Add secret support for SSH key_data
#1620
Open
+29
−5
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
I've modified `key_data` under `ssh` to read from secrets. This is backwards compatible with the insecure method of storing directly in the deploy.yml. I limited the documentation to only showing the secure way since there is no reason to suggest insecure methods.
djmb
reviewed
Aug 11, 2025
| # a raw private key in PEM format. | ||
| key_data: [ "-----BEGIN OPENSSH PRIVATE KEY-----" ] | ||
| # An array of strings, with each element of the array being a secret name. | ||
| key_data: |
There was a problem hiding this comment.
If we use key_data: SSH_PRIVATE_KEY as the format for reading from secrets, then we can avoid needing to check the contents of the string array below.
There was a problem hiding this comment.
That doesn't support multiple keys which is nice to have. key_data is also being passed to something that expects an array.
There was a problem hiding this comment.
@djmb any update? Would love to get this merged!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I've modified
key_dataundersshto read from secrets. This is backwards compatible with the insecure method of storing directly in the deploy.yml. I limited the documentation to only showing the secure way since there is no reason to suggest insecure methods.