Closed
Description
We use an SSH key pair to support git operations. Here are some ways this can be done:
- Manually add public key (where script will run) to GitHub account (e.g.
id_rsa.pub
) - Generate dedicated keypair for this script and add that manually to GitHub
- Script generates SSH keypair and adds it to GitHub using API - if not already present due to previous run
Activity
rarkins commentedon Dec 18, 2016
I quite like option 3 because it means one less manual step using the GitHub web interface. i.e. user only needs to generate access token for designated bot account and not also mess with SSH keys if they're not familiar with them.
This would work well for most environments, e.g. the script could look for ~/.ssh/id_rsa.pub` and upload that via GitHub API the first run.
We could perhaps make it fail gracefully or with non-error warning message if the user doesn't want to grant key read/write permissions for the API. In a way then option 1 would be backwards compatible with option 3.
AWS lambda doesn't have the concept of a full user directory with
.ssh
directory, but it could pull the key pair from a secure S3 prior to run.rarkins commentedon Dec 18, 2016
Conclusion:
~/.ssh/id_rsa
for now and users will manually add that public key to GitHubLeaving this issue open for part 2
rarkins commentedon Dec 18, 2016
I realised a problem just now. I was attempting to add my public key (

id_rsa.pub
) to a bot account I'd set up, but GitHub gives me this error message:i.e. public keys are used to identify GitHub users, so you can't add it to more than one GitHub account.
This makes me more inclined to generate a custom key pair just for this tool/bot, to avoid any such conflict.
rarkins commentedon Dec 18, 2016
In theory it would be possible to generate a temporary key pair every run, then add it to the GitHub account, then remove it at the end.
One problem of course would be if the program crashes and doesn't remove the key, but GitHub's API lets you give a "title" to each key so we could name it
renovate
for example and have a first step that deletes it if found.A second problem might be latency - e.g. does it work instantly once you add it via API, or is there a delay until it's active? This needs to be tested as it would be a problem for the first run of the script regardless.
rarkins commentedon Dec 18, 2016
In that case, the logic would be approximately: