After update to 0.9.0: The ssh-private-key argument is empty ...

[hseeberger]

With the update of ssh-agent from 0.8.0 to 0.9.0, we are seeing The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file. in all of our repositories.

Before the update, everything worked fine. We are not using any cross-repository actions and the secret surely is configured.

[tagliala]

Before the update, everything worked fine. We are not using any cross-repository actions and the secret surely is configured.

I'm having this problem when upgrading from 0.7.0 to 0.8.0. v0.7.0 worked just fine

Run webfactory/[email protected]
Adding GitHub.com keys to /home/runner/.ssh/known_hosts
Starting ssh-agent
SSH_AUTH_SOCK=...
SSH_AGENT_PID=...
Adding private key(s) to agent
Identity added: (stdin) ((stdin))
Key(s) added:

Run webfactory/[email protected]
  with:
    log-public-key: true
Error: The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file.

config:

    - uses: webfactory/[email protected]
      with:
        ssh-private-key: ${{ secrets.SOME_KEY }}

I wanted to bisect the action to check the commit that broke the functionality for us, but if this also happen between 0.8 and 0.9 then I'm thinking that there is something else

---

edit: it worked after cleared all the action caches

[tagliala]

Another reason is that the action may be after checkout

steps:
- uses: actions/checkout@v4
- uses: webfactory/[email protected]
+ uses: webfactory/[email protected]
   with:
     ssh-private-key: ${{ secrets.SOME_KEY }}
+ uses: actions/checkout@v4

[agluszak]

I have the same problem.

[tagliala]

I can confirm this is still randomly happening. Unable to replicate

[cswolfdev]

I'm running into this problem as well and am out of ideas. I do not have anything cached.

[turboladen]

Running into this after updating from 0.8.0 -> 0.9.0. Clearing my Actions cache didn't resolve. Moving the checkout step to before the ssh-agent check resolved.

[tagliala]

Moving the checkout step to before the ssh-agent check resolved.

I still have random failures with this approach

Screen attached:

[turboladen]

Moving the checkout step to before the ssh-agent check resolved.

Well, turns out, like others have said, that this isn't a catch-all fix. I applied this fix on another repo, then updated actions/cache@3 to actions/cache@4 and started getting the error again.

Edit/update: I poked around the open Pull Requests here and came across this change to index.js, which seems to imply ssh-agent has problems if there isn't a newline at the end of the YAML value. In my cases so far, I was seeing failures with YAML that looked like

      - name: Setup SSH
        uses: webfactory/[email protected]
        with:
          ssh-private-key: ${{ secrets.MY_KEY }}

...changing to this resolved those:

      - name: Setup SSH
        uses: webfactory/[email protected]
        with:
          ssh-private-key: |
            ${{ secrets.MY_KEY }}

We'll see if that's a consistent workaround...

[tagliala]

      - name: Setup SSH
        uses: webfactory/[email protected]
        with:
          ssh-private-key: |
            ${{ secrets.MY_KEY }}

We'll see if that's a consistent workaround...

Not in my case :(

Just got a random failure

[kdambekalns]

TIL: There is a separate section in the GitHub UI for "Dependabot secrets", any workflow on a PR created by Dependabot does not have access to "regular" secrets. 🙈