Our server_deploy.sh

#!/bin/bash
set -e
echo "Deploying application ..... branch = $1"

BRANCH_DIR="/var/www/html/devserver/$1"

if [ ! -d "$BRANCH_DIR" ]
then
        mkdir -p "$BRANCH_DIR"
        chown "$USER":www-data -R "$BRANCH_DIR"
        cd "$BRANCH_DIR"
        echo "Cloning API Repo..."
        mkdir api
        git config --global --add safe.directory "$BRANCH_DIR/api"
        git clone git@github.com:{API URL HERE} api
        echo "Cloning UI Repo..."
        mkdir ui
        git config --global --add safe.directory "$BRANCH_DIR/ui"
        git clone git@github.com:{UI URL HERE} ui
        chown "$USER":www-data -R "$BRANCH_DIR"
fi

# back to home directory
cd

# setup Node version
source ~/.nvm/nvm.sh
nvm use 12.16.3

# setup API
cd "$BRANCH_DIR/api"

chmod 777 -R storage bootstrap/cache
chown "$USER":www-data -R "$BRANCH_DIR"

#switch branch
git stash
git reset --hard origin/master
git pull
if git branch -a | grep -- "$1"
then
    git checkout "$1"
else
    git checkout master
fi

cp /var/www/html/devserver/.env "$BRANCH_DIR/api/"
sed -i -e "s/BRANCH/$1/g" "$BRANCH_DIR/api/.env"

composer install --no-interaction --prefer-dist --optimize-autoloader

php artisan config:clear
php artisan cache:clear
php artisan migrate --force
php artisan db:seed
php artisan optimize

npm install
npm run prod

#setup UI
cd "$BRANCH_DIR/ui"

#switch branch
git stash
git reset --hard origin/master
git pull
if git branch -a | grep -- "$1"
then
        git checkout "$1"
else
        git checkout master
fi

cp /var/www/html/devserver/config.js "$BRANCH_DIR/ui/src/api/"
sed -i -e "s/BRANCH/$1/g" "$BRANCH_DIR/ui/src/api/config.js"

npm install
npm run build

Our laravel.yml

name: Laravel

on:
  pull_request

jobs:
  devserver:
    runs-on: ubuntu-latest
    services:
      # mysql-service Label used to access the service container
      mysql-service:
        # Docker Hub image (also with version)
        image: mysql:5.7
        env:
          ## Accessing to Github secrets, where you can store your configuration
          MYSQL_ROOT_PASSWORD: ******
          MYSQL_DATABASE: db_test
        ## map the "external" 33306 port with the "internal" 3306

    ** REST OF THE CODE HERE, LIKE UNIT TESTING AND CODE QUALITY **


    - name: Deploy to Devserver
      env:
        PUSHED_BRANCH_NAME: ${{ steps.branch-name.outputs.head_ref_branch }}
      uses: appleboy/ssh-action@master
      with:
        username: ${{ secrets.DEVSERVER_SSH_USER }}
        host: ${{secrets.DEVSERVER_HOST}}
        envs: PUSHED_BRANCH_NAME
        password: ${{ secrets.DEVSERVER_SSH_PASS }}
        script: sudo /home/$USER/.server_deploy.sh $PUSHED_BRANCH_NAME

Hi, we have a script called server_deploy.sh on our dev server which is triggered when a collaborator creates a PR. The branch is deployed to the dev server, and each branch has a specific URL. The setup was working fine until March 23rd when GitHub released its updates.

We started getting the following error:

======CMD======
sudo /home/***/.server_deploy.sh $PUSHED_BRANCH_NAME
======END======
out: Deploying application ..... branch = lg-30rvkhp
out: Now using node v12.16.3 (npm v6.14.4)
err: chmod: cannot access 'storage': No such file or directory
err: chmod: cannot access 'bootstrap/cache': No such file or directory
2023/03/27 07:45:20 Process exited with status 1

We noticed that cloning was not working, which caused the issue. We tried to clone the repository manually on the dev server, but that didn't work either.

We were able to fix the issue by fixing the known_hosts on the dev server, which allowed us to execute the deploy script manually. However, the script continues to fail when triggered by actions.

After manually cloning the repository, we ran the job again, but it threw the following error:

======CMD======
sudo /home/***/.server_deploy.sh $PUSHED_BRANCH_NAME
======END======
out: Deploying application ..... branch = lg-85zruc0ph
out: Cloning API Repo...
err: Cloning into 'api'...
err: Host key verification failed.
err: fatal: Could not read from remote repository.
err: Please make sure you have the correct access rights
err: and the repository exists.
2023/04/04 06:41:41 Process exited with status 128

It seems that the git clone or git pull via the server deploy script is not working properly.

We followed the instructions outlined in the blog post https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/.

We also checked the discussions on the GitHub community (links below) and tried the suggested solutions.

  1. https://github.com/orgs/community/discussions/51502?sort=new
  2. https://github.com/orgs/community/discussions/27405?sort=new

These steps allowed us to deploy the script manually, but we are still experiencing issues when running the script triggered by actions.

Can anyone please help us troubleshoot this issue? We'd really appreciate any suggestions or solutions you might have.

  • What have you tried to resolve the problem? Where are you stuck? How is this problem related to programming? – Nico Haase Apr 06 '23 at 06:37

1 Answer

We were able to fix the issue by fixing the known_hosts on the dev server

Double-check with which account you fixed the issue of the known_hosts on the dev server.

Your script is executed as sudo:

sudo /home/$USER/.server_deploy.sh $PUSHED_BRANCH_NAME

So it might use the /root/.ssh/known_hosts file instead of /home/${secrets.DEVSERVER_SSH_USER}/.ssh/known_hosts.


If you get a Host key verification failed, do not forget GitHub recently (March 24th, 2023) changed their RSA SSH host key:

ssh-keygen -R github.com
curl -L https://api.github.com/meta | jq -r '.ssh_keys | .[]' | sed -e 's/^/github.com /' >> ~/.ssh/known_hosts
VonC
  • Thank you for sharing this. It looks like the dev server is able to find the host key for `github.com` in the known_hosts file located at `/root/.ssh/known_hosts`. – Bhat Andleeb Apr 06 '23 at 07:00
  • I added the command `ssh -v git@github.com` to the **server_deploy.sh** file & it gave me this error. `err: debug1: Server host key: ecdsa-sha2-{key here} err: debug1: Host 'github.com' is known and matches the ECDSA host key. err: debug1: Found key in /root/.ssh/known_hosts:8 <------------------------------------- err: debug1: read_passphrase: can't open /dev/tty: No such device or address err: Host key verification failed.` – Bhat Andleeb Apr 06 '23 at 07:02
  • @BhatAndleeb That means the known_hosts is obsolete: see my [updated answer here](https://stackoverflow.com/a/47708298/6309): `ssh-keygen -R github.com` then update it with `curl -L https://api.github.com/meta | jq -r '.ssh_keys | .[]' | sed -e 's/^/github.com /' >> ~/.ssh/known_hosts`, then try again. – VonC Apr 06 '23 at 09:29
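
To see which known_hosts entries are stale before deleting anything, the check below compares a known_hosts file against a trusted key list. It is an added example, not code from the question or the answer; the function name `audit_known_hosts`, the file names and every key blob are constructed for illustration.

```bash
#!/bin/bash
# Added example. Every key blob below is a constructed placeholder, not a real key.

# audit_known_hosts HOST KNOWN_HOSTS TRUSTED
# TRUSTED holds one "<keytype> <base64>" per line (the jq output in the answer,
# before sed prefixes the host name). Prints "<status> <line> <keytype>" for each
# entry naming HOST and returns 1 if any entry is STALE (key not in TRUSTED).
audit_known_hosts() {
    awk -v host="$1" '
        NR == FNR { trusted[$1 " " $2] = 1; next }   # first file: trusted keys
        /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
        index($1, "|1|") == 1 {                      # HashKnownHosts entry:
            print "HASHED " FNR " " $2; next         # host name not recoverable
        }
        {
            n = split($1, names, ",")                # "github.com,192.0.2.10"
            for (i = 1; i <= n; i++) {
                if (names[i] != host) continue
                key = $2 " " $3
                if (key in trusted) { print "OK " FNR " " $2 }
                else { print "STALE " FNR " " $2; bad = 1 }
            }
        }
        END { exit bad }
    ' "$3" "$2"
}

# Constructed sample data so the example runs offline.
workdir="$(mktemp -d)"
cat > "$workdir/trusted" <<'EOF'
ssh-ed25519 AAAA-constructed-ed25519
ecdsa-sha2-nistp256 AAAA-constructed-ecdsa
ssh-rsa AAAA-constructed-rsa-NEW
EOF
cat > "$workdir/root_known_hosts" <<'EOF'
# constructed stand-in for /root/.ssh/known_hosts
github.com,192.0.2.10 ecdsa-sha2-nistp256 AAAA-constructed-ecdsa
github.com ssh-rsa AAAA-constructed-rsa-OLD
gitlab.com ssh-ed25519 AAAA-constructed-other
EOF

if audit_known_hosts github.com "$workdir/root_known_hosts" "$workdir/trusted"; then
    echo "all github.com entries match the trusted list"
else
    echo "stale entries found: remove them with ssh-keygen -R, then re-add"
fi
```

Point it at the known_hosts file of the account that actually runs git, which is root's when the deploy script is started through sudo.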