actions/ssh-action
1
0
Fork 0
mirror of https://github.com/appleboy/ssh-action.git synced 2025-04-07 19:21:59 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: actions:master
Branches Tags
actions:master
actions:346
actions:testing
actions:v1.2.2
actions:v1
actions:v1.2.1
actions:v1.2.0
actions:v1.1.0
actions:v1.0.3
actions:v1.0.2
actions:v1.0.1
actions:v1.0.0
actions:v0.1.10
actions:v0.1.9
actions:v0.1.8
actions:v0.1.7
actions:v0.1.6
actions:v0.1.5
actions:v0.1.4
actions:v0.1.3
actions:v0.1.2
actions:v0.1.1
actions:v0.1.0
actions:v0.0.9
actions:v0.0.8
actions:v0.0.7
actions:v0.0.6
actions:v0.0.5
actions:v0.0.4
actions:v0.0.3
actions:v0.0.2
actions:v0.0.1
..
compare: actions:v1.2.1
Branches Tags
actions:master
actions:346
actions:testing
actions:v1.2.2
actions:v1
actions:v1.2.1
actions:v1.2.0
actions:v1.1.0
actions:v1.0.3
actions:v1.0.2
actions:v1.0.1
actions:v1.0.0
actions:v0.1.10
actions:v0.1.9
actions:v0.1.8
actions:v0.1.7
actions:v0.1.6
actions:v0.1.5
actions:v0.1.4
actions:v0.1.3
actions:v0.1.2
actions:v0.1.1
actions:v0.1.0
actions:v0.0.9
actions:v0.0.8
actions:v0.0.7
actions:v0.0.6
actions:v0.0.5
actions:v0.0.4
actions:v0.0.3
actions:v0.0.2
actions:v0.0.1

No commits in common. "master" and "v1.2.1" have entirely different histories.
master ... v1.2.1

8 changed files with 224 additions and 258 deletions
Show stats Expand all files Collapse all files

2
.github/ISSUE_TEMPLATE/bug_report.md vendored
View file

@ -23,7 +23,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: executing remote ssh commands using password
uses: appleboy/ssh-action@v1.2.2
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}

32
.github/workflows/stable.yml vendored
View file

@ -31,7 +31,7 @@ jobs:
sleep 2
- name: ssh by username and password
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ env.REMOTE_HOST }}
username: linuxserver.io
@ -43,7 +43,7 @@ jobs:
whoami
- name: ssh commands from a file
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ env.REMOTE_HOST }}
username: linuxserver.io
@ -95,7 +95,7 @@ jobs:
sleep 2
- name: ssh by private key
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ env.REMOTE_HOST }}
username: linuxserver.io
@ -104,7 +104,7 @@ jobs:
script: whoami
- name: wrong password but correct key
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ env.REMOTE_HOST }}
username: linuxserver.io
@ -114,7 +114,7 @@ jobs:
script: whoami
- name: correct password but wrong key
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ env.REMOTE_HOST }}
username: linuxserver.io
@ -167,7 +167,7 @@ jobs:
sleep 2
- name: ssh key passphrase
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ env.REMOTE_HOST }}
username: linuxserver.io
@ -179,7 +179,7 @@ jobs:
ls -al
- name: missing ssh key passphrase
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
continue-on-error: true
with:
host: ${{ env.REMOTE_HOST }}
@ -192,7 +192,7 @@ jobs:
# https://github.com/appleboy/ssh-action/issues/75#issuecomment-668314271
- name: Multiline SSH commands interpreted as single lines
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ env.REMOTE_HOST }}
username: linuxserver.io
@ -269,7 +269,7 @@ jobs:
# https://github.com/appleboy/ssh-action/issues/85
- name: Deployment to multiple hosts with different ports
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: "${{ env.REMOTE_HOST_01 }}:2222,${{ env.REMOTE_HOST_02 }}:2222"
username: linuxserver.io
@ -322,7 +322,7 @@ jobs:
sleep 2
- name: testing id_ed25519 key
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ env.REMOTE_HOST }}
username: linuxserver.io
@ -375,7 +375,7 @@ jobs:
sleep 2
- name: testing id_ed25519 key
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ env.REMOTE_HOST }}
username: linuxserver.io
@ -386,7 +386,7 @@ jobs:
ls -al
- name: pass environment
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
env:
FOO: "BAR"
with:
@ -400,7 +400,7 @@ jobs:
echo "I am $BAR, thanks"
- name: pass multiple environment
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
env:
FOO: "BAR"
BAR: "FOO"
@ -419,7 +419,7 @@ jobs:
echo "port: $PORT"
- name: custom envs format
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
env:
FOO: "BAR"
AAA: "BBB"
@ -437,7 +437,7 @@ jobs:
echo "I am $TEST_AAA, thanks"
- name: pass all ENV variables to script
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
env:
INPUT_FOO: "BAR"
INPUT_AAA: "BBB"
@ -454,7 +454,7 @@ jobs:
echo "$GITHUB_REF"
- name: switch to root user
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ env.REMOTE_HOST }}
username: linuxserver.io

2
.goreleaser.yaml
View file

@ -24,5 +24,5 @@ changelog:
order: 4
- title: "Documentation updates"
regexp: ^.*?docs?(\(.+\))??!?:.+$
order: 5
order: 4
- title: Others

69
README.md
View file

@ -1,18 +1,18 @@
# 🚀 SSH for GitHub Actions
English | [繁體中文](./README.zh-tw.md) | [简体中文](./README.zh-cn.md)
[繁體中文](./README.zh-tw.md) | [简体中文](./README.zh-cn.md)
A [GitHub Action](https://github.com/features/actions) for executing remote SSH commands.
