Using SSH Mounts with GitHub Actions for Docker Builds

If you're using [GitHub secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets) and need to handle multi-line value, you will need to place the key-value pair between quotes: ```yaml secrets: | "MYSECRET=${{ secrets.GPG_KEY }}" GIT_AUTH_TOKEN=abcdefghi,jklmno=0123456789 "MYSECRET=aaaaaaaa bbbbbbb ccccccccc" FOO=bar "EMPTYLINE=aaaa bbbb ccc" "JSON_SECRET={""key1"":""value1"",""key2"":""value2""}" ``` | Key | Value | | ---------------- | ----------------------------------- | | `MYSECRET` | `***********************` | | `GIT_AUTH_TOKEN` | `abcdefghi,jklmno=0123456789` | | `MYSECRET` | `aaaaaaaa\nbbbbbbb\nccccccccc` | | `FOO` | `bar` | | `EMPTYLINE` | `aaaa\n\nbbbb\nccc` | | `JSON_SECRET` | `{"key1":"value1","key2":"value2"}` | > [!NOTE] > > Double escapes are needed for quote signs. ## SSH mounts SSH mounts let you authenticate with SSH servers. For example to perform a `git clone`, or to fetch application packages from a private repository. The following Dockerfile example uses an SSH mount to fetch Go modules from a private GitHub repository. ```dockerfile {collapse=1} # syntax=docker/dockerfile:1 ARG GO_VERSION="{{% param example_go_version %}}" FROM golang:${GO_VERSION}-alpine AS base ENV CGO_ENABLED=0 ENV GOPRIVATE="github.com/foo/*" RUN apk add --no-cache file git rsync openssh-client RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts WORKDIR /src FROM base AS vendor # this step configure git and checks the ssh key is loaded RUN --mount=type=ssh <<EOT set -e echo "Setting Git SSH protocol" git config --global url."git@github.com:".insteadOf "https://github.com/" ( set +e ssh -T git@github.com if [ ! "$?" = "1" ]; then echo "No GitHub SSH key loaded exiting..." exit 1 fi ) EOT # this one download go modules RUN --mount=type=bind,target=. \ --mount=type=cache,target=/go/pkg/mod \ --mount=type=ssh \ go mod download -x FROM vendor AS build RUN --mount=type=bind,target=. \ --mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target=/root/.cache \ go build ... ``` To build this Dockerfile, you must specify an SSH mount that the builder can use in the steps with `--mount=type=ssh`. The following GitHub Action workflow uses the `MrSquaare/ssh-setup-action` third-party action to bootstrap SSH setup on the GitHub runner. The action creates a private key defined by the GitHub Action secret `SSH_GITHUB_PPK` and adds it to the SSH agent socket file at `SSH_AUTH_SOCK`. The SSH mount in the build step assume `SSH_AUTH_SOCK` by default, so there's no need to specify the ID or path for the SSH agent socket explicitly. {{< tabs >}} {{< tab name="`docker/build-push-action`" >}} ```yaml name: ci on: push: jobs: docker: runs-on: ubuntu-latest steps: - name: Set up SSH uses: MrSquaare/ssh-setup-action@2d028b70b5e397cf8314c6eaea229a6c3e34977a # v3.1.0 with: host: github.com private-key: ${{ secrets.SSH_GITHUB_PPK }} private-key-name: github-ppk - name: Build and push uses: docker/build-push-action@v6 with: ssh: default push: true tags: user/app:latest ``` {{< /tab >}} {{< tab name="`docker/bake-action`" >}} ```yaml name: ci on: push: jobs: docker: runs-on: ubuntu-latest steps: - name: Set up SSH uses: MrSquaare/ssh-setup-action@2d028b70b5e397cf8314c6eaea229a6c3e34977a # v3.1.0 with: host: github.com private-key: ${{ secrets.SSH_GITHUB_PPK }} private-key-name: github-ppk - name: Build uses: docker/bake-action@v6 with: set: | *.ssh=default ``` {{< /tab >}} {{< /tabs >}}

This section focuses on using SSH mounts to authenticate with SSH servers during Docker builds, specifically for tasks like cloning Git repositories or fetching packages from private repositories. It provides a Dockerfile example for fetching Go modules from a private GitHub repository using SSH. It outlines a GitHub Actions workflow using `MrSquaare/ssh-setup-action` to manage SSH setup and securely pass the private key (stored as a GitHub secret) to the Docker build process.