Multiple deploy keys + docker build, ssh config missing

[danseely]

I'm in the same boat raised in Issue 78, and later defined in the Using the docker/build-push-action Action together with multiple Deploy Keys section of the readme. I.e., I need multiple ssh keys to be used as deploy keys for multiple Github repos, in the context of docker build.

The only difference between that and my use-case is that I'm not using the build-push-action, but manually building & pushing. I don't think that difference is related to the problem I'm seeing, but I could be wrong. I'm passing the ssh agent socket into the docker build manually like so:

- name: Build Docker image
  run: |
    DOCKER_BUILDKIT=1 docker build --ssh default=${{ env.SSH_AUTH_SOCK }} --tag our-stuff/our-stuff:tag --file our_dockerfile .

To verify, I have all 4 separate ssh public keys installed in 4 of our private repos as deploy keys, and the corresponding private keys installed in our org as CI secrets. We're running on our self-hosted runner, and using a base image we've made with some of the tools we need pre-installed.

I have my ssh setup in the action in the way defined in the README:

...
runs-on: [self-hosted]
container: /our/container/path/here:tag
steps:
- uses: actions/checkout@v3
- uses: webfactory/[email protected]
    with:
    ssh-private-key: |
        ${{ secrets.GH_DEPLOY_KEY_REPO_ONE }}
        ${{ secrets.GH_DEPLOY_KEY_REPO_TWO }}
        ${{ secrets.GH_DEPLOY_KEY_REPO_THREE }}
        ${{ secrets.GH_DEPLOY_KEY_REPO_FOUR }}

- name: Prepare git and ssh config for build context
    run: |
    mkdir root-config
    cp -r ~/.gitconfig ~/.ssh root-config/
...

And I added the relevant lines to my dockerfile:

COPY root-config /root/
RUN sed 's|/home/runner|/root|g' -i.bak /root/.ssh/config

However, I get this error on the sed command:

sed: can't read /root/.ssh/config: No such file or directory

When I add this to the workflow after the above blocks:

- name: Confirm original ssh directory
    run: |
    ls ~/.ssh

- name: Confirm copied ssh directory
  run: |
    ls root-config/.ssh

... it only shows known_hosts being present in both directories. And when I do the same ls in the dockerfile, same thing.

I feel like I'm probably looking right at the problem, but I can't see it.

[danseely]

I think I've figured this out. It seems like, in the context of the workflow, the action is placing the .gitconfig in ~/.gitconfig (which in my case resolves to /github/home/), but it's putting the ssh config file in /root/.ssh/config. So, the simple cp -r ~/.gitconfig ~/.ssh root-config/ isn't working; the ssh config isn't in ~/.ssh (which, again, is /github/home/.ssh), it's in /root/.ssh.

The solution was changing the cp command in the workflow to this:

- name: Prepare git and ssh config for build context
  run: |
    mkdir root-config
    cp -r ~/.gitconfig /root/.ssh root-config/

Then in the dockerfile, the git and ssh configs are in that root-config directory as expected.

I'm not sure how to determine whether this is due to the container I'm using for my workflow, or if it's just noted incorrectly in the docs, but I hope this is able to help anyone else that runs into this.

Leaving open in case it ends up being a pointer to a fix, I'll let the maintainer(s) handle closing as needed. Thanks for the great action!

[mpdude]

Oh noes! I lost sight of #145.

@danseely Would you mind checking if the changes over there would have helped you in the first place, and if so, help us getting that one finalized and merged?

[danseely]

Sorry, I was AFK for the U.S. holiday last week. I'll take a look at #145 this week, thanks!

[danseely]

OK added a comment over there. Tl;dr, that PR does not cover this issue.

[j-riebe]

@danseely seems like the root of your problem is located in this line. As stated in the comment above the line, the location of homePath might differ between "classic" github runners and docker based runners (as it is your case, if I understood correctly).

@mpdude would it be possible to expose the value of homePath + '/.ssh' as an output of the action? We should then be able to reference the location of the ssh config in the cp statement via env var interpolation.

[danseely]

@j-riebe yep, agreed, seems likely. I thought it was odd that however that the .gitconfig was in the directory that resolves to ~ in this context, but the .ssh directory wasn't. Maybe that's because the .gitconfig is pre-existing, and the .ssh directory is created by this action?

As far as adding output to the action, that would have helped me tremendously. Figuring out that the location of the .ssh directory was different than expected is what took me the longest to debug, and the error messages were quite unhelpful.

[mpdude]

Yes, if that helps, we can set it as an output. Looking forward to PRs!

It would be best if the PR includes documentation updates to mention the output and also explain (in the context of Docker builds?) how it is supposed to be used.

[ohbriansung]

Take a look at this: #164