feat: Add custom SSH agent action for workflows (#1)

- Introduced `action.sh` to manage SSH host key validation and `known_hosts` setup.
- Added `action.yml` for defining a composite GitHub Action, supporting both predefined and dynamically scanned SSH hosts.
- Implemented `post_action.sh` to clean up `known_hosts` file post-deployment for enhanced security.
- Enhanced validation with warnings and errors for invalid or missing inputs.
- Improved security with support for SSH key type filtering and explicit warnings for potential MITM risks.
- Integrated `webfactory/ssh-agent` for managing private SSH keys in workflows.

Author: warnyul

action.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+if [ -z "${SSH_HOST}" ] && [ -z "${SSH_KNOWN_HOSTS}" ]; then
+    echo ":error file=$(basename "$0"),line=${LINENO},endLine=${LINENO},title=Input validation::\
+One of the input, 'ssh-host' or 'ssh-known-hosts' must be set. Please update your workflow inputs."
+    exit 2
+else
+    if [ ! -z "${SSH_KNOWN_HOSTS}" ]; then
+        if [ ! -z "${SSH_HOST}" ]; then
+            echo "::warning file=$(basename "$0"),line=${LINENO},endLine=${LINENO},title=Input validation::\
+Both 'ssh-host' and 'ssh-known-hosts' inputs are set. Using 'ssh-known-hosts'."
+        fi
+        echo "${SSH_KNOWN_HOSTS}" >> "${SSH_KNOWN_HOSTS_FILE}"
+    else
+        echo "::warning file=$(basename "$0"),line=${LINENO},endLine=${LINENO},title=Security risk::\
+If an ssh_known_hosts file is constructed using ssh-keyscan without verifying the keys, \
+users will be vulnerable to man in the middle attacks. On theother hand, if the security model allows such a risk, \
+ssh-keyscan can help in the detection of tampered keyfiles or man in the middle attacks which have begun after \
+the ssh_known_hosts file was created."
+    
+        if [ -z "${SSH_KEY_TYPE}" ]; then
+            if ! ssh-keyscan "${SSH_HOST}" >> "${SSH_KNOWN_HOSTS_FILE}"; then
+                echo "::error file=$(basename "$0"),line=${LINENO},endLine=${LINENO},title=SSH Keyscan Failed::\
+Failed to scan SSH host keys for ${SSH_HOST}"
+                exit 1
+            fi
+        else
+            if ! ssh-keyscan -t "${SSH_KEY_TYPE}" "${SSH_HOST}" >> "${SSH_KNOWN_HOSTS_FILE}"; then
+                echo "::error file=$(basename "$0"),line=${LINENO},endLine=${LINENO},title=SSH Keyscan Failed::\
+Failed to scan SSH host keys for ${SSH_HOST}"
+                exit 1
+            fi
+        fi
+    fi
+fi

action.yml

@@ -0,0 +1,58 @@
+name: 'apter-tech/ssh-agent'
+description: 'Run `ssh-agent`, load an SSH key to access other private repositories and setup `known_hosts` for host verification.',
+inputs:
+  ssh-host:
+    description: Hostname to fetch SSH keys from using ssh-keyscan.
+    required: false
+  ssh-key-type:
+    description: |
+      Specify the type of the key to fetch from the scanned hosts. The possible values are “ecdsa”, “ed25519”, “ecdsa-sk”, “ed25519-sk”, or “rsa”.
+      Multiple values may be specified by separating them with commas. The default is to fetch all the above key types.
+    required: false
+    default: 'rsa'
+  ssh-known-hosts:
+    description: 'Predefined known hosts to be added directly.'
+    required: false
+  # Inputs from webfactory/ssh-agent
+  ssh-private-key:
+    description: 'Private SSH key to register in the SSH agent'
+    required: true
+  ssh-auth-sock:
+    description: 'Where to place the SSH Agent auth socket'
+    required: false
+  log-public-key:
+    description: 'Whether or not to log public key fingerprints'
+    required: false
+    default: true
+  ssh-agent-cmd:
+    description: 'ssh-agent command'
+    required: false
+  ssh-add-cmd:
+    description: 'ssh-add command'
+    required: false
+  git-cmd:
+    description: 'git command'
+    required: false
+runs:
+  using: 'composite'
+  steps:
+    - uses: pyTooling/Actions/with-post-step@9ceefdbf5dceae8c441fc393ed82344c7ca8bbdb # v3.1.1
+      env:
+        SSH_HOST: ${{ inputs.ssh-host }}
+        SSH_KEY_TYPE: ${{ inputs.ssh-key-type }}
+        SSH_KNOWN_HOSTS: ${{ inputs.ssh-known-hosts }}
+        SSH_KNOWN_HOSTS_FILE: '~/.ssh/known_hosts'
+      with:
+        main: |
+          ./action.sh
+        post: |
+          ./post_action.sh
+    - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0
+      with:
+        ssh-private-key: ${{ inputs.ssh-private-key }}
+        ssh-auth-sock: ${{ inputs.ssh-auth-sock }}
+        log-public-key: ${{ inputs.log-public-key }}
+        ssh-agent-cmd: ${{ inputs.ssh-agent-cmd }}
+        ssh-add-cmd: ${{ inputs.ssh-add-cmd }}
+        git-cmd: ${{ inputs.git-cmd }}
+

post_action.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+if [ -z "${SSH_KNOWN_HOSTS_FILE}" ]; then
+    echo "::error file=$(basename "$0"),line=${LINENO},endLine=${LINENO},title=Notice::\
+${SSH_KNOWN_HOSTS_FILE} environment variable must be set."
+else
+    rm -rf "${SSH_KNOWN_HOSTS_FILE}"
+    echo "::notice file=$(basename "$0"),line=${LINENO},endLine=${LINENO},title=Notice::\
+${SSH_KNOWN_HOSTS_FILE} has been removed."
+fi