如何在GitHub Actions模块源调用链中进行身份验证和授权。

huangapple go评论67阅读模式
英文:

How to authenticate and authorize in GitHub Actions chains of module source calls

问题

I have 3 private repositories (A, B, C) with 2fa. I'm a user in the organization but I don't own it.
我有3个私有存储库(A、B、C),带有两因素身份验证(2FA)。我是组织中的用户,但我不是所有者。

I have the following chain of module calls in Terraform:
我在Terraform中有以下模块调用链:

Repo A --main.tf ---module "client" { source = "github.com/myorg/RepoB//"
Repo B --main.tf ---module "databases" { source = "github.com/myorg/RepoC//"}

When I run "terraform init" locally, I get prompted for the private key for my ssh keyfile for use for each of the repositories, in other words 3 times and everything works.
当我在本地运行“terraform init”时,我会被提示输入SSH密钥文件的私钥,以供每个存储库使用,换句话说,需要输入3次,一切正常。

When I try to execute that chain in GitHub actions, the error message is:
当我尝试在GitHub actions中执行该链时,出现以下错误消息:
Could not download module ... fatal: could not read Username for 'https://github.com'

I then changed all my references to modules from "github.com/myorg/RepoC//" to "git::ssh://myorg@github.com/RepoC//" and installed the ssh keys on the runner first via knowhosts and id_res files and later via sshagent. The error on the GitHub Action runner was:
然后,我将所有对模块的引用从“github.com/myorg/RepoC//”更改为“git::ssh://myorg@github.com/RepoC//”,并首先通过knowhosts和id_res文件以及后来通过sshagent在运行程序上安装了SSH密钥。GitHub Action运行程序上的错误是:
Cloning into '.terraform/modules/client_instance'... │ myorg@github.com: Permission denied (publickey). │ fatal: Could not read from remote repository.

When I attempted to run that locally, I didn't get prompted and it just failed with permission denied (public key)
当我尝试在本地运行时,没有提示我,只是出现了权限被拒绝(公钥)的错误。

My questions are:
我的问题是:

  1. what is the correct or preferred way to refer to modules in other repositories, even when they are in the same organization.
  2. 引用其他存储库中的模块的正确或首选方式是什么,即使它们在同一个组织中也是如此。
  3. how should the handling of ssh keys be accomplished. I tried deployment keys but may have misunderstood their use. When I set up deployment keys, I gave the repo A the private portion of the key and the repo B the public portion of the key assuming that the repo B will want to know whether repo A is authorized. That failed.
  4. 如何处理SSH密钥。我尝试了部署密钥,但可能误解了它们的用途。当我设置部署密钥时,我将私钥的部分分配给了Repo A,将公钥的部分分配给了Repo B,假设Repo B想要知道Repo A是否被授权。但是这种方法失败了。
英文:

I have 3 private repositories (A, B, C) with 2fa. I'm a user in the organization but I don't own it.
I have the following chain of module calls in Terraform:

Repo A
--main.tf
---module "client" { source = "github.com/myorg/RepoB//"

Repo B
--main.tf
---module "databases" { source = "github.com/myorg/RepoC//"

When I run "terraform init" locally, I get prompted for the private key for my ssh keyfile for use for each of the repositories, in other words 3 times and everything works.

When I try to execute that chain in GitHub actions, the error message is:

Could not download module ... fatal: could not read Username for 'https://github.com'

I then changed all my references to modules from "github.com/myorg/RepoC//" to "git::ssh://myorg@github.com/RepoC//" and installed the ssh keys on the runner first via knowhosts and id_res files and later via sshagent. The error on the GitHub Action runner was:

Cloning into '.terraform/modules/client_instance'...
│ myorg@github.com: Permission denied (publickey).
│ fatal: Could not read from remote repository.

When I attempted to run that locally, I didn't get prompted and it just failed with permission denied (public key)

My questions are:

  1. what is the correct or preferred way to refer to modules in other repositories, even when they are in the same organization.
  2. how should the handling of ssh keys be accomplished. I tried deployment keys but may have misunderstood their use. When I set up deployment keys, I gave the repo A the private portion of the key and the repo B the public portion of the key assuming that the repo B will want to know whether repo A is authorized. That failed.

答案1

得分: 0

基于Terraform / Module Sources / GitHub,你应该使用一个SSH URL

source = "git@github.com:myorg/RepoB.git"

(结尾的'/'应该不需要)

关于SSH密钥和GitHub Actions,你可以:

  1. 如果还没有的话,生成一个SSH密钥对。
  2. 将公钥添加到你的GitHub账户设置中。
  3. 在你的GitHub Actions工作流中使用webfactory/ssh-agent action来设置SSH代理与私钥,私钥应存储为GitHub仓库设置中的秘密。

以下是更新后的GitHub Actions示例工作流配置:

name: Terraform

on:
  push:
    branches:
      - main

jobs:
  terraform:
    runs-on: ubuntu-latest

    steps:
    - name: Checkout repository
      uses: actions/checkout@v2

    - name: Set up SSH agent
      uses: webfactory/ssh-agent@v0.5.4
      with:
        ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}

    - name: Set up Terraform
      uses: hashicorp/setup-terraform@v1.3.2

    - name: Terraform Init
      run: terraform init

用你的私钥所在的秘密替换SSH_PRIVATE_KEY

英文:

Based on Terraform / Module Sources / GitHub, you should use an SSH URL

source = "git@github.com:myorg/RepoB.git"

(Trailing '/' should not be needed)

Now, regarding the SSH keys and GitHub Actions, you can:

  1. Generate an SSH key pair if you haven't already.
  2. Add the public key to your GitHub account settings.
  3. Use the webfactory/ssh-agent action in your GitHub Actions workflow to set up the SSH agent with the private key, which should be stored as a secret in your GitHub repository settings.

Here's the updated sample workflow configuration for your GitHub Actions:

name: Terraform

on:
  push:
    branches:
      - main

jobs:
  terraform:
    runs-on: ubuntu-latest

    steps:
    - name: Checkout repository
      uses: actions/checkout@v2

    - name: Set up SSH agent
      uses: webfactory/ssh-agent@v0.5.4
      with:
        ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}

    - name: Set up Terraform
      uses: hashicorp/setup-terraform@v1.3.2

    - name: Terraform Init
      run: terraform init

Replace SSH_PRIVATE_KEY with the name of the secret containing your private key.

huangapple
  • 本文由 发表于 2023年5月10日 23:01:29
  • 转载请务必保留本文链接:https://go.coder-hub.com/76219968.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定