Github actions - how to deploy to remote server using SSH

ssh github-actions
felixmosh picture felixmosh · Mar 1, 2020 · Viewed 8.8k times · Source

I've a staging server on DO.

I want to build & deploy my node app to it.

name: Build & Deploy
on:
  push:
    tags:
      - 'v1.*.0'
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Create SSH key
        run: |
          mkdir -p ~/.ssh/
          echo "$DO_GITHUB_PRIVATE_KEY" > ../github_do.key
          sudo chmod 600 ../github_do.key
          ssh-keyscan -H ${{secrets.DEPLOY_SERVER}} > ~/.ssh/known_hosts
        shell: bash
        env:
          DO_GITHUB_PRIVATE_KEY: ${{secrets.DO_GITHUB_PRIVATE_KEY}}
      - uses: actions/setup-node@v1
        with:
          node-version: 12.x
      - name: Install Packages
        run: yarn install --frozen-lockfile
      - name: Build artifacts
        env:
          DEPLOY_SSH_KEY_PATH: ${{ github.workspace }}/../github_do.key
        run: |
          yarn shipit production fast-deploy

What i've done is to generate a new SSH private & public keys.

The private key I've saved inside DO_GITHUB_PRIVATE_KEY github secret.

The public key I've added to authorized_keys on my staging server.

When the action is triggered, it fails on:

@ v***.256.0
Create release path "/home/***/***/releases/2020-03-0***-v***.256.0"
Running "mkdir -p /home/***/***/releases/2020-03-0***-v***.256.0" on host "***".
@***-err ***@***: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
'fast-deploy:updateRemote' errored after ***.32 s
Error: Command failed: ssh -i /home/runner/work/***/***/../github_do.key ***@*** "mkdir -p /home/***/***/releases/2020-03-0***-v***.256.0"

Answer

felixmosh picture felixmosh · Mar 1, 2020

I've solved it! Apparently keys were protected with passphrase 🤯.

This is the whole process:

  1. Genereate new keys

ssh-keygen -t rsa -b 4096 -C "user@host" -q -N ""

  1. Update your host's authorized_keys

    ssh-copy-id -i ~/.ssh/id_rsa.pub user@host

  2. Enter the server & run

ssh-keyscan host

  1. Copy the output to github secret (lets call it SSH_KNOWN_HOSTS)
  2. Copy the private key to a github secret (lets call it SSH_PRIVATE_KEY)

In your workflow.yml file

#workflow.yaml
...
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Create SSH key
        run: |
          mkdir -p ~/.ssh/
          echo "$SSH_PRIVATE_KEY" > ../private.key
          sudo chmod 600 ../private.key
          echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
        shell: bash
        env:
          SSH_PRIVATE_KEY: ${{secrets.SSH_PRIVATE_KEY}}
          SSH_KNOWN_HOSTS: ${{secrets.SSH_KNOWN_HOSTS}}
          SSH_KEY_PATH: ${{ github.workspace }}/../private.key

Then you can use ssh with ssh -i $SSH_KEY_PATH user@host

Hope this will save few hours to someone :]

Edit

Answer to comments (how to update github secrets)

In order add github secrets you have 2 options:

  1. Via GitHub ui, https://github.com/{user}/{repo}/settings/secrets/
  2. Via GitHub API, I'm using github-secret-dotenv lib to sync my secrets with my local .env file (pre action trigger)

Related questions

How can I extract secrets using GitHub Actions?

I have a fairly basic scenario. I made a dedicated ssh key for this purpose and added it to my repository secrets. Code gets pushed to master GitHub action uploads it to server using ssh by doing echo "${{ secrets.SSH_…

Read More
ssh "permissions are too open" error

I had a problem with my mac where I couldn't save any kind of file on the disk anymore. I had to reboot OSX lion and reset the permissions on files and acls. But now when I want to commit …

Read More
How to download a file from server using SSH?

I need to download a file from server to my desktop. (UBUNTU 10.04) I don't have a web access to the server, just ssh. If it helps, my OS is Mac OS X and iTerm 2 as a terminal.

Read More