Use deploy key in GitHub Actions to install dependency from private repo

Question

Dependencies in package.json:

"dependencies": {
    "my-repo": "git+ssh://github.com/org-name/my-repo.git"
  },

GitHub Actions:

name: Test
on: [push, pull_request]
jobs:
  test:
    name: Test
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Setup Node.js
        uses: actions/setup-node@v2
        with:
          node-version: 12
          registry-url: 'https://npm.pkg.github.com'
          scope: '@org-name'
      - uses: webfactory/[email protected]
        with:
          ssh-private-key: ${{ secrets.DEPLOY_KEY }}
      - name: Install dependencies
        run: yarn
      - name: Test
        run: yarn test

The DEPLOY_KEY in the GitHub Actions secrets is the private key and I've added the corresponding public key as a deploy key in the dependency repo.

I generated the key with ssh-keygen -m PEM -t rsa -b 4096 -C "ssh://github.com/org-name/my-repo.git" -f ./deploykey -q -N ""

Here's the failure I see in the GitHub Actions output:

Exit code: 128
Command: git
Arguments: ls-remote --tags --heads ssh://github.com/org-name/my-repo.git
Directory: /home/runner/work/auth-package/auth-package
Output:
Warning: Permanently added the RSA host key for IP address '140.82.112.4' to the list of known hosts.
[email protected]: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Really losing my mind on this one!

Answer 1

I don't know If I'm getting it right but to access to a different repo you need an access token. Therefore you need a Github Application with a private key secret. https://github.com/settings/apps

You need those three env variables in your workflow:

  - uses: actions/checkout@v2
  - name: get secrets
    env:
      PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
      APP_ID: ${{ secrets.APP_ID }}
      INSTALLATION_ID: ${{ secrets.INSTALLATION_ID }}

Then create your JWT (check your JWT here: https://jwt.io/) to create the access token via REST API

run: |
      PEM=$PRIVATE_KEY
      GITHUB_APP_ID=$APP_ID
      NOW=$( date +%s )
      IAT="${NOW}"
      EXP=$((${NOW} + 600))
      HEADER_RAW='{"alg":"RS256"}'
      HEADER=$( echo -n "${HEADER_RAW}" | openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n' )
      PAYLOAD_RAW='{"iat":'"${IAT}"',"exp":'"${EXP}"',"iss":'"${GITHUB_APP_ID}"'}'
      PAYLOAD=$( echo -n "${PAYLOAD_RAW}" | openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n' )
      HEADER_PAYLOAD="${HEADER}"."${PAYLOAD}"
      SIGNATURE=$( openssl dgst -sha256 -sign <(echo -n "${PEM}") <(echo -n "${HEADER_PAYLOAD}") | openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n' )
      JWT="${HEADER_PAYLOAD}"."${SIGNATURE}"

Then start your API CALL:

ACCESS_TOKEN=$(curl -sS -X POST \
      -H "Authorization: Bearer "$JWT"" \
      -H "Accept: application/vnd.github.v3+json" \
      https://github.com/api/v3/app/installations/"$INSTALLATION_ID"/access_tokens | grep -o '"token": "[^"]*' | grep -o '[^"]*$')

Then start with your Git Clone command:

git clone https://x-access-token:"$ACCESS_TOKEN"@github.com/../repo.git
      cd repo
      git config --global user.email "<email>"
      git config --global user.name "<name>"
      git branch upload
      git checkout upload
      git commit -m "update"
      git push --set-upstream origin upload

Then you can clone other repos in your current one for example. Be aware to grant the app access to the repos.