Issue
When I connect to my server through my local computer I can successfully connect to GitHub using SSH.
I used this tutorial (https://docs.github.com/en/github/authenticating-to-github/adding-a-new-ssh-key-to-your-github-account) to set up the SSH keys.
However, when using GitHub Actions I get this error:
err: git@github.com: Permission denied (publickey).
err: fatal: Could not read from remote repository.
err:
err: Please make sure you have the correct access rights
err: and the repository exists.
This is my GitHub Actions YML:
name: CI App to DO
on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
jobs:
  deploy-do:
    runs-on: ubuntu-latest
    steps:
      - name: SSH to server and Deploy App
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.SSH_HOST }}
          username: ${{ secrets.SSH_USERNAME }}
          key: ${{ secrets.SSH_KEY }}
          port: ${{ secrets.SSH_PORT }}
          script: |
            cd ~/app
            git pull origin master
            npm run build
            pm2 restart next
When running ssh-add -l on the server through my local machine I get my key but when doing the same through the Github actions workflow I get:
The agent has no identities.
My server is hosted on a Digital Ocean Droplet using Ubuntu 20.04. As stated previously, this works great when connecting to my server through my local machine and doing the git pull there. I use MobaXterm for connecting to my droplet.
Edit: I am able to make this work when not using a passphrase.
On my local machine I'm using MobaXterm.
Solution
Since the passphrase seems to be the issue, you might need to add your key to the ssh agent in your GitHub Action workflow.
See as an example "Using a SSH deploy key in GitHub Actions to access private repositories" from Matthias Pigulla, which proposes:
# .github/workflows/my-workflow.yml
# ... other config here
jobs:
  build:
    runs-on: ubuntu-18.04
    steps:
      - uses: actions/checkout@v1
      - name: Setup SSH Keys and known_hosts
        env:
          SSH_AUTH_SOCK: /tmp/ssh_agent.sock
        run: |
          mkdir -p ~/.ssh
          ssh-keyscan github.com >> ~/.ssh/known_hosts
          ssh-agent -a $SSH_AUTH_SOCK > /dev/null
          ssh-add - <<< "${{ secrets.SSH_PRIVATE_KEY }}"
      - name: Some task that fetches dependencies
        env:
          SSH_AUTH_SOCK: /tmp/ssh_agent.sock
        run: ./fetch-deps.sh
But he has since also defined actions/webfactory-ssh-agent.
This action:
- starts the ssh-agent,
- exports the SSH_AUTH_SOCK environment variable,
- loads a private SSH key into the agent and
- configures known_hosts for GitHub.com.
Answered By - VonC Answer Checked By - Clifford M. (WPSolving Volunteer)
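An added example, not part of the answer or of Matthias Pigulla's post: a POSIX shell preflight that automates the `ssh-add -l` check from the question, so a step fails early with a specific reason when the agent holds no key. `SSH_ADD` and `SSH_AGENT` are hypothetical override variables introduced here; the socket path and secret name are taken from the workflow above.

```shell
#!/bin/sh
# Added example: preflight check for the agent a workflow step relies on.
# SSH_ADD / SSH_AGENT are hypothetical overrides (handy for testing); they
# default to the real OpenSSH ssh-add and ssh-agent binaries.

# Print the agent state, derived from the documented `ssh-add -l` exit status:
# 0 = identities listed, 1 = agent has no identities, 2 = agent not reachable.
agent_state() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo no-socket
        return 0
    fi
    rc=0
    "${SSH_ADD:-ssh-add}" -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Gate for later steps: succeed only if the agent holds at least one identity.
require_agent_key() {
    state=$(agent_state)
    case $state in
        loaded) return 0 ;;
        empty) echo "agent is running but holds no key (ssh-add skipped or failed)" >&2 ;;
        no-socket) echo "SSH_AUTH_SOCK is not set in this step" >&2 ;;
        *) echo "no agent answering on $SSH_AUTH_SOCK" >&2 ;;
    esac
    return 1
}

# Start an agent on socket $1 if none answers there, then load the private key
# text in $2 from stdin so it is never written to the runner's disk.
start_agent_with_key() {
    SSH_AUTH_SOCK=$1
    export SSH_AUTH_SOCK
    if [ "$(agent_state)" = unreachable ]; then
        "${SSH_AGENT:-ssh-agent}" -a "$SSH_AUTH_SOCK" >/dev/null || return 1
    fi
    # With no terminal and no askpass helper ssh-add cannot prompt, so a
    # passphrase-protected key fails here; the gate below reports it as "empty".
    printf '%s\n' "$2" | "${SSH_ADD:-ssh-add}" - >/dev/null 2>&1 || true
    require_agent_key
}
```

In a workflow step, source this file and call `start_agent_with_key /tmp/ssh_agent.sock "$SSH_PRIVATE_KEY"` with the secret passed in through `env:`; later steps that set the same `SSH_AUTH_SOCK` can call `require_agent_key` before running `git`.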