yesolutions/mirror-action

Host key verification failed

mochadwi opened this issue · 4 comments

+ git config --global core.sshCommand 'ssh -i ~/.ssh/id_rsa -o IdentitiesOnly=yes -o UserKnownHostsFile=~/.ssh/known_hosts'
+ git remote add mirror git@gitlab.com:sampingan-mobile/dynamic-ui.git
+ [[ false != \f\a\l\s\e ]]
+ [[ true != \t\r\u\e ]]
+ eval git push -u --tags --force --prune mirror
++ git push -u --tags --force --prune mirror
Host key verification failed.

Shouldn't this line use ~/.ssh/id_rsa.pub instead of ~/.ssh/id_rsa? cmiiw

+ git config --global core.sshCommand 'ssh -i ~/.ssh/id_rsa -o IdentitiesOnly=yes -o UserKnownHostsFile=~/.ssh/known_hosts'

Also IMHO, it's necessary to provide GIT_SSH_PUBLIC_KEY env var as well, so this is created instead

+ chmod 600 /github/home/.ssh/id_rsa.pub // this is created, if providing GIT_SSH_PUBLIC_KEY, otherwise only the private keys: id_rsa
+ chmod 600 /github/home/.ssh/id_rsa

See my workflow logs here: https://github.com/sampingantech/dynamic-ui/runs/1255564326?check_suite_focus=true#step:4:223

Thus, is GIT_USERNAME also required to be provided, e.g. GIT_USERNAME: "myusername"? @spyoungtech

I'm curious about this section: https://github.com/spyoungtech/mirror-action#mirror-a-repository-using-ssh

known_hosts doesn't seem to work for me, even though I already added both gitlab.com & github.com.

Should I also whitelist the IP/host where you host your docker image? @spyoungtech

Because using GIT_SSH_NO_VERIFY_HOST: "true" fixes my issue, but I'll keep this issue open for future readers.

@mochadwi sorry for the delay in response. known_hosts is expected to be the contents of a known_hosts file, containing IP addresses and public keys, not just hostnames.

GIT_USERNAME will default to git if you're using SSH, so typically, it is not needed to provide this argument when using SSH.

> Also IMHO, it's necessary to provide GIT_SSH_PUBLIC_KEY env var as well, so this is created instead

You can provide GIT_SSH_PUBLIC_KEY if you want, but mirroring can actually succeed without this (the private key inherently contains information about the public key, so it shouldn't be needed on the CI runner, as the git server can verify you anyhow).

A previous version of this action actually did require this, but it was removed (made optional) when it was brought to my attention that the public key is not actually needed.

> Shouldn't this line use ~/.ssh/id_rsa.pub instead of ~/.ssh/id_rsa? cmiiw

Nope. The -i argument expects a private key, not a public key.
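
The point above about known_hosts needing key entries rather than bare hostnames, as an added example that is not part of the thread or the action's own code: a pre-flight check a workflow step could run on the secret's text, so a hostnames-only value fails early instead of leading to GIT_SSH_NO_VERIFY_HOST. The function name and sample values (including the key material) are constructed, and only plain, unhashed host names are matched.

```shell
#!/bin/sh
# Added example: sanity-check text intended for a known_hosts secret.
# check_known_hosts CONTENT HOST
#   returns 0 only if every entry is "hosts keytype base64key" and one names HOST.
# Assumption: plain host names (hashed "|1|..." entries are not matched).
check_known_hosts() {
  printf '%s\n' "$1" | awk -v host="$2" '
    /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
    {
      i = 1
      if ($1 ~ /^@/) i = 2                     # optional @cert-authority or @revoked marker
      hosts = $i; type = $(i + 1); key = $(i + 2)
      if (type !~ "^(ssh-|ecdsa-|sk-)" || key !~ "^[A-Za-z0-9+/]+=*$") {
        printf "line %d: not a \"host keytype base64key\" entry\n", NR
        bad = 1; next
      }
      n = split(hosts, h, ",")                 # "name,ip" lists several hosts per key
      for (j = 1; j <= n; j++) if (h[j] == host) found = 1
    }
    END { exit((bad || !found) ? 1 : 0) }' >&2
}

# Constructed sample: what was tried in the issue (hostnames only).
BAD_SAMPLE='gitlab.com
github.com'

# Constructed sample: a well-formed entry. The key is a placeholder, not a real host key.
GOOD_SAMPLE='# constructed entry for illustration
gitlab.com,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyMaterialOnly0000000000'

check_known_hosts "$GOOD_SAMPLE" gitlab.com && echo "ok: key entry found for gitlab.com"
check_known_hosts "$BAD_SAMPLE" gitlab.com || echo "rejected: hostnames without keys"
```

Lines in the accepted form can be collected with `ssh-keyscan gitlab.com`; compare their fingerprints with the ones the host publishes before storing them as the secret.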