[GitHub Action](https://github.com/features/actions) for executing remote SSH commands.
![ssh workflow](./images/ssh-workflow.png)
[![testing main branch](https://github.com/appleboy/ssh-action/actions/workflows/main.yml/badge.svg)](https://github.com/appleboy/ssh-action/actions/workflows/main.yml)
This project is built with [Golang](https://go.dev) and [drone-ssh](https://github.com/appleboy/drone-ssh). 🚀
This project is built using [Golang](https://go.dev) and [drone-ssh](https://github.com/appleboy/drone-ssh). 🚀
## Input variables
Refer to [action.yml](./action.yml) for more detailed information.
See [action.yml](./action.yml) for more detailed information.
| Input Parameter | Description | Default Value |
| ------------------------- | ---------------------------------------------------------------------------------------- | ------------- |
@ -22,9 +22,9 @@ Refer to [action.yml](./action.yml) for more detailed information.
| username | SSH username | |
| password | SSH password | |
| protocol | SSH protocol version (tcp, tcp4, tcp6) | tcp |
| sync | Enable synchronous execution if multiple hosts are specified | false |
| sync | Enable synchronous execution if multiple hosts | false |
| use_insecure_cipher | Include more ciphers with use_insecure_cipher | false |
| cipher | Allowed cipher algorithms. If unspecified, sensible defaults are used | |
| cipher | Allowed cipher algorithms. If unspecified, a sensible default | |
| timeout | Timeout duration for SSH to host | 30s |
| command_timeout | Timeout duration for SSH command | 10m |
| key | Content of SSH private key. e.g., raw content of ~/.ssh/id_rsa | |
@ -44,14 +44,11 @@ Refer to [action.yml](./action.yml) for more detailed information.
| proxy_use_insecure_cipher | Include more ciphers with use_insecure_cipher for the proxy | false |
| script | Execute commands | |
| script_path | Execute commands from a file | |
| envs | Pass environment variables to the shell script | |
| envs | Pass environment variables to shell script | |
| envs_format | Flexible configuration of environment value transfer | |
| debug | Enable debug mode | false |
| allenvs | Pass the environment variables with prefix value of `GITHUB_` and `INPUT_` to the script | false |
| request_pty | Request a pseudo-terminal from the server | false |
| curl_insecure | Allow curl to connect to SSL sites without certificates | false |
**Note:** Users can add `set -e` in their shell script to achieve similar functionality to the removed `script_stop` option.
## Usage
@ -66,7 +63,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: executing remote ssh commands using password
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: linuxserver.io
@ -89,9 +86,9 @@ linuxserver.io
### Setting up a SSH Key
Follow the steps below to create and use SSH Keys.
It is best practice to create SSH Keys on your local machine, not on a remote machine.
Log in with the username specified in GitHub Secrets and generate an RSA Key-Pair:
Make sure to follow the below steps while creating SSH Keys and using them.
The best practice is create the SSH Keys on local machine not remote machine.
Login with username specified in Github Secrets. Generate a RSA Key-Pair:
### Generate rsa key
@ -105,7 +102,7 @@ ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
```
Add the newly generated key to the Authorized keys. Read more about authorized keys [here](https://www.ssh.com/ssh/authorized_keys/).
Add newly generated key into Authorized keys. Read more about authorized keys [here](https://www.ssh.com/ssh/authorized_keys/).
### Add rsa key into Authorized keys
@ -119,18 +116,18 @@ cat .ssh/id_rsa.pub | ssh b@B 'cat >> .ssh/authorized_keys'
cat .ssh/id_ed25519.pub | ssh b@B 'cat >> .ssh/authorized_keys'
```
Copy the Private Key content and paste it into GitHub Secrets.
Copy Private Key content and paste in Github Secrets.
### Copy rsa Private key
Before copying the private key, install the `clip` command as shown below:
Before copying the private key, install `clip` command as shown below:
```bash
# Ubuntu
sudo apt-get install xclip
```
Copy the private key:
copy the private key:
```bash
# macOS
@ -139,8 +136,6 @@ pbcopy < ~/.ssh/id_rsa
xclip < ~/.ssh/id_rsa
```
Starting from and including the comment section `-----BEGIN OPENSSH PRIVATE KEY-----` and ending at and including the comment section `-----END OPENSSH PRIVATE KEY-----`, copy the private key and paste it into GitHub Secrets.
