Switch to ssh key for private requirements_git (#15838)

.github/actions/awx_devel_image/action.yml

@@ -4,8 +4,8 @@ inputs:
   github-token:
     description: GitHub Token for registry access
     required: true
-  private-github-token:
+  private-github-key:
-    description: GitHub Token for private repositories
+    description: GitHub private key for private repositories
     required: false
     default: ''
 runs:
@@ -26,10 +26,26 @@ runs:
       run: |
         echo "${{ inputs.github-token }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
 
-    - name: Add Private github token to requirements_git.credentials.txt
+    - name: Generate placeholder SSH private key if SSH auth for private repos is not needed
+      id: generate_key
       shell: bash
-      run: echo "https://x-access-token:${{ inputs.private-github-token }}@github.com" >> requirements/requirements_git.credentials.txt
+      run: |
-      if: ${{ inputs.private-github-token != '' }}
+        if [[ -z "${{ inputs.private-github-key }}" ]]; then
+          ssh-keygen -t ed25519 -C "github-actions" -N "" -f ~/.ssh/id_ed25519
+          echo "SSH_PRIVATE_KEY<<EOF" >> $GITHUB_OUTPUT
+          cat ~/.ssh/id_ed25519 >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+        else
+          echo "SSH_PRIVATE_KEY<<EOF" >> $GITHUB_OUTPUT
+          echo "${{ inputs.private-github-key }}" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Add private GitHub key to SSH agent
+      uses: webfactory/ssh-agent@v0.9.0
+      with:
+        ssh-private-key: ${{ steps.generate_key.outputs.SSH_PRIVATE_KEY }}
+
 
     - name: Pre-pull latest devel image to warm cache
       shell: bash

.github/actions/run_awx_devel/action.yml

@@ -9,8 +9,8 @@ inputs:
     required: false
     default: false
     type: boolean
-  private-github-token:
+  private-github-key:
-    description: GitHub Token for private repositories
+    description: GitHub private key for private repositories
     required: false
     default: ''
 outputs:
@@ -32,7 +32,7 @@ runs:
       uses: ./.github/actions/awx_devel_image
       with:
         github-token: ${{ inputs.github-token }}
-        private-github-token: ${{ inputs.private-github-token}}
+        private-github-key: ${{ inputs.private-github-key }}
 
     - name: Upgrade ansible-core
       shell: bash

.github/workflows/ci.yml

@@ -3,7 +3,6 @@ name: CI
 env:
   LC_ALL: "C.UTF-8" # prevent ERROR: Ansible could not initialize the preferred locale: unsupported locale setting
   CI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  CI_PRIVATE_GITHUB_TOKEN: ${{ secrets.PRIVATE_GITHUB_TOKEN }}
   DEV_DOCKER_OWNER: ${{ github.repository_owner }}
   COMPOSE_TAG: ${{ github.base_ref || 'devel' }}
   UPSTREAM_REPOSITORY_ID: 91594105
@@ -55,7 +54,7 @@ jobs:
         uses: ./.github/actions/awx_devel_image
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
-          private-github-token: ${{ secrets.PRIVATE_GITHUB_TOKEN }}
+          private-github-key: ${{ secrets.PRIVATE_GITHUB_KEY }}
 
       - name: Run check ${{ matrix.tests.name }}
         id: make-run
@@ -140,7 +139,7 @@ jobs:
         with:
           build-ui: false
           github-token: ${{ secrets.GITHUB_TOKEN }}
-          private-github-token: ${{ secrets.PRIVATE_GITHUB_TOKEN }}
+          private-github-key: ${{ secrets.PRIVATE_GITHUB_KEY }}
 
       - name: Run live dev env tests
         run: docker exec tools_awx_1 /bin/bash -c "make live_test"
@@ -182,11 +181,25 @@ jobs:
         run: |
           python3 -m pip install docker
 
-      - name: Add Private github token to requirements_git.credentials.txt
+      - name: Generate placeholder SSH private key if SSH auth for private repos is not needed
+        id: generate_key
         shell: bash
-        working-directory: awx
+        run: |
-        run: echo "https://x-access-token:${{ env.CI_PRIVATE_GITHUB_TOKEN }}@github.com" >> requirements/requirements_git.credentials.txt
+          if [[ -z "${{ secrets.PRIVATE_GITHUB_KEY }}" ]]; then
-        if: ${{ env.CI_PRIVATE_GITHUB_TOKEN != '' }}
+            ssh-keygen -t ed25519 -C "github-actions" -N "" -f ~/.ssh/id_ed25519
+            echo "SSH_PRIVATE_KEY<<EOF" >> $GITHUB_OUTPUT
+            cat ~/.ssh/id_ed25519 >> $GITHUB_OUTPUT
+            echo "EOF" >> $GITHUB_OUTPUT
+          else
+            echo "SSH_PRIVATE_KEY<<EOF" >> $GITHUB_OUTPUT
+            echo "${{ secrets.PRIVATE_GITHUB_KEY }}" >> $GITHUB_OUTPUT
+            echo "EOF" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Add private GitHub key to SSH agent
+        uses: webfactory/ssh-agent@v0.9.0
+        with:
+          ssh-private-key: ${{ steps.generate_key.outputs.SSH_PRIVATE_KEY }}
 
       - name: Build AWX image
         working-directory: awx
@@ -295,7 +308,7 @@ jobs:
         with:
           build-ui: false
           github-token: ${{ secrets.GITHUB_TOKEN }}
-          private-github-token: ${{ secrets.PRIVATE_GITHUB_TOKEN }}
+          private-github-key: ${{ secrets.PRIVATE_GITHUB_KEY }}
 
