https://stackoverflow.com/questions/57612428/cloning-private-github-repository-within-organisation-in-actions
https://github.com/webfactory/ssh-agent

Since access tokens are bound to an account and have write access to all its private repos, it’s a very bad solution.

Instead, use deploy keys.

https://i.stack.imgur.com/EIkJt.png

Deploy keys are simply SSH keys that you can use to clone a repo.

  1. Create a new SSH key pair on your computer
  2. Put the public key in the private dependency repo’s Deploy keys
  3. Put the private key in the app repo’s Actions secrets
  4. Delete the keys from your computer

https://i.stack.imgur.com/tOT4f.png

Once it’s set, you can set the private key in the GitHub Action’s SSH Agent. There’s no need to import a third-party GitHub Action; a 2-liner will suffice.

eval `ssh-agent -s`
ssh-add - <<< '${{ secrets.PRIVATE_SSH_KEY }}'
pip install -r requirements.txt
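
The same steps as a complete workflow, as an added example that is not part of the original answer: the secret reaches the shell through an environment variable instead of being interpolated into the script text, and the agent socket is exported so that later steps can use it. The workflow name, job name, action versions and Python version are assumptions; `PRIVATE_SSH_KEY` is the secret name used above.

```yaml
# Added example (constructed): names and versions below are assumptions.
name: install-private-deps
on: [push]

permissions:
  contents: read          # the job token only needs to read this repo

jobs:
  install:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Load deploy key into ssh-agent
        env:
          # Passed as an environment variable so the key text is never
          # pasted into the generated shell script.
          PRIVATE_SSH_KEY: ${{ secrets.PRIVATE_SSH_KEY }}
        run: |
          eval "$(ssh-agent -s)"
          # The key is read from stdin and held by the agent, not written to disk.
          ssh-add - <<< "$PRIVATE_SSH_KEY"
          # Each run step is a new shell: export the agent's socket and PID
          # so later steps can reach the same agent.
          echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> "$GITHUB_ENV"
          echo "SSH_AGENT_PID=$SSH_AGENT_PID" >> "$GITHUB_ENV"

      - name: Install dependencies (git+ssh URLs authenticate via the agent)
        run: pip install -r requirements.txt

      - name: Stop ssh-agent
        if: always()
        # Tolerate the case where the agent never started.
        run: ssh-agent -k || true
```

When adding the public key under the dependency repo's Deploy keys, leave "Allow write access" unchecked so the key can only read that one repository.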

Deploy keys were also the most convenient choice in my scenario but, for extra convenience, I managed the loading into the agent through the webfactory/ssh-agent action: github.com/webfactory/ssh-agent

# GHA workflow

- uses: webfactory/ssh-agent@v0.5.4
  with:
    ssh-private-key: ${{ secrets.PRIVATE_SSH_KEY }}

# pyproject.toml

[tool.poetry.dependencies]
...
aws-lambda-powerlib = {git = "git@github.com:Konstankino/aws-lambda-powerlib.git", rev = "1.0.0"}