### Copy ed25519 Private key
```bash
@ -150,9 +145,9 @@ pbcopy < ~/.ssh/id_ed25519
xclip < ~/.ssh/id_ed25519
```
See detailed information about [SSH login without a password](http://www.linuxproblem.org/art_9.html).
See the detail information about [SSH login without password](http://www.linuxproblem.org/art_9.html).
**Note**: Depending on your version of SSH, you might also need to make the following changes:
**A note** from one of our readers: Depending on your version of SSH you might also have to do the following changes:
- Put the public key in `.ssh/authorized_keys2`
- Change the permissions of `.ssh` to 700
@ -166,13 +161,13 @@ If you are currently using OpenSSH and are getting the following error:
ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey]
```
Ensure that your chosen key algorithm is supported. On Ubuntu 20.04 or later, you must explicitly allow the use of the ssh-rsa algorithm. Add the following line to your OpenSSH daemon file (either `/etc/ssh/sshd_config` or a drop-in file under `/etc/ssh/sshd_config.d/`):
Make sure that your key algorithm of choice is supported. On Ubuntu 20.04 or later you must explicitly allow the use of the ssh-rsa algorithm. Add the following line to your OpenSSH daemon file (which is either `/etc/ssh/sshd_config` or a drop-in file under `/etc/ssh/sshd_config.d/`):
```bash
CASignatureAlgorithms +ssh-rsa
```
Alternatively, `ed25519` keys are accepted by default in OpenSSH. You can use this instead of rsa if needed:
Alternatively, `ed25519` keys are accepted by default in OpenSSH. You could use this instead of rsa if needed:
```bash
ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
@ -184,7 +179,7 @@ ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
```yaml
- name: executing remote ssh commands using password
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
@ -197,7 +192,7 @@ ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
```yaml
- name: executing remote ssh commands using ssh key
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
@ -210,7 +205,7 @@ ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
```yaml
- name: multiple command
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
@ -227,7 +222,7 @@ ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
```yaml
- name: file commands
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
@ -240,7 +235,7 @@ ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
```diff
- name: multiple host
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
- host: "foo.com"
+ host: "foo.com,bar.com"
@ -258,7 +253,7 @@ The default value of `port` is `22`.
```diff
- name: multiple host
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
- host: "foo.com"
+ host: "foo.com:1234,bar.com:5678"
@ -273,7 +268,7 @@ The default value of `port` is `22`.
```diff
- name: multiple host
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: "foo.com,bar.com"
+ sync: true
@ -289,7 +284,7 @@ The default value of `port` is `22`.
```diff
- name: pass environment
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
+ env:
+ FOO: "BAR"
+ BAR: "FOO"
@ -336,7 +331,7 @@ Host FooServer
```diff
- name: ssh proxy command
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
@ -359,7 +354,7 @@ It is not uncommon for files to leak from backups or decommissioned hardware, an
```diff
- name: ssh key passphrase
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
@ -385,7 +380,7 @@ Now you can adjust you config:
```diff
- name: ssh key passphrase
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
@ -403,7 +398,7 @@ Now you can adjust you config:
See the [issue comment](https://github.com/appleboy/ssh-action/issues/31#issuecomment-1006565847) about interactive vs non interactive shell. Thanks @kocyigityunus for the solution.
If you are running a command in a non-interactive shell, like ssh-action, on many Linux distros,
Basically, if you are running a command in a non interactive shell, like ssh-action, on many linux distros,
`/etc/bash.bashrc` file has a specific command that returns only, so some of the files didn't run and some specific commands doesn't add to path,
@ -418,7 +413,7 @@ If you are running a command in a non-interactive shell, like ssh-action, on man
[ -z "$PS1" ] && return`
```
comment out the line that returns early, and everything should work fine. Alternatively, you can use the real paths of the commands you want to use.
just comment out the line that returns early and everything should work fine, or you can use the real paths of the commands that you would like to use.
## Contributing

154
README.zh-cn.md
View file

@ -1,8 +1,8 @@
# 🚀 用于 GitHub Actions 的 SSH
[English](./README.md) | [繁體中文](./README.zh-tw.md) | 简体中文
[English](./README.md) | [繁體中文](./README.zh-tw.md)
一个用于执行远程 SSH 命令的 [GitHub Action](https://github.com/features/actions)。
[GitHub Action](https://github.com/features/actions) 用于执行远程 SSH 命令
![ssh workflow](./images/ssh-workflow.png)
@ -12,7 +12,7 @@
## 输入变量
有关更详细的信息,请参阅 [action.yml](./action.yml)。
更详细的信息,请参考 [action.yml](./action.yml)。
| 输入参数 | 描述 | 默认值 |
| ------------------------- | ----------------------------------------------------- | ------ |
@ -22,9 +22,9 @@
| username | SSH 用户名 | |
| password | SSH 密码 | |
| protocol | SSH 协议版本tcp, tcp4, tcp6 | tcp |
| sync | 如果指定了多个主机,则启用同步执行 | false |
| sync | 如果有多个主机,启用同步执行 | false |
| use_insecure_cipher | 使用不安全的密码算法 | false |
| cipher | 允许的密码算法。如果未指定,则使用适当的默认值 | |
| cipher | 允许的密码算法。如果未指定,则使用适当的算法 | |
| timeout | SSH 连接到主机的超时时间 | 30s |
| command_timeout | SSH 命令的超时时间 | 10m |
| key | SSH 私钥的内容,例如 ~/.ssh/id_rsa 的原始内容 | |
@ -49,13 +49,10 @@
| debug | 启用调试模式 | false |
| allenvs | 将带有 `GITHUB_``INPUT_` 前缀的环境变量传递给脚本 | false |
| request_pty | 请求伪终端 | false |
| curl_insecure | 在 curl 中使用不安全的证书验证 | false |
**注意:** 用户可以在他们的 shell 脚本中添加 `set -e` 以实现类似于已删除的 `script_stop` 选项的功能。
## 使用方法
执行远程 SSH 命令
执行远程 SSH 命令
```yaml
name: remote ssh command
@ -66,22 +63,22 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: executing remote ssh commands using password
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: linuxserver.io
username: ${{ secrets.USERNAME }}
password: ${{ secrets.PASSWORD }}
port: ${{ secrets.PORT }}
script: whoami
```
输出
画面输出
```sh
======CMD======
whoami
======END======
linuxserver.io
out: ***
===============================================
✅ Successfully executed commands to all hosts.