       - name: Install dependencies for running tests
         run: |

.github/workflows/devel_images.yml

@@ -3,7 +3,6 @@ name: Build/Push Development Images
 env:
   LC_ALL: "C.UTF-8" # prevent ERROR: Ansible could not initialize the preferred locale: unsupported locale setting
   DOCKER_CACHE: "--no-cache" # using the cache will not rebuild git requirements and other things
-  CI_PRIVATE_GITHUB_TOKEN: ${{ secrets.PRIVATE_GITHUB_TOKEN }}
 on:
   workflow_dispatch:
   push:
@@ -74,10 +73,25 @@ jobs:
           make ui
         if: matrix.build-targets.image-name == 'awx'
 
-      - name: Add private GitHub token to requirements_git.credentials.txt
+      - name: Generate placeholder SSH private key if SSH auth for private repos is not needed
+        id: generate_key
         shell: bash
-        run: echo "https://x-access-token:${{ secrets.PRIVATE_GITHUB_TOKEN }}@github.com" >> requirements/requirements_git.credentials.txt
+        run: |
-        if: ${{ env.CI_PRIVATE_GITHUB_TOKEN != '' }}
+          if [[ -z "${{ secrets.PRIVATE_GITHUB_KEY }}" ]]; then
+            ssh-keygen -t ed25519 -C "github-actions" -N "" -f ~/.ssh/id_ed25519
+            echo "SSH_PRIVATE_KEY<<EOF" >> $GITHUB_OUTPUT
+            cat ~/.ssh/id_ed25519 >> $GITHUB_OUTPUT
+            echo "EOF" >> $GITHUB_OUTPUT
+          else
+            echo "SSH_PRIVATE_KEY<<EOF" >> $GITHUB_OUTPUT
+            echo "${{ secrets.PRIVATE_GITHUB_KEY }}" >> $GITHUB_OUTPUT
+            echo "EOF" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Add private GitHub key to SSH agent
+        uses: webfactory/ssh-agent@v0.9.0
+        with:
+          ssh-private-key: ${{ steps.generate_key.outputs.SSH_PRIVATE_KEY }}
 
       - name: Build and push AWX devel images
         run: |

Makefile

@@ -562,6 +562,7 @@ Dockerfile.dev: tools/ansible/roles/dockerfile/templates/Dockerfile.j2
 ## Build awx_devel image for docker compose development environment
 docker-compose-build: Dockerfile.dev
 	DOCKER_BUILDKIT=1 docker build \
+		--ssh default=$(SSH_AUTH_SOCK) \
 		-f Dockerfile.dev \
 		-t $(DEVEL_IMAGE_NAME) \
 		--build-arg BUILDKIT_INLINE_CACHE=1 \
@@ -573,6 +574,7 @@ docker-compose-buildx: Dockerfile.dev
 	- docker buildx create --name docker-compose-buildx
 	docker buildx use docker-compose-buildx
 	- docker buildx build \
+		--ssh default=$(SSH_AUTH_SOCK)
 		--push \
 		--build-arg BUILDKIT_INLINE_CACHE=1 \
 		$(DOCKER_DEVEL_CACHE_FLAG) \
@@ -620,6 +622,7 @@ Dockerfile: tools/ansible/roles/dockerfile/templates/Dockerfile.j2
 ## Build awx image for deployment on Kubernetes environment.
 awx-kube-build: Dockerfile
 	DOCKER_BUILDKIT=1 docker build -f Dockerfile \
+		--ssh default=$(SSH_AUTH_SOCK) \
 		--build-arg VERSION=$(VERSION) \
 		--build-arg SETUPTOOLS_SCM_PRETEND_VERSION=$(VERSION) \
 		--build-arg HEADLESS=$(HEADLESS) \
@@ -631,6 +634,7 @@ awx-kube-buildx: Dockerfile
 	- docker buildx create --name awx-kube-buildx
 	docker buildx use awx-kube-buildx
 	- docker buildx build \
+		--ssh default=$(SSH_AUTH_SOCK) \
 		--push \
 		--build-arg VERSION=$(VERSION) \
 		--build-arg SETUPTOOLS_SCM_PRETEND_VERSION=$(VERSION) \
@@ -654,6 +658,7 @@ Dockerfile.kube-dev: tools/ansible/roles/dockerfile/templates/Dockerfile.j2
 ## Build awx_kube_devel image for development on local Kubernetes environment.
 awx-kube-dev-build: Dockerfile.kube-dev
 	DOCKER_BUILDKIT=1 docker build -f Dockerfile.kube-dev \
+		--ssh default=$(SSH_AUTH_SOCK) \
 	    --build-arg BUILDKIT_INLINE_CACHE=1 \
 	     $(DOCKER_KUBE_DEV_CACHE_FLAG) \
 	    -t $(IMAGE_KUBE_DEV) .
@@ -663,6 +668,7 @@ awx-kube-dev-buildx: Dockerfile.kube-dev
 	- docker buildx create --name awx-kube-dev-buildx
 	docker buildx use awx-kube-dev-buildx
 	- docker buildx build \
+		--ssh default=$(SSH_AUTH_SOCK) \
 		--push \
 		--build-arg BUILDKIT_INLINE_CACHE=1 \
 		$(DOCKER_KUBE_DEV_CACHE_FLAG) \