Push to GitHub from CircleCI with Deploy Key (R/W), but GitHub says the key is read-only

(Note: I know that a personal access token will work, but external reasons require me to do this via an SSH Deploy Key. Both the source repo and the target repo are private.)

I need to use CircleCI to push every commit from the source repo to the target repo. Assume the repos are named source and target. I am configuring CircleCI to run my custom push script but it's saying that the key is read-only.

What I've done:

  • Created a new key pair with ssh-keygen on my PC and compressed the private key.
  • Uploaded the public key id_rsa.pub to the target repo as a Deploy Key, with "allow push access with this key" ticked.
  • Put the compressed private key in the repository Environment Variables on CircleCI.
  • Wrote this script:
#!/bin/bash

set -e

if [ -z "$SSH_KEY_E" ]; then
  echo "No SSH key found in environment, set it as \$SSH_KEY_E" >&2
  exit 1
fi

# Restore the gzip+base64-encoded private key from the environment variable.
mkdir -p ~/.ssh
echo "$SSH_KEY_E" |
  base64 -d |
  gunzip -c > ~/.ssh/m.id_rsa
# ssh refuses to use a private key that is readable by other users.
chmod 600 ~/.ssh/m.id_rsa

set -x # debug

# Alias GHMirror to github.com and point it at the restored key.
cat >> ~/.ssh/config << EOF
Host GHMirror
  HostName github.com
  User git
  Port 22
  IdentityFile ~/.ssh/m.id_rsa
EOF
git remote add mirror GHMirror:iBug/circleci-target.git
git push mirror +master

The output log indicates that the key restored from environment is valid, but it doesn't seem like it's used to push to GitHub.

Some points I'd like to point out:

  • At the beginning, I overwrote ~/.ssh/id_rsa and used git@github.com:iBug/target.git directly as the remote URL for mirror, but it didn't work, saying the key is read-only.
  • Then, thinking that the default key (by CircleCI) might be located somewhere else, I changed the remote host to GHMirror and wrote this rule to ~/.ssh/config, as seen in the shell script. Still it complains that the key is read-only.
  • I changed the key to another path, ~/.ssh/m.id_rsa, but no luck.

I have verified everything by running the script locally, and it successfully pushed to the target repository, so there must be something on CircleCI that I'm missing.

Update 1

I added the environment variable GIT_SSH_COMMAND="ssh -vv" and got this result:

debug1: key_load_public: No such file or directory
debug1: identity file /home/circleci/.ssh/id_rsa type -1
...
debug2: key:  (0xREDACTED), agent
debug2: key: /home/circleci/.ssh/id_rsa ((nil))
debug2: key: /home/circleci/.ssh/id_dsa ((nil))
debug2: key: /home/circleci/.ssh/id_ecdsa ((nil))
debug2: key: /home/circleci/.ssh/id_ed25519 ((nil))

However, ls -l ~/.ssh/id_rsa shows that the file is there, with permission 0600.

Asked by iBug, Dec 20 '25 21:12

1 Answer

I believe the problem you are experiencing is due to the ssh-agent offering the CircleCI key, which is read-only. I've hit this problem as well in the past. To debug you can use the following:

export GIT_SSH_COMMAND="ssh -vv"

This will print out details about which key is being used.

I was able to fix the problem with something like this:

# Disable the ssh-agent
export SSH_AUTH_SOCK=none
# Tell ssh to use the specific SSH key
export GIT_SSH_COMMAND="ssh -i path/to/key"

Also make sure that you chmod 0600 path/to/key. SSH will not use keys if they are readable by other users.

Answered by dnephin, Dec 24 '25 04:12
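The fix described in the answer, written out as a complete push script. This is an added example, not iBug's script or dnephin's; it assumes the question's SSH_KEY_E encoding (gzip, then base64), a key path of ~/.ssh/deploy_key chosen here, and a placeholder target repository. Instead of unsetting the agent socket it passes ssh the `IdentitiesOnly=yes` and `IdentityAgent=none` options, which together stop ssh from offering the agent-held CircleCI key before the deploy key; `key_perms_ok` checks the 0600 requirement the answer mentions so the script fails early rather than silently falling back to another key.

```bash
#!/bin/bash
# Added example: push with a specific deploy key only, ignoring the ssh-agent.
set -eu

# Hypothetical key location for this example; any path under ~/.ssh works.
KEY_PATH="${HOME}/.ssh/deploy_key"

# restore_key ENCODED PATH
# Decode the base64(gzip(private key)) value from the environment into PATH
# with owner-only permissions, mirroring how the question stores the key.
restore_key() {
  mkdir -p "$(dirname "$2")"
  chmod 700 "$(dirname "$2")"
  # Subshell so the restrictive umask does not leak into the rest of the script.
  ( umask 077; printf '%s' "$1" | base64 -d | gunzip -c > "$2" )
  chmod 600 "$2"
}

# key_perms_ok PATH
# Return 0 only if the key file is mode 0600; ssh silently skips keys that
# other users can read, which is one way to end up using the wrong key.
key_perms_ok() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ]
}

# git_ssh_command PATH
# Build the value for GIT_SSH_COMMAND: explicit key, only that key, no agent.
git_ssh_command() {
  printf 'ssh -i %s -o IdentitiesOnly=yes -o IdentityAgent=none' "$1"
}

# Full flow, run only as `./push.sh push`, so the functions can also be sourced.
if [ "${1:-}" = "push" ]; then
  restore_key "${SSH_KEY_E:?set SSH_KEY_E to the encoded deploy key}" "$KEY_PATH"
  key_perms_ok "$KEY_PATH"
  # Placeholder repository; replace with the real target.
  GIT_SSH_COMMAND=$(git_ssh_command "$KEY_PATH") \
    git push git@github.com:OWNER/target.git +master
fi
```

Run it with `GIT_SSH_COMMAND="$(git_ssh_command "$KEY_PATH") -vv"` once to confirm in the debug output that only the deploy key is offered; `IdentityAgent=none` has the same effect as the answer's `SSH_AUTH_SOCK=none` but is scoped to this one ssh invocation rather than the whole shell.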