===============================================
@ -89,20 +86,18 @@ linuxserver.io
### 设置 SSH 密钥
请按照以下步骤创建和使用 SSH 密钥。
最佳做法是在本地机器上创建 SSH 密钥,而不是在远程机器上。
使用 GitHub Secrets 中指定的用户名登录并生成 RSA 密钥对:
请在创建 SSH 密钥并使用 SSH 密钥时遵循以下步骤。最佳做法是在本地机器上创建 SSH 密钥而不是远程机器上。请使用 Github Secrets 中指定的用户名登录。生成 RSA 密钥:
### 生成 RSA 密钥
```bash
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
ssh-keygen -t rsa -b 4096 -C ”your_email@example.com“
```
### 生成 ed25519 密钥
```bash
ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
ssh-keygen -t ed25519 -a 200 -C ”your_email@example.com“
```
将新生成的密钥添加到已授权的密钥中。详细了解已授权的密钥请点[此处](https://www.ssh.com/ssh/authorized_keys/)。
@ -110,49 +105,32 @@ ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
### 将 RSA 密钥添加到已授权密钥中
```bash
cat .ssh/id_rsa.pub | ssh b@B 'cat >> .ssh/authorized_keys'
cat .ssh/id_rsa.pub | ssh b@B cat >> .ssh/authorized_keys
```
### 将 ed25519 密钥添加到已授权密钥中
```bash
cat .ssh/id_ed25519.pub | ssh b@B 'cat >> .ssh/authorized_keys'
cat .ssh/id_ed25519.pub | ssh b@B cat >> .ssh/authorized_keys
```
复制私钥内容,然后将其粘贴到 GitHub Secrets 中。
复制私钥内容,然后将其粘贴到 Github Secrets 中。
### 复制 RSA 私钥内容
在复制私钥之前,按照以下步骤安装 `clip` 命令:
### 复制 rsa 私钥内容
```bash
# Ubuntu
sudo apt-get install xclip
clip < ~/.ssh/id_rsa
```
复制私钥:
```bash
# macOS
pbcopy < ~/.ssh/id_rsa
# Ubuntu
xclip < ~/.ssh/id_rsa
```
从包含注释部分 `-----BEGIN OPENSSH PRIVATE KEY-----` 开始,到包含注释部分 `-----END OPENSSH PRIVATE KEY-----` 结束,复制私钥并将其粘贴到 GitHub Secrets 中。
### 复制 ed25519 私钥内容
```bash
# macOS
pbcopy < ~/.ssh/id_ed25519
# Ubuntu
xclip < ~/.ssh/id_ed25519
clip < ~/.ssh/id_ed25519
```
有关无需密码登录 SSH 的详细信息,请[见该网站](http://www.linuxproblem.org/art_9.html)。
**注意**根据您的 SSH 版本,您可能还需要进行以下更改:
**来自读者的注意事项** 根据您的 SSH 版本,您可能还需要进行以下更改:
- 将公钥放在 `.ssh/authorized_keys2`
- 将 `.ssh` 的权限更改为 700
@ -166,25 +144,25 @@ xclip < ~/.ssh/id_ed25519
ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey]
```
请确保您所选择的密钥算法得到支持。在 Ubuntu 20.04 或更高版本上,您必须明确允许使用 ssh-rsa 算法。请在 OpenSSH 守护进程文件中添加以下行(它可以是 `/etc/ssh/sshd_config``/etc/ssh/sshd_config.d/` 中的一个附加文件):
请确保您所选择的密钥算法得到支持。在 Ubuntu 20.04 或更高版本上,您必须明确允许使用 SSH-RSA 算法。请在 OpenSSH 守护进程文件中添加以下行(它可以是 `/etc/ssh/sshd_config``/etc/ssh/sshd_config.d/` 中的一个附加文件):
```bash
CASignatureAlgorithms +ssh-rsa
```
或者,`ed25519` 密钥在 OpenSSH 中默认被接受。如果需要,您可以使用它来替代 RSA
或者,`Ed25519` 密钥在 OpenSSH 中默认被接受。如果需要,您可以使用它来替代 RSA。
```bash
ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
ssh-keygen -t ed25519 -a 200 -C ”your_email@example.com“
```
### 示例
### Example
#### 使用密码执行远程 SSH 命令
```yaml
- name: executing remote ssh commands using password
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
@ -197,7 +175,7 @@ ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
```yaml
- name: executing remote ssh commands using ssh key
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
@ -210,7 +188,7 @@ ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
```yaml
- name: multiple command
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
@ -223,27 +201,14 @@ ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
![result](./images/output-result.png)
#### 从文件执行命令
```yaml
- name: file commands
uses: appleboy/ssh-action@v1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
key: ${{ secrets.KEY }}
port: ${{ secrets.PORT }}
script_path: scripts/script.sh
```
#### 多台主机
```diff
- name: multiple host
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
- host: "foo.com"
+ host: "foo.com,bar.com"
- host: ”foo.com“
+ host: ”foo.com,bar.com“
username: ${{ secrets.USERNAME }}
key: ${{ secrets.KEY }}
port: ${{ secrets.PORT }}
@ -252,16 +217,27 @@ ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
ls -al
