAQ -> Q&A 2020-01-26 23:07:39 +08:00			`## Q&A`

			`### SSH failed even though key has been installed.`

			`Check belows:`

			* `Load key "/HOME/.ssh/id_rsa": invalid format`:
			* OPENSSH format (key begins with `-----BEGIN OPENSSH PRIVATE KEY-----`) may not work.
			* Use PEM format (begins with `-----BEGIN RSA PRIVATE KEY-----`).
			* `Host key verification failed.`:
			* Set `known-hosts` option or use `ssh -o StrictHostKeyChecking=no`.
			`* The former is HIGHLY recommended for security reason.`
			* I'm planning to make `known-hosts` required in v2.

			`### How do I use encrypted SSH key?`

			`This action doesn't support encrypted key directly.`
			`Here are some solutions:`

			`* decrypting key beforehand: best bet, and works on any VM`
			* `sshpass` command: next best bet, but not supported on Windows
			* `expect` command: be careful not to expose passphrase to console
			* `SSH_ASKPASS` environment variable: might be troublesome

			`### Which one is the best way for transferring files, "direct SCP/SFTP/rsync" or "SCP/SFTP/rsync via bastion"?`

			`I recommend rsync via bastion.`
			`It has some advantages over other methods:`

			* "Rsync via bastion" doesn't require to update workflow files and `secrets` even if it is necessary to transfer files to multiple servers.
			* Other methods require to update `known-hosts` if servers have changed.
			`* Rsync:`
			`* is fastest of all.`
			`* does NOT break files even if disconnected during transferring.`
			`* can remove files that don't exist on server.`
			`* SCP is [deprecated by OpenSSH](https://www.openssh.com/txt/release-8.0) due to outdated and inflexible protocol.`
			`* Using bastion is more secure because:`
			`* it is not necessarily to expose SSH port on servers to public.`
			`* Address filtering is less effective.`
			`* Because Azure address range is [very wide](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/virtual-environments-for-github-hosted-runners#ip-addresses-of-github-hosted-runners).`
			`* And will be updated continuously.`
			* if security incident ―e.g., private key leaked― occurs, it's OK just to remove `authorized_keys` on bastion.

* first action! (#1) 2019-09-18 19:39:54 +08:00			`## License`

			`The scripts and documentation in this project are released under the [MIT License](LICENSE)`
Feature/readme (#9) * * add badges * * add link to CHANGELOG 2019-09-19 06:05:03 +08:00
			`## Changelog`

			`See [CHANGELOG.md](CHANGELOG.md).`

* update badges for v1 (#89) 2020-01-25 07:17:40 +08:00			`[image-build]: https://github.com/shimataro/ssh-key-action/workflows/Build/badge.svg?event=push&branch=v1`
* update CI URL (#104) 2020-02-07 04:54:57 +08:00			`[link-build]: https://github.com/shimataro/ssh-key-action/actions?query=workflow%3ABuild`
* update badges for v1 (#89) 2020-01-25 07:17:40 +08:00			`[image-verify-windows]: https://github.com/shimataro/ssh-key-action/workflows/Windows/badge.svg?event=push&branch=v1`
* update CI URL (#104) 2020-02-07 04:54:57 +08:00			`[link-verify-windows]: https://github.com/shimataro/ssh-key-action/actions?query=workflow%3AWindows`
* update badges for v1 (#89) 2020-01-25 07:17:40 +08:00			`[image-verify-macos]: https://github.com/shimataro/ssh-key-action/workflows/macOS/badge.svg?event=push&branch=v1`
* update CI URL (#104) 2020-02-07 04:54:57 +08:00			`[link-verify-macos]: https://github.com/shimataro/ssh-key-action/actions?query=workflow%3AmacOS`
* update badges for v1 (#89) 2020-01-25 07:17:40 +08:00			`[image-verify-ubuntu]: https://github.com/shimataro/ssh-key-action/workflows/Ubuntu/badge.svg?event=push&branch=v1`
* update CI URL (#104) 2020-02-07 04:54:57 +08:00			`[link-verify-ubuntu]: https://github.com/shimataro/ssh-key-action/actions?query=workflow%3AUbuntu`
* update badges for v1 (#89) 2020-01-25 07:17:40 +08:00			`[image-verify-ubuntu1604]: https://github.com/shimataro/ssh-key-action/workflows/Ubuntu%2016.04/badge.svg?event=push&branch=v1`
* update CI URL (#104) 2020-02-07 04:54:57 +08:00			`[link-verify-ubuntu1604]: https://github.com/shimataro/ssh-key-action/actions?query=workflow%3A%22Ubuntu+16.04%22`
Feature/readme (#9) * * add badges * * add link to CHANGELOG 2019-09-19 06:05:03 +08:00			`[image-release]: https://img.shields.io/github/release/shimataro/ssh-key-action.svg`
			`[link-release]: https://github.com/shimataro/ssh-key-action/releases`
			`[image-license]: https://img.shields.io/github/license/shimataro/ssh-key-action.svg`
			`[link-license]: ./LICENSE`
* add stars badge (#54) 2020-01-18 10:23:25 +08:00			`[image-stars]: https://img.shields.io/github/stars/shimataro/ssh-key-action.svg`
			`[link-stars]: https://github.com/shimataro/ssh-key-action/stargazers`