Fragmented Thought

Setting up per site read-only deploy keys using github

By Lance Gliser


I'm going to forget this again if I don't write it down this time. Here's the scenario I was trying to overcome:

Single server, multiple sites, each backed by its own repository accessed over SSH. Each site should have its own SSH key pair, with the public half registered on the remote repository as a deploy key. These deploy keys cannot be the user's own private key, the one used to log on to the server.

The solution is this:

.ssh/config

Each user can keep a config file in their .ssh folder that overrides the real hostname and the key used for any given host alias. Here's an example:

    Host example.github.com
        HostName github.com
        PreferredAuthentications publickey
        IdentityFile ~/.ssh/example-org-id_rsa

From there, any SSH clone URL on the server simply uses the alias hostname from .ssh/config in place of the real one:

git@github.com:some_cool_repo/example.com.git

would become

git@example.github.com:some_cool_repo/example.com.git

After that, git pull and push work seamlessly, and the other developers may never even need to know, especially if you symlink the .ssh config file itself.
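The steps above collected into one script, added here and not part of the original post. It assumes the example.github.com alias and ~/.ssh/example-org-id_rsa key name from the post; the IdentitiesOnly line is an addition that keeps ssh from trying the user's own key before the deploy key.

```shell
#!/bin/sh
# Added example, not code from the original post: generate one site's
# deploy key, add its ssh_config stanza once, and rewrite the clone URL.
# Assumed names: alias example.github.com, key ~/.ssh/example-org-id_rsa.
set -eu

# Print the ssh_config stanza for one alias. IdentitiesOnly stops ssh from
# offering other loaded keys (such as the user's own) before the deploy key;
# otherwise the user's key may authenticate first and the deploy key is never used.
ssh_config_stanza() {
  alias_host=$1; key_file=$2
  printf 'Host %s\n' "$alias_host"
  printf '  HostName github.com\n'
  printf '  User git\n'
  printf '  PreferredAuthentications publickey\n'
  printf '  IdentitiesOnly yes\n'
  printf '  IdentityFile %s\n' "$key_file"
}

# Rewrite git@github.com:org/repo.git to use the alias host; other URLs pass through.
deploy_url() {
  url=$1; alias_host=$2
  case $url in
    git@github.com:*) printf 'git@%s:%s\n' "$alias_host" "${url#git@github.com:}" ;;
    *) printf '%s\n' "$url" ;;
  esac
}

# Create the key pair if missing (register the .pub as a read-only deploy key
# on the repository) and append the stanza only if this alias is not yet present.
# Args: alias_host key_file [config_path]
setup_site() {
  alias_host=$1; key_file=$2; config=${3:-$HOME/.ssh/config}
  [ -f "$key_file" ] || ssh-keygen -t ed25519 -N '' -C "deploy key $alias_host" -f "$key_file"
  touch "$config"
  chmod 600 "$config"
  if ! grep -qxF "Host $alias_host" "$config"; then
    ssh_config_stanza "$alias_host" "$key_file" >> "$config"
  fi
  # In the site's checkout, point origin at the alias:
  #   git remote set-url origin "$(deploy_url "$(git remote get-url origin)" "$alias_host")"
  # Check which key is in use: ssh -T "git@$alias_host" greets with the repo name.
}

# Usage: sh deploy-key.sh example.github.com ~/.ssh/example-org-id_rsa
if [ "$#" -ge 2 ]; then
  setup_site "$@"
fi
```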

But it's 2020 now...

We have better technology. If you're manually pulling your code, good for you for not using FTP, but come on. It's time to invest in hooks, and true DevOps. Start by reading up at GitHub Actions.