```
默认的 `port` 值是 `22`
#### Commands from a file
```yaml
- name: file commands
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
key: ${{ secrets.KEY }}
port: ${{ secrets.PORT }}
script_path: scripts/script.sh
```
#### 多个不同端口的主机
```diff
- name: multiple host
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
- host: "foo.com"
+ host: "foo.com:1234,bar.com:5678"
- host: ”foo.com“
+ host: ”foo.com:1234,bar.com:5678“
username: ${{ secrets.USERNAME }}
key: ${{ secrets.KEY }}
script: |
@ -273,9 +249,9 @@ ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
```diff
- name: multiple host
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: "foo.com,bar.com"
host: ”foo.com,bar.com“
+ sync: true
username: ${{ secrets.USERNAME }}
key: ${{ secrets.KEY }}
@ -285,14 +261,14 @@ ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
ls -al
```
#### 将环境变量传递到 shell 脚本
#### 将环境变量传递到 Shell 脚本
```diff
- name: pass environment
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
+ env:
+ FOO: "BAR"
+ BAR: "FOO"
+ FOO: ”BAR“
+ BAR: ”FOO“
+ SHA: ${{ github.sha }}
with:
host: ${{ secrets.HOST }}
@ -301,9 +277,9 @@ ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
port: ${{ secrets.PORT }}
+ envs: FOO,BAR,SHA
script: |
echo "I am $FOO"
echo "I am $BAR"
echo "sha: $SHA"
echo ”I am $FOO“
echo ”I am $BAR“
echo ”sha: $SHA“
```
_在 `env` 对象中,您需要将每个环境变量作为字符串传递,传递 `Integer` 数据类型或任何其他类型可能会产生意外结果。_
@ -311,9 +287,9 @@ _在 `env` 对象中,您需要将每个环境变量作为字符串传递,传
#### 如何使用 `ProxyCommand` 连接远程服务器?
```bash
+--------+ +----------+ +-----------+
| Laptop | <--> | Jumphost | <--> | FooServer |
+--------+ +----------+ +-----------+
+———+ +-———+ +————+
| Laptop | <—> | Jumphost | <—> | FooServer |
+———+ +-———+ +————+
```
在您的 `~/.ssh/config` 文件中,您会看到以下内容。
@ -336,7 +312,7 @@ Host FooServer
```diff
- name: ssh proxy command
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
@ -351,13 +327,13 @@ Host FooServer
ls -al
```
#### 保护私钥
#### 如何保护私钥
密码短语通常用于加密私钥。这使得密钥文件本身对攻击者无用。文件泄露可能来自备份或停用的硬件,黑客通常可以从受攻击系统中泄露文件。
密码短语通常用于加密私钥。这使得攻击者无法单独使用密钥文件。文件泄露可能来自备份或停用的硬件,黑客通常可以从受攻击系统中泄露文件。因此,保护私钥非常重要。
```diff
- name: ssh key passphrase
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
@ -373,17 +349,17 @@ Host FooServer
设置 SSH 主机指纹验证可以帮助防止中间人攻击。在设置之前,运行以下命令以获取 SSH 主机指纹。请记得将 `ed25519` 替换为您适当的密钥类型(`rsa``dsa`等),而 `example.com` 则替换为您的主机。
在现代 OpenSSH 版本中,默认提取的密钥类型是 `rsa`(从版本 5.1 开始)、`ecdsa`(从版本 6.0 开始)和 `ed25519`(从版本 6.7 开始)。
现代 OpenSSH 版本中,需要提取的**默认密钥**类型是 `rsa`(从版本 5.1 开始)、`ecdsa`(从版本 6.0 开始)和 `ed25519`(从版本 6.7 开始)。
```sh
ssh example.com ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub | cut -d ' ' -f2
ssh example.com ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub | cut -d -f2
```
现在您可以调整您的配置:
```diff
- name: ssh key passphrase
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
@ -401,4 +377,4 @@ ssh example.com ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub | cut -d ' '
## 授权方式
本项目中的脚本和文档采用 [MIT 许可证](LICENSE) 发布。
本项目中的脚本和文档采用 [MIT](LICENSE) 许可证 发布。

58
README.zh-tw.md
View file

@ -1,6 +1,6 @@
# 🚀 GitHub Actions 的 SSH
[English](./README.md) | 繁體中文 | [简体中文](./README.zh-cn.md)
[English](./README.md) | [简体中文](./README.zh-cn.md)
[GitHub Action](https://github.com/features/actions) 用於執行遠端 SSH 命令。
@ -49,9 +49,6 @@
| debug | 啟用調試模式 | false |
| allenvs | 將帶有 `GITHUB_``INPUT_` 前綴的環境變數傳遞給腳本 | false |
| request_pty | 從伺服器請求偽終端 | false |
| curl_insecure | 在 curl 命令中使用不安全的 SSL 證書驗證 | false |
**注意:** 用戶可以在他們的 shell 腳本中添加 `set -e` 以實現類似於已刪除的 `script_stop` 選項的功能。
## 用法
@ -66,10 +63,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: executing remote ssh commands using password
