chore(release): use deploy keys for release #3013
Merged
nkaradzhov merged 1 commit into redis:master on Jul 8, 2025
Conversation
main branch is protected and does not allow direct pushes. The release action needs to push. Branch protection rules can be bypassed for people and apps, but not GitHub Actions. One of the workarounds is to use a ruleset in which we set a deploy key; see: https://github.com/orgs/community/discussions/25305#discussioncomment-10728028
Pull Request Overview
This PR configures the release workflow to use a deploy key for SSH-based pushes to a protected main branch.
- Adds `ssh-key` input so the checkout action can authenticate via a deploy key
Comments suppressed due to low confidence (1)
.github/workflows/release.yml:26
- When using an SSH deploy key, it's recommended to disable the default token by setting `persist-credentials: false` on the checkout step to avoid conflicts between the GITHUB_TOKEN and your SSH key.
ssh-key: ${{ secrets.RELEASE_KEY }}
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| ssh-key: ${{ secrets.RELEASE_KEY }} |
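Review bot: the `ssh-key` input on this checkout is also the credential every later step in the job inherits, because actions/checkout writes the key into the runner's temp directory and points `core.sshCommand` at it in the local git config, and `persist-credentials` is left at its default of true. That is exactly what lets the release step push, so the earlier suggestion to set `persist-credentials: false` would remove the key after the clone and break the push; keep the default, but treat any third-party action that runs after this step as holding a write-capable deploy key, and keep the key's public half registered as a deploy key on this one repository rather than using a user key or PAT. A one-line comment next to `fetch-depth: 0` saying it is required for the tagging step would stop it being dropped later.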
Consider adding ssh-known-hosts: github.com (or your Git server's host) to validate the SSH host key and prevent man-in-the-middle attacks.
Suggested change
| ssh-key: ${{ secrets.RELEASE_KEY }} | |
| ssh-key: ${{ secrets.RELEASE_KEY }} | |
| ssh-known-hosts: github.com |
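Review bot: the suggested value `github.com` on its own is not a known_hosts entry; the `ssh-known-hosts` input takes full lines of the form `github.com ssh-ed25519 AAAA...` as produced by `ssh-keyscan github.com` (the action's own documentation says the keys may be obtained with ssh-keyscan), so a bare hostname adds nothing and host verification would still rest entirely on the entry the action adds implicitly. If the intent is to pin the host key independently of the action, paste the keyscan output after comparing it with the fingerprints GitHub publishes.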
Member
Not a bad idea, but if the public key is always implicitly added:
(from official docs of checkout v4)
# Known hosts in addition to the user and global host key database. The public SSH
# keys for a host may be obtained using the utility `ssh-keyscan`. For example,
# `ssh-keyscan github.com`. The public key for github.com is always implicitly
# added.
ssh-known-hosts: ''
maybe it doesn't make sense
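The workflow shape this thread is about, written out as an added example; it is not the PR's release.yml and not any file of the redis project. It checks out with a write-enabled deploy key, pins GitHub's host key explicitly instead of relying only on the entry the action adds implicitly, keeps the GITHUB_TOKEN read-only, verifies that the deploy key is the credential in place before tagging, and pushes back to the protected branch. The secret name RELEASE_KEY is taken from the diff above; the workflow name, the `version` input, the step names, the bot identity and the known_hosts placeholder are assumptions.

```yaml
# Added example of the deploy-key release pattern; not the project's release.yml.
# Assumed: the secret RELEASE_KEY holds the private half of a deploy key whose
# public half is registered on the repository with write access and is listed
# as a bypass actor in the branch ruleset. Step names, the `version` input and
# the bot identity are illustrative.
name: release

on:
  workflow_dispatch:
    inputs:
      version:
        description: "Version to tag, e.g. 5.6.0"
        required: true

# The GITHUB_TOKEN is not the credential that pushes, so it stays read-only.
# A push with it would be rejected anyway: branch protection cannot be
# bypassed for GitHub Actions, which is why a deploy key is used at all.
permissions:
  contents: read

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history is needed for the tagging step below.
          fetch-depth: 0
          # Deploy key used for the clone and, because persist-credentials
          # defaults to true, left in the local git config for later steps.
          ssh-key: ${{ secrets.RELEASE_KEY }}
          # Full known_hosts line(s), not a bare hostname. Generate with
          # `ssh-keyscan github.com` and compare with the fingerprints GitHub
          # publishes before pasting. The value below is a placeholder.
          ssh-known-hosts: |
            github.com ssh-ed25519 AAAA...replace-with-verified-key...

      - name: Verify the deploy key is the credential in use
        # Fails fast (bash runs with -e in Actions) if checkout did not
        # configure SSH, e.g. because persist-credentials was set to false,
        # before anything is tagged or pushed.
        run: |
          git config --get core.sshCommand
          git remote get-url origin | grep -q '^git@github.com:'

      - name: Tag the release and push to the protected branch
        env:
          VERSION: ${{ github.event.inputs.version }}
        run: |
          git config user.name "release-bot"                          # assumed
          git config user.email "release-bot@users.noreply.github.com" # assumed
          git tag -a "v${VERSION}" -m "release v${VERSION}"
          git push origin HEAD --follow-tags
```

The point of the layout is blast radius: the only write-capable credential in the job is a deploy key scoped to this one repository, the GITHUB_TOKEN cannot push even if a later step tries, and the verification step makes the dependence on persist-credentials explicit rather than something discovered when the push fails.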
bobymicroby approved these changes on Jul 8, 2025