Doesn't work for self-hosted runners that are nobodies (no `passwd` entry)

[javbit]

The use of os.userInfo().homedir depends on a /etc/passwd entry, which in some hardened setups may not exist. os.homedir(), which just depends on $HOME, is more more likely to be right.

For example, it thinks my user's home is / which is breaking things when my runtime home is actually /run/github-runner/runner-2.

[javbit]

I'm working on a PR to handle this issue, will link when ready.

[javbit]

I made a PR, and it solves the immediate failure case. However, I'm now seeing the following error:

Run git clone git@github.com:javbit/foo.git
  shell: /bin/bash -e {0}
  env:
    SSH_AUTH_SOCK: /tmp/ssh-XXXXXX9t0fhl/agent.561530
    SSH_AGENT_PID: 561531
Cloning into 'foo'...
ssh: Could not resolve hostname key-fd80f028b988cd54b2c736f6496796d4d46383315756a21b9cbba1b1b7928385.github.com: Name or service not known
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Error: Process completed with exit code 128.

(Edited slightly for clarity and confidentiality. Namely condensed list of private repositories to the single foo.)

I've added the GitHub host key to my ssh known hosts before running this step, so I think that should be good.

      - run: >
          echo github.com
          ssh-ed25519
          AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
          >> "$HOME/.ssh/known_hosts"

I only set ED25519 deploy keys so I didn't add the other host keys.

Any idea what's going on? Name resolution seems fine when I ping github.com, but doesn't work for the key-*.github.com one, both on my CI machine and my local.

Seems to be caused by this:

ssh-agent/index.js

Lines 71 to 73 in d4b9b8f

	child_process.execSync(`${gitCmd} config --global --replace-all url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "https://github.com/${ownerAndRepo}"`);
	child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "git@github.com:${ownerAndRepo}"`);
	child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "ssh://git@github.com/${ownerAndRepo}"`);

[javbit]

Never mind, I missed this important section right after!

ssh-agent/index.js

Lines 71 to 78 in d4b9b8f

	child_process.execSync(`${gitCmd} config --global --replace-all url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "https://github.com/${ownerAndRepo}"`);
	child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "git@github.com:${ownerAndRepo}"`);
	child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "ssh://git@github.com/${ownerAndRepo}"`);
	const sshConfig = `\nHost key-${sha256}.github.com\n`
	+ ` HostName github.com\n`
	+ ` IdentityFile ${homeSsh}/key-${sha256}\n`
	+ ` IdentitiesOnly yes\n`;

I see what's going on now, and am trying to figure out why ssh isn't picking this config up.

[javbit]

Resolution was to manually set the Git SSH command to reference the config file that was generated. I'll add this to my PR.

git config --global core.sshCommand "ssh -F $HOME/.ssh//config"

[mpdude]

Using os.userInfo().homedir instead of the $HOME env var was necessary to make this action run in Docker-based Action runs in the first place. From memory, it may be the case that in Docker containers $HOME points to... something.

The ssh binary will use the getpwuid() system call to look up the user's home directory from the password database, and use this directory to locate config files (see https://github.com/openssh/openssh-portable/blob/826483d51a9fee60703298bbf839d9ce37943474/ssh.c#L710).

When I try to run ssh in an Ubuntu 22.04 Docker container started with a user ID that has no /etc/passwd entry, ssh immediately fails with No user exists for uid ....

Closing since I do not see right now how we could support this without breaking Docker-based action runs in general (#20).

[mpdude]

Can you explain why ssh works in the first place when no entry in /etc/passwd is present for the user?