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: linuxserver.io
username: ${{ secrets.USERNAME }}
password: ${{ secrets.PASSWORD }}
port: ${{ secrets.PORT }}
script: whoami
@ -81,7 +78,7 @@ jobs:
======CMD======
whoami
======END======
linuxserver.io
out: ***
===============================================
✅ Successfully executed commands to all hosts.
===============================================
@ -121,36 +118,19 @@ cat .ssh/id_ed25519.pub | ssh b@B 'cat >> .ssh/authorized_keys'
### 複製 rsa 私鑰內容
在複製私鑰之前,請按照以下說明安裝 `clip` 命令:
```bash
# Ubuntu
sudo apt-get install xclip
clip < ~/.ssh/id_rsa
```
複製私鑰:
```bash
# macOS
pbcopy < ~/.ssh/id_rsa
# Ubuntu
xclip < ~/.ssh/id_rsa
```
從包含註釋部分 `-----BEGIN OPENSSH PRIVATE KEY-----` 開始,到包含註釋部分 `-----END OPENSSH PRIVATE KEY-----` 結束,複製私鑰並將其粘貼到 GitHub Secrets 中。
### 複製 ed25519 私鑰內容
```bash
# macOS
pbcopy < ~/.ssh/id_ed25519
# Ubuntu
xclip < ~/.ssh/id_ed25519
clip < ~/.ssh/id_ed25519
```
有關無需密碼登錄 SSH 的詳細信息,請[參見該網站](http://www.linuxproblem.org/art_9.html)。
**注意**根據您的 SSH 版本,您可能還需要進行以下更改:
**來自讀者的注意事項** 根據您的 SSH 版本,您可能還需要進行以下更改:
- 將公鑰放在 `.ssh/authorized_keys2`
- 將 `.ssh` 的權限更改為 700
@ -182,7 +162,7 @@ ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
```yaml
- name: executing remote ssh commands using password
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
@ -195,7 +175,7 @@ ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
```yaml
- name: executing remote ssh commands using ssh key
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
@ -208,7 +188,7 @@ ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
```yaml
- name: multiple command
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
@ -221,11 +201,11 @@ ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
![result](./images/output-result.png)
#### 從文件中執行命令
#### Commands from a file
```yaml
- name: file commands
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
@ -238,7 +218,7 @@ ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
```diff
- name: multiple host
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
- host: "foo.com"
+ host: "foo.com,bar.com"
@ -254,7 +234,7 @@ ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
```diff
- name: multiple host
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
- host: "foo.com"
+ host: "foo.com:1234,bar.com:5678"
@ -269,7 +249,7 @@ ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
```diff
- name: multiple host
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: "foo.com,bar.com"
+ sync: true
@ -285,7 +265,7 @@ ssh-keygen -t ed25519 -a 200 -C "your_email@example.com"
```diff
- name: pass environment
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
+ env:
+ FOO: "BAR"
+ BAR: "FOO"
@ -332,7 +312,7 @@ Host FooServer
```diff
- name: ssh proxy command
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
@ -353,7 +333,7 @@ Host FooServer
```diff
- name: ssh key passphrase
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
@ -379,7 +359,7 @@ ssh example.com ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub | cut -d ' '
```diff
- name: ssh key passphrase
uses: appleboy/ssh-action@v1
uses: appleboy/ssh-action@v1.2.1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}

74
action.yml
View file

@ -3,88 +3,85 @@ description: "Executing remote ssh commands"
author: "Bo-Yi Wu"
inputs:
host:
description: "SSH host address or IP to connect to."
description: "SSH host address."
port:
description: "SSH port number for the connection."
description: "SSH port number."
default: "22"
passphrase:
description: "Passphrase to decrypt the SSH private key if protected."
