From 876298f58bb42ea558c6ee75557fc34192729552 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Henrique=20Louren=C3=A7o?= Date: Tue, 17 Mar 2026 13:20:44 +0000 Subject: [PATCH 1/4] chore(#868hja40e): fix cve, migrate to npm and bump node version --- .github/workflows/demo.yml | 50 +++++++++++----------- README.md | 2 +- action.yml | 24 +++++------ cleanup.js | 6 +-- index.js | 9 ++-- package-lock.json | 87 ++++++++++++++++++++++++++++++++++++++ package.json | 6 ++- yarn.lock | 13 ------ 8 files changed, 137 insertions(+), 60 deletions(-) create mode 100644 package-lock.json delete mode 100644 yarn.lock diff --git a/.github/workflows/demo.yml b/.github/workflows/demo.yml index 5fb24b6..a909643 100644 --- a/.github/workflows/demo.yml +++ b/.github/workflows/demo.yml @@ -1,28 +1,30 @@ on: [push, pull_request] jobs: - single_key_demo: - strategy: - matrix: - os: [ubuntu-latest, macOS-latest] - runs-on: ${{ matrix.os }} - steps: - - uses: actions/checkout@v1 - - name: Setup key - uses: ./ - with: - ssh-private-key: | - ${{ secrets.DEMO_KEY }} - ${{ secrets.DEMO_KEY_2 }} + single_key_demo: + strategy: + matrix: + os: [ubuntu-latest, macOS-latest] + runs-on: ${{ matrix.os }} + steps: + - uses: actions/checkout@v6 - multiple_keys_demo: - strategy: - matrix: - os: [ubuntu-latest, macOS-latest] - runs-on: ${{ matrix.os }} - steps: - - uses: actions/checkout@v1 - - name: Setup key - uses: ./ - with: - ssh-private-key: ${{ secrets.DEMO_KEY }} + - name: Setup key + uses: ./ + with: + ssh-private-key: | + ${{ secrets.DEMO_KEY }} + ${{ secrets.DEMO_KEY_2 }} + + multiple_keys_demo: + strategy: + matrix: + os: [ubuntu-latest, macOS-latest] + runs-on: ${{ matrix.os }} + steps: + - uses: actions/checkout@v6 + + - name: Setup key + uses: ./ + with: + ssh-private-key: ${{ secrets.DEMO_KEY }} diff --git a/README.md b/README.md index 18e26de..080fb20 100644 --- a/README.md +++ b/README.md 
@@ -122,7 +122,7 @@ To actually grant the SSH key access, you can – on GitHub – use at least two As a note to my future self, in order to work on this repo: * Clone it -* Run `yarn install` to fetch dependencies +* Run `npm install` to fetch dependencies * _hack hack hack_ * `node index.js`. Inputs are passed through `INPUT_` env vars with their names uppercased. Use `env "INPUT_SSH-PRIVATE-KEY=\`cat file\`" node index.js` for this action. * Run `npm run build` to update `dist/*`, which holds the files actually run diff --git a/action.yml b/action.yml index e43c44f..b26a5b3 100644 --- a/action.yml +++ b/action.yml @@ -1,15 +1,15 @@ -name: 'webfactory/ssh-agent' -description: 'Run `ssh-agent` and load an SSH key to access other private repositories' +name: webfactory/ssh-agent +description: Run `ssh-agent` and load an SSH key to access other private repositories inputs: - ssh-private-key: - description: 'Private SSH key to register in the SSH agent' - required: true - ssh-auth-sock: - description: 'Where to place the SSH Agent auth socket' + ssh-private-key: + description: Private SSH key to register in the SSH agent + required: true + ssh-auth-sock: + description: Where to place the SSH Agent auth socket runs: - using: 'node12' - main: 'dist/index.js' - post: 'dist/cleanup.js' + using: node24 + main: dist/index.js + post: dist/cleanup.js branding: - icon: loader - color: 'yellow' + icon: loader + color: yellow diff --git a/cleanup.js b/cleanup.js index f90cddd..79b9993 100644 --- a/cleanup.js +++ b/cleanup.js @@ -3,9 +3,9 @@ const { execSync } = require('child_process') try { // Kill the started SSH agent - console.log('Stopping SSH agent') + core.info('Stopping SSH agent') execSync('kill ${SSH_AGENT_PID}', { stdio: 'inherit' }) } catch (error) { - console.log(error.message); - console.log('Error stopping the SSH agent, proceeding anyway'); + core.warning(error.message); + core.warning('Error stopping the SSH agent, proceeding anyway'); } 
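Review bot: `main: dist/index.js` and `post: dist/cleanup.js` are what the runner executes, yet the diffstat of this series lists no file under `dist/`. If the bundle is committed to the repository, the `@actions/core` upgrade and the `core.info`/`core.warning` changes never reach users of the action. Run `npm run build`, which the README names as the step that refreshes `dist/*`, and commit the regenerated bundle in the same series as `using: node24`. It is also worth confirming that the bundle produced by the pinned ncc version runs under the Node 24 runtime before a release is tagged.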
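Review bot: When the `kill` in the `try` block fails, the new `core.warning` calls only log and the post step still succeeds, which leaves an `ssh-agent` holding the loaded private keys alive. That matters mainly on self-hosted runners, where the machine outlives the job. Consider checking `process.env.SSH_AGENT_PID` before the call and stating in the warning that the agent may still be running. A short comment on the `execSync` line, such as `// single quotes on purpose: the shell, not JavaScript, expands ${SSH_AGENT_PID}`, would stop a later edit from turning it into a template literal. The hunk starts at line 3 of cleanup.js, so the `core` binding these calls rely on is not visible here and should be confirmed.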
diff --git a/index.js b/index.js index 7ee6fe7..3328195 100644 --- a/index.js +++ b/index.js @@ -3,7 +3,6 @@ const child_process = require('child_process'); const fs = require('fs'); try { - const home = process.env['HOME']; const homeSsh = home + '/.ssh'; @@ -15,12 +14,12 @@ try { return; } - console.log(`Adding GitHub.com keys to ${homeSsh}/known_hosts`); + core.info(`Adding GitHub.com keys to ${homeSsh}/known_hosts`); fs.mkdirSync(homeSsh, { recursive: true }); fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n'); fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-dss 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\n'); - console.log("Starting ssh-agent"); + core.info("Starting ssh-agent"); const authSock = core.getInput('ssh-auth-sock'); let sshAgentOutput = '' if (authSock && authSock.length > 0) { @@ -38,12 +37,12 @@ try { } } - console.log("Adding private key to agent"); + core.info("Adding private key to agent"); privateKey.split(/(?=-----BEGIN)/).forEach(function(key) { child_process.execSync('ssh-add -', { input: key.trim() + "\n" }); }); - console.log("Keys added:"); + core.info("Keys added:"); child_process.execSync('ssh-add -l', { stdio: 'inherit' }); } catch (error) { diff --git a/package-lock.json b/package-lock.json new file mode 100644 index 0000000..3b04bf8 --- /dev/null +++ b/package-lock.json 
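Review bot: The `github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hR…` entry that the second index.js hunk keeps appending to `known_hosts` appears to be the RSA host key GitHub retired in March 2023 after its private half was exposed. The `ssh-dss` line beside it pins a DSA key type that current OpenSSH no longer accepts by default. A commit described as fixing a CVE leaves both untouched, so the action either trusts a key that should no longer be trusted or fails host verification against the key GitHub serves today. Replace both lines with the host keys GitHub currently publishes, checked against its documented fingerprints, for example ``fs.appendFileSync(`${homeSsh}/known_hosts`, '\ngithub.com ssh-ed25519 <current GitHub ed25519 host key>\n');``. The surrounding `try` block starts and ends outside these hunks.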
@@ -0,0 +1,87 @@ +{ + "name": "webfactory-action-ssh-agent", + "version": "0.1.0", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "webfactory-action-ssh-agent", + "version": "0.1.0", + "license": "MIT", + "devDependencies": { + "@actions/core": "^3.0.0", + "@zeit/ncc": "^0.22.3" + } + }, + "node_modules/@actions/core": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-3.0.0.tgz", + "integrity": "sha512-zYt6cz+ivnTmiT/ksRVriMBOiuoUpDCJJlZ5KPl2/FRdvwU3f7MPh9qftvbkXJThragzUZieit2nyHUyw53Seg==", + "dev": true, + "license": "MIT", + "dependencies": { + "@actions/exec": "^3.0.0", + "@actions/http-client": "^4.0.0" + } + }, + "node_modules/@actions/exec": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-3.0.0.tgz", + "integrity": "sha512-6xH/puSoNBXb72VPlZVm7vQ+svQpFyA96qdDBvhB8eNZOE8LtPf9L4oAsfzK/crCL8YZ+19fKYVnM63Sl+Xzlw==", + "dev": true, + "license": "MIT", + "dependencies": { + "@actions/io": "^3.0.2" + } + }, + "node_modules/@actions/http-client": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-4.0.0.tgz", + "integrity": "sha512-QuwPsgVMsD6qaPD57GLZi9sqzAZCtiJT8kVBCDpLtxhL5MydQ4gS+DrejtZZPdIYyB1e95uCK9Luyds7ybHI3g==", + "dev": true, + "license": "MIT", + "dependencies": { + "tunnel": "^0.0.6", + "undici": "^6.23.0" + } + }, + "node_modules/@actions/io": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/@actions/io/-/io-3.0.2.tgz", + "integrity": "sha512-nRBchcMM+QK1pdjO7/idu86rbJI5YHUKCvKs0KxnSYbVe3F51UfGxuZX4Qy/fWlp6l7gWFwIkrOzN+oUK03kfw==", + "dev": true, + "license": "MIT" + }, + "node_modules/@zeit/ncc": { + "version": "0.22.3", + "resolved": "https://registry.npmjs.org/@zeit/ncc/-/ncc-0.22.3.tgz", + "integrity": "sha512-jnCLpLXWuw/PAiJiVbLjA8WBC0IJQbFeUwF4I9M+23MvIxTxk5pD4Q8byQBSPmHQjz5aBoA7AKAElQxMpjrCLQ==", + "deprecated": "@zeit/ncc is no longer maintained. 
Please use @vercel/ncc instead.", + "dev": true, + "license": "MIT", + "bin": { + "ncc": "dist/ncc/cli.js" + } + }, + "node_modules/tunnel": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=0.6.11 <=0.7.0 || >=0.7.3" + } + }, + "node_modules/undici": { + "version": "6.24.1", + "resolved": "https://registry.npmjs.org/undici/-/undici-6.24.1.tgz", + "integrity": "sha512-sC+b0tB1whOCzbtlx20fx3WgCXwkW627p4EA9uM+/tNNPkSS+eSEld6pAs9nDv7WbY1UUljBMYPtu9BCOrCWKA==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=18.17" + } + } + } +} diff --git a/package.json b/package.json index bb68cef..3c9c0c8 100644 --- a/package.json +++ b/package.json @@ -6,9 +6,11 @@ "main": "index.js", "author": "webfactory GmbH ", "license": "MIT", + "dependencies": { + "@actions/core": "^3.0.0" + }, "devDependencies": { - "@actions/core": "^1.2.4", - "@zeit/ncc": "^0.20.5" + "@zeit/ncc": "^0.22.3" }, "scripts": { "build": "node scripts/build.js" diff --git a/yarn.lock b/yarn.lock deleted file mode 100644 index 83381c3..0000000 --- a/yarn.lock +++ /dev/null @@ -1,13 +0,0 @@ -# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. -# yarn lockfile v1 - - -"@actions/core@^1.2.4": - version "1.2.6" - resolved "https://registry.yarnpkg.com/@actions/core/-/core-1.2.6.tgz#a78d49f41a4def18e88ce47c2cac615d5694bf09" - integrity sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA== - -"@zeit/ncc@^0.20.5": - version "0.20.5" - resolved "https://registry.yarnpkg.com/@zeit/ncc/-/ncc-0.20.5.tgz#a41af6e6bcab4a58f4612bae6137f70bce0192e3" - integrity sha512-XU6uzwvv95DqxciQx+aOLhbyBx/13ky+RK1y88Age9Du3BlA4mMPCy13BGjayOrrumOzlq1XV3SD/BWiZENXlw== From d4f2ab0fb97f77b67ed733fa004f4516ba1a96dc Mon Sep 17 00:00:00 2001 
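Review bot: The `@zeit/ncc` bump to `^0.22.3` stays on a package that the lockfile in this same patch marks as deprecated ("no longer maintained. Please use @vercel/ncc instead"), and that bundler produces the `dist/` code that handles the SSH private key. Switching the devDependency to `"@vercel/ncc": "<current release>"`, together with the matching require in `scripts/build.js` (not shown here), keeps the build tool on a maintained line. The `@actions/core` change from `^1.2.4` to `^3.0.0` crosses two major versions, so confirm that the CommonJS `require` style used in index.js and cleanup.js still loads and bundles with it.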
From: =?UTF-8?q?Henrique=20Louren=C3=A7o?= Date: Tue, 17 Mar 2026 13:22:17 +0000 Subject: [PATCH 2/4] fix: update package-lock.json to move dependencies to the correct section and remove unnecessary dev flags --- package-lock.json | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/package-lock.json b/package-lock.json index 3b04bf8..1895fcf 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8,8 +8,10 @@ "name": "webfactory-action-ssh-agent", "version": "0.1.0", "license": "MIT", + "dependencies": { + "@actions/core": "^3.0.0" + }, "devDependencies": { - "@actions/core": "^3.0.0", "@zeit/ncc": "^0.22.3" } }, @@ -17,7 +19,6 @@ "version": "3.0.0", "resolved": "https://registry.npmjs.org/@actions/core/-/core-3.0.0.tgz", "integrity": "sha512-zYt6cz+ivnTmiT/ksRVriMBOiuoUpDCJJlZ5KPl2/FRdvwU3f7MPh9qftvbkXJThragzUZieit2nyHUyw53Seg==", - "dev": true, "license": "MIT", "dependencies": { "@actions/exec": "^3.0.0", @@ -28,7 +29,6 @@ "version": "3.0.0", "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-3.0.0.tgz", "integrity": "sha512-6xH/puSoNBXb72VPlZVm7vQ+svQpFyA96qdDBvhB8eNZOE8LtPf9L4oAsfzK/crCL8YZ+19fKYVnM63Sl+Xzlw==", - "dev": true, "license": "MIT", "dependencies": { "@actions/io": "^3.0.2" @@ -38,7 +38,6 @@ "version": "4.0.0", "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-4.0.0.tgz", "integrity": "sha512-QuwPsgVMsD6qaPD57GLZi9sqzAZCtiJT8kVBCDpLtxhL5MydQ4gS+DrejtZZPdIYyB1e95uCK9Luyds7ybHI3g==", - "dev": true, "license": "MIT", "dependencies": { "tunnel": "^0.0.6", @@ -49,7 +48,6 @@ "version": "3.0.2", "resolved": "https://registry.npmjs.org/@actions/io/-/io-3.0.2.tgz", "integrity": "sha512-nRBchcMM+QK1pdjO7/idu86rbJI5YHUKCvKs0KxnSYbVe3F51UfGxuZX4Qy/fWlp6l7gWFwIkrOzN+oUK03kfw==", - "dev": true, "license": "MIT" }, "node_modules/@zeit/ncc": { 
@@ -67,7 +65,6 @@ "version": "0.0.6", "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==", - "dev": true, "license": "MIT", "engines": { "node": ">=0.6.11 <=0.7.0 || >=0.7.3" @@ -77,7 +74,6 @@ "version": "6.24.1", "resolved": "https://registry.npmjs.org/undici/-/undici-6.24.1.tgz", "integrity": "sha512-sC+b0tB1whOCzbtlx20fx3WgCXwkW627p4EA9uM+/tNNPkSS+eSEld6pAs9nDv7WbY1UUljBMYPtu9BCOrCWKA==", - "dev": true, "license": "MIT", "engines": { "node": ">=18.17" From d44584c0500ab18af71c5bb7a2b16ac6c6911b41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Henrique=20Louren=C3=A7o?= Date: Tue, 17 Mar 2026 13:27:09 +0000 Subject: [PATCH 3/4] fix: add missing name field to demo workflow --- .github/workflows/demo.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/demo.yml b/.github/workflows/demo.yml index a909643..5b1b64b 100644 --- a/.github/workflows/demo.yml +++ b/.github/workflows/demo.yml @@ -1,3 +1,5 @@ +name: Demo + on: [push, pull_request] jobs: From 9384c3135f319fc4aa16f4a4a7b86d6097c548ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Henrique=20Louren=C3=A7o?= Date: Tue, 17 Mar 2026 13:28:15 +0000 Subject: [PATCH 4/4] fix: update event triggers in demo workflow to specify branches for push --- .github/workflows/demo.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/demo.yml b/.github/workflows/demo.yml index 5b1b64b..26486df 100644 --- a/.github/workflows/demo.yml +++ b/.github/workflows/demo.yml @@ -1,6 +1,10 @@ name: Demo -on: [push, pull_request] +on: + push: + branches: + - master + pull_request: jobs: single_key_demo:
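Review bot: The rewritten `on:` block narrows `push` to `master`, but the workflow still has no `permissions:` key, so both jobs that load `secrets.DEMO_KEY` run with the repository's default `GITHUB_TOKEN` scope. A top-level `permissions:` entry with `contents: read` would bound it. `pull_request:` is left unfiltered, and since runs triggered from forks normally receive no repository secrets, the demo jobs will get an empty `ssh-private-key` there and should be expected to fail or be skipped. The `actions/checkout@v6` steps added in the first patch reference a mutable tag; pinning them to a full commit SHA is the usual choice for a workflow that handles key material.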