Many administrators would love to restrict cloning and pushing to GitHub repos to certain IPs and auto-expiring keys. GitHub provides that functionality out of the box, but it is quite complicated to set up and maintain.

If we had a way to automate all steps by just creating an issue, the ssh certificate authority feature would have a much higher chance of being used:

- Configure your org to use an ssh certificate authority
- Create a copy of this repository template in that organization
- Set your CA private key as `SSH_CERTIFICATE` secret
- Create an issue with the `Sign ssh key` issue template, which will trigger the issue ops sign ssh key workflow
- Profit
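The signing step such a workflow runs once it has the CA key (the `SSH_CERTIFICATE` secret) on disk and the requester's already uploaded public key, as an added example that is not code from this template. It issues a short-lived certificate pinned to an allow-listed source address, which is what makes the "certain IPs and auto-expiring keys" goal enforceable; file names, the login `octocat` and the CIDR are assumptions.

```shell
# Added example, not part of this repository: sign an uploaded public key
# with the org's SSH CA. Paths, the example login and the CIDR are assumed.
set -eu

# sign_user_key CA_KEY USER_PUB IDENTITY LOGIN VALIDITY SOURCE_CIDR
#   CA_KEY      CA private key file (mode 600, never committed)
#   USER_PUB    the requester's public key, e.g. user.pub
#   IDENTITY    key ID written into the cert and shown in audit logs
#   LOGIN       GitHub username; GitHub reads it from the login@github.com
#               extension, not from the principal list
#   VALIDITY    ssh-keygen -V interval such as +8h (relative to now)
#   SOURCE_CIDR comma-separated CIDRs the cert may be presented from
# Writes user-cert.pub next to USER_PUB and prints its path.
sign_user_key() {
  ca_key=$1; user_pub=$2; identity=$3; login=$4; validity=$5; source_cidr=$6
  ssh-keygen -q -s "$ca_key" -I "$identity" -V "$validity" \
    -O "extension:login@github.com=$login" \
    -O "source-address=$source_cidr" \
    "$user_pub"
  printf '%s\n' "${user_pub%.pub}-cert.pub"
}

# cert_field CERT NAME: value of one "NAME: value" line of `ssh-keygen -L`,
# e.g. cert_field user-cert.pub Valid -> from <now> to <now + validity>
cert_field() {
  ssh-keygen -L -f "$1" | sed -n "s/^[[:space:]]*$2: *//p"
}

# cert_source_address CERT: the source-address critical option, if any
cert_source_address() {
  ssh-keygen -L -f "$1" | sed -n 's/^[[:space:]]*source-address //p'
}

# cert_has_extension CERT NAME: succeeds if the extension is present
# (ssh-keygen -L lists custom extensions by name, with the value as hex)
cert_has_extension() {
  ssh-keygen -L -f "$1" | grep -qE "^[[:space:]]*$2( |$)"
}

# demo DIR: throw-away CA and user key in DIR (constructed test material),
# sign the user key for 8 hours from one /24 and print the cert path
demo() {
  ssh-keygen -q -t ed25519 -N '' -f "$1/ca"
  ssh-keygen -q -t ed25519 -N '' -f "$1/user"
  sign_user_key "$1/ca" "$1/user.pub" issue-42-octocat octocat +8h 203.0.113.0/24
}
```

Inspect the result with `ssh-keygen -L -f user-cert.pub`; the `Valid:` line is the expiry and `source-address` under `Critical Options:` is the IP restriction the workflow enforced.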
In a first iteration, we experimented with generating ssh keys from scratch and sending them encrypted to the user. We abandoned this idea in favour of signing already uploaded ssh keys. A leftover from our experiments is an IssueOps encryption workflow that can be triggered by using the `Encrypt and share content` issue template; it encrypts any content in the issue description with the public ssh keys of the specified recipient (with a comment on how to decrypt):
For encryption/decryption, the portable, lightweight encryption tool age is used, which can either be used directly from this repo template (Windows, Linux, Mac) or built/installed from scratch.
For GitHub Winterfest, we designed a third IssueOps workflow that is very similar to the encryption-based one, except that it always assumes the issue opener to be the receiver and a configurable secret `WINTERFEST_SECRET` is used as the encrypted payload. It also comes with a festive issue template.
Have fun trying it out.