Setting up per-site read-only deploy keys using GitHub
I'm going to forget this again if I don't write it down this time. Here's the scenario I was trying to overcome:
Single server, multiple sites, each backed by an independent repository cloned over SSH. Each site should have its own private SSH key, added to the remote repository as a deploy key. These deploy keys must not be the same private key the user uses to log in to the server.
The solution is this:
.ssh/config
Each user can keep a custom config file in their .ssh folder that overrides the SSH hostname and key for any given host. Here's an example:

    Host example.github.com
        HostName github.com
        PreferredAuthentications publickey
        IdentityFile ~/.ssh/example-org-id_rsa
From there, any clone made on the server simply has to use the custom hostname that matches the Host entry in the .ssh/config file:

    git@github.com:some_cool_repo/example.com.git

would become

    git@example.github.com:some_cool_repo/example.com.git

After that, git pull and git push are seamless, and the other developers may never even need to know, if you symlink the .ssh config file itself.
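The whole procedure above, scripted, as an added example that is not part of the original post: it generates a per-site key, writes the Host alias stanza into ~/.ssh/config (only once), and rewrites a github.com remote URL to use the alias. The site name, key filename and repository path are made-up placeholders. Two settings go beyond the post's stanza and are assumptions worth keeping: User git, so the alias works even when a URL omits the username, and IdentitiesOnly yes, which stops ssh from offering every key in the agent before the deploy key (GitHub authenticates with the first key it accepts, so without it a site can silently end up using another site's, or the user's, identity).

```shell
#!/bin/sh
# Added example, not the original post's code. Sets up one read-only deploy
# key per site and the matching ~/.ssh/config alias.  Names are placeholders.
set -eu

# Rewrite a github.com SSH remote so it goes through the per-site alias, e.g.
#   git@github.com:some_cool_repo/example.com.git
#   -> git@example.github.com:some_cool_repo/example.com.git
# Non-matching URLs (https, other hosts) are returned unchanged.
alias_remote() {
    site="$1"; url="$2"
    printf '%s\n' "$url" | sed "s|^git@github\.com:|git@${site}.github.com:|"
}

# Render the ~/.ssh/config stanza for one site.
ssh_config_stanza() {
    site="$1"; keyfile="$2"
    cat <<EOF
Host ${site}.github.com
    HostName github.com
    User git
    PreferredAuthentications publickey
    IdentityFile ${keyfile}
    IdentitiesOnly yes
EOF
}

# Exit status 0 if the alias is already present in the given config file.
config_has_alias() {
    site="$1"; cfg="$2"
    grep -q "^Host ${site}\.github\.com\$" "$cfg" 2>/dev/null
}

# Generate the key (no passphrase: a hook or cron job will use it) and append
# the stanza unless this site was already set up.  SSH_DIR is overridable so
# the function can be exercised against a scratch directory.
setup_site_key() {
    site="$1"
    sshdir="${SSH_DIR:-$HOME/.ssh}"
    keyfile="$sshdir/${site}-deploy_ed25519"
    mkdir -p "$sshdir"; chmod 700 "$sshdir"
    [ -f "$keyfile" ] || ssh-keygen -q -t ed25519 -N '' -C "deploy:${site}" -f "$keyfile"
    if ! config_has_alias "$site" "$sshdir/config"; then
        ssh_config_stanza "$site" "$keyfile" >> "$sshdir/config"
    fi
    chmod 600 "$sshdir/config"
    echo "Add this public key to the repo as a deploy key (leave write access off):"
    cat "$keyfile.pub"
}

# Usage: ./deploy-key.sh <site>     (no argument: just define the functions)
[ $# -eq 0 ] || setup_site_key "$1"
```

Once the public key is registered, point the site's checkout at the alias with git remote set-url origin "$(alias_remote example git@github.com:some_cool_repo/example.com.git)". A deploy key on GitHub is read-only unless "Allow write access" is ticked when it is added, so leaving that unticked is what makes a compromised site checkout unable to push to the repository.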
But it's 2020 now...
We have better technology. If you're manually pulling your code, good for you for not using FTP, but come on. It's time to invest in hooks, and true DevOps. Start by reading up at GitHub Actions.