description: "Passphrase for the SSH key."
username:
description: "SSH username for authentication on the remote server."
description: "SSH username."
password:
description: "SSH password for authentication (use secrets for sensitive data)."
description: "SSH password."
protocol:
description: 'IP protocol version to use. Options: "tcp" (default), "tcp4" (IPv4 only), or "tcp6" (IPv6 only).'
description: 'The IP protocol to use. Valid values are "tcp". "tcp4" or "tcp6". Default to tcp.'
default: "tcp"
sync:
description: "When true, executes commands synchronously across multiple hosts (one after another)."
description: "Enable synchronous execution if multiple hosts are involved."
use_insecure_cipher:
description: "Enable additional legacy ciphers that might be less secure but more compatible with older systems."
description: "Include more ciphers by using insecure ciphers."
cipher:
description: "Specify custom cipher algorithms for encryption. Leave empty to use secure defaults."
description: "Allowed cipher algorithms. If unspecified, a sensible default is used."
timeout:
description: "Maximum time to wait when establishing the SSH connection, e.g., '30s', '1m'."
description: "Timeout duration for establishing SSH connection to the host."
default: "30s"
command_timeout:
description: "Maximum execution time for the remote commands before terminating, e.g., '10m', '1h'."
description: "Timeout duration for SSH commands execution."
default: "10m"
key:
description: "Raw content of the SSH private key for authentication (use secrets for sensitive data)."
description: "Content of the SSH private key. For example, the raw content of ~/.ssh/id_rsa."
key_path:
description: "Path to the SSH private key file on the runner."
description: "Path to the SSH private key file."
fingerprint:
description: "SHA256 fingerprint of the host public key for verification to prevent MITM attacks."
description: "SHA256 fingerprint of the host public key."
proxy_host:
description: "Proxy server hostname or IP if connecting through an SSH jump host."
description: "SSH proxy host address."
proxy_port:
description: "SSH port number for the proxy connection."
description: "SSH proxy port number."
default: "22"
proxy_username:
description: "Username for authentication on the proxy server."
description: "SSH proxy username."
proxy_password:
description: "Password for authentication on the proxy server (use secrets for sensitive data)."
description: "SSH proxy password."
proxy_protocol:
description: 'IP protocol version for proxy. Options: "tcp" (default), "tcp4" (IPv4 only), or "tcp6" (IPv6 only).'
description: 'The IP protocol to use. Valid values are "tcp". "tcp4" or "tcp6". Default to tcp.'
default: "tcp"
proxy_passphrase:
description: "Passphrase to decrypt the proxy SSH private key if protected."
description: "SSH proxy key passphrase."
proxy_timeout:
description: "Maximum time to wait when establishing the proxy SSH connection, e.g., '30s', '1m'."
description: "Timeout duration for establishing SSH connection to the proxy host."
default: "30s"
proxy_key:
description: "Raw content of the SSH proxy private key for authentication (use secrets for sensitive data)."
description: "Content of the SSH proxy private key. For example, the raw content of ~/.ssh/id_rsa."
proxy_key_path:
description: "Path to the SSH proxy private key file on the runner."
description: "Path to the SSH proxy private key file."
proxy_fingerprint:
description: "SHA256 fingerprint of the proxy host public key for verification."
description: "SHA256 fingerprint of the proxy host public key."
proxy_cipher:
description: "Specify custom cipher algorithms for proxy connection encryption."
description: "Allowed cipher algorithms for the proxy. If unspecified, a sensible default is used."
proxy_use_insecure_cipher:
description: "Enable additional legacy ciphers for proxy connections (less secure but more compatible)."
description: "Include more ciphers for the proxy by using insecure ciphers."
script:
description: "Commands to execute on the remote server (inline script string)."
description: "Commands to be executed."
script_path:
description: "Path to a local file containing commands to execute on the remote server."
description: "Path to the file containing commands to be executed."
envs:
description: "Environment variables to expose to the remote script, format: key=value,key2=value2."
description: "Environment variables to be passed to the shell script."
envs_format:
description: "Format specification for environment variable transfer (for advanced usage)."
description: "Flexible configuration for environment value transfer."
debug:
description: "Set to true to enable verbose logging for troubleshooting connection issues."
description: "Enable debug mode."
allenvs:
description: "When true, passes all GitHub Actions environment variables to the remote script."
description: "pass all environment variable to shell script."
request_pty:
description: "Request a pseudo-terminal from the server (required for interactive commands or sudo)."
curl_insecure:
description: "When true, uses the --insecure option with curl for insecure downloads."
default: "false"
description: "Request a pseudo-terminal from the server."
capture_stdout:
description: "When true, captures and returns standard output from the commands as action output."
description: "Capture the stdout of the commands."
default: "false"
outputs:
stdout:
description: "Standard output of the executed commands when capture_stdout is enabled."
description: 'Standard output of the executed commands.'
