Update README to clarify docker setup
I was implementing this using a docker build, and I ran into an issue that took me a while to debug, so wanted to add my knowledge here.
In addition to adding
# Copy the two files in place and fix different path/locations inside the Docker image
COPY root-config /root/
RUN sed 's|/home/runner|/root|g' -i.bak /root/.ssh/config
to the Dockerfile, you should also utilize an ssh mount with whichever command accesses the private repo. For my case, using Go, I changed
RUN go mod download
to
RUN --mount=type=ssh \
go mod download
This is in addition to the necessary changes in the GitHub Actions file.
The code I needed was linked in the README (https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh), but it might be helpful to add a note in the README.
On top of the --mount=type=ssh option I needed these lines in the Dockerfile:
RUN --mount=type=ssh mkdir -p -m 0700 ~/.ssh && \
rm -rf ~/.ssh/known_hosts && \
ssh-keyscan github.com >> ~/.ssh/known_hosts
Moreover, if the user running these commands is different from root, the --mount=type=ssh option must be complemented by --mount=type=ssh,uid=X,gid=Y where X is the correct UID and Y the GID.
You may want to put GitHub fingerprints somewhere in Actions variables/secrets and use those rather than keyscanning. With ssh-keyscan you are effectively open to MITM attack if somebody happens to already be in the middle before keyscan happens.
FYI @Jazzinghen
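As an added example (not code from this PR or the README it updates), the Dockerfile below combines the points raised in the thread: a pinned known_hosts file supplied as a BuildKit secret instead of a build-time ssh-keyscan, and an ssh mount with uid/gid set for a non-root build user. The secret id `github_known_hosts`, the user `builder` with UID/GID 1000, and the `example-org` GOPRIVATE pattern are assumptions; the known_hosts contents come from GitHub's published host keys, stored in an Actions secret.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not part of the original PR. Assumed names: secret id
# "github_known_hosts", build user "builder" (UID/GID 1000), org "example-org".
FROM golang:1.22 AS build

RUN groupadd -g 1000 builder && useradd -m -u 1000 -g 1000 builder
USER builder
WORKDIR /home/builder/src

# Copy the pinned host key entry into place. The file is passed at build time, e.g.
#   docker buildx build --secret id=github_known_hosts,src=known_hosts.txt .
# where known_hosts.txt holds GitHub's published host keys, kept in an Actions
# secret. No ssh-keyscan runs, so a key first seen during the build is never trusted.
RUN --mount=type=secret,id=github_known_hosts,required=true,uid=1000,gid=1000 \
    mkdir -p -m 0700 /home/builder/.ssh && \
    install -m 0600 /run/secrets/github_known_hosts /home/builder/.ssh/known_hosts

# Fail closed on any host key mismatch instead of prompting or updating the file.
ENV GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/home/builder/.ssh/known_hosts"
# Fetch private modules directly over SSH rather than through the public proxy.
ENV GOPRIVATE=github.com/example-org/*
RUN git config --global url."git@github.com:".insteadOf "https://github.com/"

COPY --chown=builder:builder go.mod go.sum ./
# The forwarded agent socket is mounted with the build user's UID/GID;
# without uid/gid the socket is root-owned and the non-root user cannot use it.
RUN --mount=type=ssh,uid=1000,gid=1000 go mod download
```

The `required=true` option makes the build fail early when the secret is not supplied, rather than silently producing an image with no known_hosts entry.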