2

I'm using a custom pre-commit hook that's in a private repo.

  - repo: git@github.com:username/precommit-hooks.git
    rev: v0.0.1
    hooks:
      - id: check-security

I run it in a github action

      - name: Run pre-commit on changed files
        run: |
          pip install pre-commit
          pre-commit run --from-ref origin/HEAD --to-ref HEAD

But it errors for credential failure, but shouldn't checkout persist-credentials?

The auth token is persisted in the local git config. This enables your scripts to run authenticated git commands. The token is removed during post-job cleanup. Set persist-credentials: false to opt-out.

[INFO] Initializing environment for git@github.com:homer/precommit-hooks.git.
An unexpected error has occurred: CalledProcessError: command: ('/usr/bin/git', 'fetch', 'origin', '--tags')
return code: 128
stdout: (none)
stderr:
    git@github.com: Permission denied (publickey).
    fatal: Could not read from remote repository.
    
    Please make sure you have the correct access rights
    and the repository exists.

What's a good way to configure SSH creds?

tgk
  • 3,857
  • 2
  • 27
  • 42

1 Answers1

1

if you're cloning over ssh you will need to have an ssh key

the persist-credentials are for the repository under test (and are a short-lived github app token not an ssh token) -- the very same that's present in ${{ github.token }} or ${{ secrets.GITHUB_TOKEN }}

if you need an ssh key, you'll need to set one up and add it, probably through a github actions secret

here's an (untested) idea -- (I adapted this from a gpg-based secret) -- I don't think you need the public key but if you do you could utilize the same approach:

        install --directory ~/.ssh --mode 700
        base64 -d <<< '${{ secrets.SSH_PRIVATE }}' > ~/.ssh/id_rsa
        chmod 600 ~/.ssh/*

then store the secret as a base64'd secret

another approach would be to utilize insteadOf to rewrite ssh urls to https urls the proper credentials attached -- though I haven't done that so you'd have to figure that out

disclaimer: I wrote pre-commit, though in fairness this problem has nothing to do with pre-commit

anthony sottile
  • 61,815
  • 15
  • 148
  • 207
  • i like these suggestions, I will try, thank you @anthony for taking the time to look at this – tgk Jan 05 '23 at 01:00