
Git Permission denied (publickey) when accessing server through Github Actions CI/CD

When I connect to my server through my local computer I can successfully connect to Github using ssh.

I used this tutorial to set up the ssh keys.

However, when using Github actions I get this error:

err: git@github.com: Permission denied (publickey).
err: fatal: Could not read from remote repository.
err: 
err: Please make sure you have the correct access rights
err: and the repository exists.

This is my Github actions YML:

name: CI App to DO

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

jobs:
  deploy-do:
    runs-on: ubuntu-latest
    steps:
      - name: SSH to server and Deploy App
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.SSH_HOST }}
          username: ${{ secrets.SSH_USERNAME }}
          key: ${{ secrets.SSH_KEY }}
          port: ${{ secrets.SSH_PORT }}
          script: |
            cd ~/app
            git pull origin master
            npm run build
            pm2 restart next

When running ssh-add -l on the server through my local machine I get my key but when doing the same through the Github actions workflow I get:

The agent has no identities.

My server is hosted on a Digital Ocean Droplet using Ubuntu 20.04. As stated previously, this works great when connecting to my server through my local machine and doing the git pull there. I use MobaXterm for connecting to my droplet.


Edit: I am able to make this work when not using a passphrase.

On my local machine I'm using MobaXterm.

Adrian Gonzalez asked Sep 11 '25 06:09


2 Answers

Since the passphrase seems to be the issue, you might need to add your key to the ssh agent in your GitHub Action workflow.
See as an example "Using a SSH deploy key in GitHub Actions to access private repositories" from Matthias Pigulla, which proposes:

# .github/workflows/my-workflow.yml
# ... other config here
jobs:
    build:
        runs-on: ubuntu-18.04
        steps:
            -   uses: actions/checkout@v1

            -   name: Setup SSH Keys and known_hosts
                env:
                    SSH_AUTH_SOCK: /tmp/ssh_agent.sock
                run: |
                    mkdir -p ~/.ssh
                    ssh-keyscan github.com >> ~/.ssh/known_hosts
                    ssh-agent -a $SSH_AUTH_SOCK > /dev/null
                    ssh-add - <<< "${{ secrets.SSH_PRIVATE_KEY }}"

            -   name: Some task that fetches dependencies
                env:
                    SSH_AUTH_SOCK: /tmp/ssh_agent.sock
                run: ./fetch-deps.sh

But he has also defined since then actions/webfactory-ssh-agent

This action

  • starts the ssh-agent,
  • exports the SSH_AUTH_SOCK environment variable,
  • loads a private SSH key into the agent and
  • configures known_hosts for GitHub.com.

VonC answered Sep 13 '25 19:09
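
The failure mode discussed above (a passphrase-protected key on the server plus "The agent has no identities." in the workflow's session) can be checked before `git pull` runs. This is an added example, not code from the question or either answer; the function names are hypothetical and it assumes POSIX sh with coreutils `base64` and `od` on the server.

```shell
#!/bin/sh
# Added example (constructed; function names are hypothetical).
# Assumes POSIX sh plus coreutils base64 and od on the server.

# Hex of the OpenSSH private-key magic "openssh-key-v1\0"; an unencrypted
# key follows it with the length-prefixed cipher name "none".
MAGIC=6f70656e7373682d6b65792d763100
PLAIN=${MAGIC}000000046e6f6e65

# Print encrypted | unencrypted | unknown for private key file $1.
key_encryption_state() {
    [ -r "$1" ] || { echo unknown; return; }
    case $(head -n 1 "$1") in
    "-----BEGIN OPENSSH PRIVATE KEY-----"*)
        prefix=$(grep -v '^-----' "$1" | tr -d ' \r\n' |
                 base64 -d 2>/dev/null | od -An -tx1 -N23 | tr -d ' \n')
        case $prefix in
        "$PLAIN") echo unencrypted ;;
        "$MAGIC"*) echo encrypted ;;
        *) echo unknown ;;
        esac ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----"*) echo encrypted ;;
    "-----BEGIN "*"PRIVATE KEY-----"*)
        # Legacy PEM flags passphrase protection in a header line.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted
        else echo unencrypted; fi ;;
    *) echo unknown ;;
    esac
}

# True only if an agent is reachable and holds a key. ssh-add -l exits 1
# for "The agent has no identities" and 2 when no agent can be contacted.
agent_has_identities() {
    command -v ssh-add >/dev/null 2>&1 && ssh-add -l >/dev/null 2>&1
}

# Verdict for a session with no terminal to type a passphrase into.
preflight() {
    case $(key_encryption_state "$1") in
    unencrypted) echo "ok: key usable without a passphrase" ;;
    encrypted)
        if agent_has_identities; then echo "ok: agent holds identities"
        else echo "fail: encrypted key, agent has no identities"; return 1
        fi ;;
    *) echo "fail: cannot read or recognise key"; return 1 ;;
    esac
}

if [ $# -gt 0 ]; then preflight "$1"; fi
```

Run it with the path of the key the server uses for GitHub as its argument. A non-empty agent does not prove that it holds this particular key, so an "ok" for an encrypted key still needs confirming by comparing fingerprints.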


For this, you can add an extra step in your eas-pipeline.yml file after the Checkout step.

      - name: Checkout
        uses: actions/checkout@v2
        with:
          persist-credentials: false

*******************************************************************************

      - name: Reconfigure git to use HTTP authentication
        run: >
          git config --global url."https://github.com/".insteadOf
          ssh://git@github.com/

*******************************************************************************

Here's the original answer: https://github.com/actions/setup-node/issues/214


Warning March 2023:

"GitHub has updated its RSA SSH host key"


sakshya73 answered Sep 13 '25 20:09