
Jenkins pipeline ssh agent git push fails

Tags:

git

jenkins

In my Jenkins pipeline I can clone the repository fine, but using the SSH Agent plugin to push back a tag fails. I've made sure that the deploy key at GitHub has write access, so there seems to be some other problem...

pipeline {
   agent { docker { image 'node:8' } }

   stages {
      stage('Pull Repo') {
          steps {
            git (
                branch: 'master',
                credentialsId: 'cred-id',
                url: 'github.com:***'
            )
            sshagent(['github-omnia']) {
                sh("git tag -a \"release-2.3.${BUILD_NUMBER}\" -m \"Jenkins built ${BUILD_NUMBER}\"")
                sh("git push --tags")
            }
          }
      }
   }
}

Am I missing something?

Edit: Here's the console output for the error

[ssh-agent] Using credentials git (Access to Github-**)
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent]   Exec ssh-agent (binary ssh-agent on a remote machine)
$ docker exec a6cee721d592b10bb94abbde0471d24a4320dcd07362affb1f18454d6ebe028d ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-TI7dNVoYszsC/agent.12
SSH_AGENT_PID=17
Running ssh-add (command line suppressed)
Identity added: /var/jenkins_home/workspace/Build-And-Deploy-***@tmp/private_key_7884642190516796613.key (/var/jenkins_home/workspace/Build-And-Deploy-***@tmp/private_key_7884642190516796613.key)
[ssh-agent] Started.
[Pipeline] {
[Pipeline] sh
+ git config --global user.email jenkins@***.se
[Pipeline] sh
+ git config --global user.name Jenkins
[Pipeline] sh
+ git remote set-url origin git@github.com:***/***
[Pipeline] sh
+ git tag -a release-2.3.3 -m Jenkins built 3
[Pipeline] sh
+ git push origin --tags
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Daniel Setréus asked Dec 11 '19 12:12


1 Answer

I was looking for a way to do this without ignoring host verification entirely, and without modifying my Jenkins machine's known_hosts since I want to use docker. I ended up with something like this:

  1. In Jenkins, create a new credential of type "Secret text" (let's call it GITHUB_HOST_KEY), and set its value to be the host key, e.g.:
# gets the host for github and copies it. You can run this from
# any computer that has access to github.com (or whatever your
# git server is)
ssh-keyscan github.com | clip
  2. In your Jenkinsfile, save the string to known_hosts before using sshagent. Here's my pipeline; it takes a branch called master-v5 and generates a branch master-v5-dist which contains a number of build files.
pipeline {
    agent { docker { image 'node:14' } }

    stages {
        stage('Checkout') {
            steps {
                git branch: 'master-v5',
                    url: 'git@github.com:internetarchive/bookreader.git',
                    credentialsId: 'YOUR_GH_CREDENTIALS'
            }
        }
        stage('Build') { steps { sh 'npm install && npm run build' } }
        stage('Push') {
            steps {
                sh 'git config user.email "[email protected]"'
                sh 'git config user.name "Mr. Foo Bar"'
                
                sh 'git add BookReader'
                sh 'git commit -m "Build files [ci skip]"'

                withCredentials([string(credentialsId: 'GITHUB_HOST_KEY', variable: 'GITHUB_HOST_KEY')]) {
                    sh 'mkdir -p ~/.ssh && echo "$GITHUB_HOST_KEY" >> ~/.ssh/known_hosts'
                }
                sshagent (credentials: ['YOUR_GH_CREDENTIALS']) {
                    sh 'git push -f origin HEAD:master-v5-dist'
                }
            }
        }
    }
}

This ensures you're using a trusted host key, since you got the host key (presumably) at a time when you were certain you were connected to the real github.com.

cdrini answered Oct 29 '22 07:10
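
One way to check the value from step 1 before storing it as the GITHUB_HOST_KEY credential, as an added example that is not part of the original answer: it recomputes the SHA256 fingerprint of each ssh-keyscan line and keeps only keys matching fingerprints you obtained separately (for example from the Git host's documentation over HTTPS). The function names, the host git.example.test and the key bytes are constructed for illustration.

```python
import base64
import hashlib
import struct


def fingerprint(blob_b64):
    """SHA256 fingerprint of a base64 key blob, in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def vetted_lines(keyscan_output, host, pinned):
    """Return known_hosts lines for `host` whose fingerprint is in `pinned`.

    Raises ValueError on a malformed line, a line naming another host,
    or when no scanned key matches a pinned fingerprint.
    """
    kept = []
    for line in keyscan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # blank or ssh-keyscan comment line
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed known_hosts line: %r" % line)
        hosts, key_type, blob = fields[:3]
        if host not in hosts.split(","):
            raise ValueError("unexpected host field: %r" % hosts)
        if fingerprint(blob) in pinned:  # unpinned keys are dropped, not trusted
            kept.append("%s %s %s" % (host, key_type, blob))
    if not kept:
        raise ValueError("no scanned key matches a pinned fingerprint")
    return kept


def constructed_blob(fill):
    """Constructed sample: ssh-ed25519 wire format with filler key bytes."""
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([fill]) * 32
    return base64.b64encode(raw).decode()


if __name__ == "__main__":
    good, rogue = constructed_blob(1), constructed_blob(2)
    pinned = {fingerprint(good)}  # in real use: values copied from the provider's HTTPS docs
    scan = "git.example.test ssh-ed25519 %s\ngit.example.test ssh-ed25519 %s\n" % (rogue, good)
    print("\n".join(vetted_lines(scan, "git.example.test", pinned)))
```

Only the lines this returns should go into the credential; a ValueError means the scan did not produce a key you can tie to a published fingerprint.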