master
Usage
Extending
Git authentication with SSH keys
When using environment variables to set up the Git authentication, the remote Git repository will automatically be accessed via https, independently of the
repositoryUrl format configured in the semantic-release Configuration (the format will be automatically converted as needed).Alternatively the Git repository can be accessed via SSH by creating SSH keys, adding the public one to your Git hosted account and making the private one available on the CI environment.
Note: SSH keys allow to push the Git release tag associated to the released version. Some plugins might also require an API token. See each plugin documentation for additional information.
Generating the SSH keys
In your local repository root:
1
$ ssh-keygen -t rsa -b 4096 -C "<your_email>" -f git_deploy_key -N "<ssh_passphrase>"
Copied!
your_email must be the email associated with your Git hosted account. ssh_passphrase must be a long and hard to guess string. It will be used later.This will generate a public key in
git_deploy_key.pub and a private key in git_deploy_key.Adding the SSH public key to the Git hosted account
Step by step instructions are provided for the following Git hosted services:
Adding the SSH public key to GitHub
Open the
git_deploy_key.pub file (public key) and copy the entire content.In GitHub Settings, click on SSH and GPG keys in the sidebar, then on the New SSH Key button.
Paste the entire content of
git_deploy_key.pub file (public key) and click the Add SSH Key button.Delete the
git_deploy_key.pub file:1
$ rm git_deploy_key.pub
Copied!
Adding the SSH private key to the CI environment
In order to be available on the CI environment, the SSH private key must be encrypted, committed to the Git repository and decrypted by the CI service.
Step by step instructions are provided for the following environments:
Adding the SSH private key to Travis CI
1
$ gem install travis
Copied!
1
$ travis login
Copied!
Add the environment variable
SSH_PASSPHRASE to Travis with the value set during the SSH keys generation step:1
$ travis env set SSH_PASSPHRASE <ssh_passphrase>
Copied!
​Encrypt the
git_deploy_key (private key) using a symmetric encryption (AES-256), and store the secret in a secure environment variable in the Travis environment:1
$ travis encrypt-file git_deploy_key
Copied!
The
travis encrypt-file will encrypt the private key into the git_deploy_key.enc file and output in the console the command to add to your .travis.yml file. It should look like openssl aes-256-cbc -K $encrypted_KKKKKKKKKKKK_key -iv $encrypted_VVVVVVVVVVVV_iv -in git_deploy_key.enc -out git_deploy_key -d.Copy this command to your
.travis.yml file in the before_install step. Change the output path to write the unencrypted key in /tmp: -out git_deploy_key => /tmp/git_deploy_key. This will avoid to commit / modify / delete the unencrypted key by mistake on the CI. Then add the commands to decrypt the ssh private key and make it available to git:1
before_install:
2
# Decrypt the git_deploy_key.enc key into /tmp/git_deploy_key
3
- openssl aes-256-cbc -K $encrypted_KKKKKKKKKKKK_key -iv $encrypted_VVVVVVVVVVVV_iv -in git_deploy_key.enc -out /tmp/git_deploy_key -d
4
# Make sure only the current user can read the private key
5
- chmod 600 /tmp/git_deploy_key
6
# Create a script to return the passphrase environment variable to ssh-add
7
- echo 'echo ${SSH_PASSPHRASE}' > /tmp/askpass && chmod +x /tmp/askpass
8
# Start the authentication agent
9
- eval "$(ssh-agent -s)"
10
# Add the key to the authentication agent
11
- DISPLAY=":0.0" SSH_ASKPASS="/tmp/askpass" setsid ssh-add /tmp/git_deploy_key </dev/null
Copied!
Delete the local private key as it won't be used anymore:
1
$ rm git_deploy_key
Copied!
Commit the encrypted private key and the
.travis.yml file to your repository:1
$ git add git_deploy_key.enc .travis.yml
2
$ git commit -m "ci(travis): Add the encrypted private ssh key"
3
$ git push
Copied!
Adding the SSH private key to Circle CI
First we encrypt the
git_deploy_key (private key) using a symmetric encryption (AES-256). Run the following openssl command and make sure to note the output which we'll need later:1
$ openssl aes-256-cbc -e -p -in git_deploy_key -out git_deploy_key.enc -K `openssl rand -hex 32` -iv `openssl rand -hex 16`
2
salt=SSSSSSSSSSSSSSSS
3
key=KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK
4
iv =VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
Copied!
REPO_ENC_KEY- thekey(KKK) value from theopensslstep above.REPO_ENC_IV- theiv(VVV) value from theopensslstep above.
Then add to your
.circleci/config.yml the commands to decrypt the ssh private key and make it available to git:1
version: 2
2
jobs:
3
coverage_test_publish:
4
# docker, working_dir, etc
5
steps:
6
- run:
7
# Decrypt the git_deploy_key.enc key into /tmp/git_deploy_key
8
- openssl aes-256-cbc -d -K $REPO_ENC_KEY -iv $REPO_ENC_IV -in git_deploy_key.enc -out /tmp/git_deploy_key
9
# Make sure only the current user can read the private key
10
- chmod 600 /tmp/git_deploy_key
11
# Create a script to return the passphrase environment variable to ssh-add
12
- echo 'echo ${SSL_PASSPHRASE}' > /tmp/askpass && chmod +x /tmp/askpass
13
# Start the authentication agent
14
- eval "$(ssh-agent -s)"
15
# Add the key to the authentication agent
16
- DISPLAY=":0.0" SSH_ASKPASS="/tmp/askpass" setsid ssh-add /tmp/git_deploy_key </dev/null
17
# checkout, restore_cache, run: yarn install, save_cache, etc.
18
# Run semantic-release after all the above is set.
Copied!
The unencrypted key is written to
/tmp to avoid to commit / modify / delete the unencrypted key by mistake on the CI environment.Delete the local private key as it won't be used anymore:
1
$ rm git_deploy_key
Copied!
Commit the encrypted private key and the
.circleci/config.yml file to your repository:1
$ git add git_deploy_key.enc .circleci/config.yml
2
$ git commit -m "ci(circle): Add the encrypted private ssh key"
3
$ git push
Copied!
Last modified 16d ago