value: ${{ steps.entrypoint.outputs.stdout }}
runs:
@ -134,7 +131,6 @@ runs:
INPUT_PROXY_CIPHER: ${{ inputs.proxy_cipher }}
INPUT_SYNC: ${{ inputs.sync }}
INPUT_CAPTURE_STDOUT: ${{ inputs.capture_stdout }}
INPUT_CURL_INSECURE: ${{ inputs.curl_insecure }}
branding:
icon: "terminal"

91
entrypoint.sh
View file

@ -8,51 +8,70 @@ export GITHUB="true"
GITHUB_ACTION_PATH="${GITHUB_ACTION_PATH%/}"
DRONE_SSH_RELEASE_URL="${DRONE_SSH_RELEASE_URL:-https://github.com/appleboy/drone-ssh/releases/download}"
DRONE_SSH_VERSION="${DRONE_SSH_VERSION:-1.8.1}"
function log_error() {
echo "$1" >&2
exit "$2"
}
DRONE_SSH_VERSION="${DRONE_SSH_VERSION:-1.8.0}"
function detect_client_info() {
CLIENT_PLATFORM="${SSH_CLIENT_OS:-$(uname -s | tr '[:upper:]' '[:lower:]')}"
CLIENT_ARCH="${SSH_CLIENT_ARCH:-$(uname -m)}"
if [ -n "${SSH_CLIENT_OS-}" ]; then
CLIENT_PLATFORM="${SSH_CLIENT_OS}"
else
local kernel
kernel="$(uname -s)"
case "${kernel}" in
Darwin)
CLIENT_PLATFORM="darwin"
;;
Linux)
CLIENT_PLATFORM="linux"
;;
Windows)
CLIENT_PLATFORM="windows"
;;
*)
echo "Unknown, unsupported platform: ${kernel}." >&2
echo "Supported platforms: Linux, Darwin and Windows." >&2
echo "Bailing out." >&2
exit 2
;;
esac
fi
case "${CLIENT_PLATFORM}" in
darwin | linux | windows) ;;
*) log_error "Unknown or unsupported platform: ${CLIENT_PLATFORM}. Supported platforms are Linux, Darwin, and Windows." 2 ;;
esac
case "${CLIENT_ARCH}" in
x86_64* | i?86_64* | amd64*) CLIENT_ARCH="amd64" ;;
aarch64* | arm64*) CLIENT_ARCH="arm64" ;;
*) log_error "Unknown or unsupported architecture: ${CLIENT_ARCH}. Supported architectures are x86_64, i686, and arm64." 3 ;;
esac
if [ -n "${SSH_CLIENT_ARCH-}" ]; then
CLIENT_ARCH="${SSH_CLIENT_ARCH}"
else
local machine
machine="$(uname -m)"
case "${machine}" in
x86_64* | i?86_64* | amd64*)
CLIENT_ARCH="amd64"
;;
aarch64* | arm64*)
CLIENT_ARCH="arm64"
;;
*)
echo "Unknown, unsupported architecture (${machine})." >&2
echo "Supported architectures x86_64, i686, arm64." >&2
echo "Bailing out." >&2
exit 3
;;
esac
fi
}
detect_client_info
DOWNLOAD_URL_PREFIX="${DRONE_SSH_RELEASE_URL}/v${DRONE_SSH_VERSION}"
CLIENT_BINARY="drone-ssh-${DRONE_SSH_VERSION}-${CLIENT_PLATFORM}-${CLIENT_ARCH}"
TARGET="${GITHUB_ACTION_PATH}/${CLIENT_BINARY}"
echo "Downloading ${CLIENT_BINARY} from ${DOWNLOAD_URL_PREFIX}"
INSECURE_OPTION=""
if [[ "${INPUT_CURL_INSECURE}" == 'true' ]]; then
INSECURE_OPTION="--insecure"
fi
echo "Will download ${CLIENT_BINARY} from ${DOWNLOAD_URL_PREFIX}"
curl -fsSL --retry 5 --keepalive-time 2 "${DOWNLOAD_URL_PREFIX}/${CLIENT_BINARY}" -o ${TARGET}
chmod +x ${TARGET}
curl -fsSL --retry 5 --keepalive-time 2 ${INSECURE_OPTION} "${DOWNLOAD_URL_PREFIX}/${CLIENT_BINARY}" -o "${TARGET}"
chmod +x "${TARGET}"
echo "======= CLI Version Information ======="
"${TARGET}" --version
echo "======================================="
if [[ "${INPUT_CAPTURE_STDOUT}" == 'true' ]]; then
{
echo 'stdout<<EOF'
"${TARGET}" "$@" | tee -a "${GITHUB_OUTPUT}"
echo 'EOF'
} >>"${GITHUB_OUTPUT}"
echo "======= CLI Version ======="
sh -c "${TARGET} --version" # print version
echo "==========================="
if [[ "$INPUT_CAPTURE_STDOUT" == 'true' ]]; then
echo 'stdout<<EOF' >> $GITHUB_OUTPUT # use heredoc for multiline output
sh -c "${TARGET} $*" | tee -a $GITHUB_OUTPUT # run the command
echo 'EOF' >> $GITHUB_OUTPUT
else
"${TARGET}" "$@"
sh -c "${TARGET} $*" # run the command
fi