I am trying to checkout a repo using an ssh key because https authentication fails due to our firewall settings original question about getting https authentication working with a firewall that injects it’s own certificate into the chain

I was able to get this working previously, but the service was running as an elevated user. We are setting up a new server, and I’m trying to get things running in a more standard way with everything running as the network service user as suggested by github-actions runners documentation.

It is failing on the checkout step

- uses: actions/checkout@v3
      with:
        lfs: true
        ssh-key: ${{secrets.my_private_ssh_key}}

In the log it shows that it failed to load the key

Load key “C:\actions-runner\_work\_temp/d872e64c-0228-457f-9bfa-f9c01b1818ec”: Permission denied
[email protected]: Permission denied (publickey).
Error: fatal: Could not read from remote repository.

I’ve seen a lot of info on things related to [email protected]: Permission denied, but I haven’t found a lot of information about permission being denied when it comes to loading the key.

The one thing I did find is that a Load Key Permission Denied error is typically because the user doesn’t have read access to the ssh key?

If I’m understanding the checkout action correctly, it copies the ssh key to to .ssh folder of the user account so that it can use that ssh key. For the NetworkService account that should be C:\Windows\ServiceProfiles\NetworkService\.ssh if I go to that folder, the .ssh folder has been created, so it looks like at least an attempt was made to copy the ssh key into that folder, and I’m guessing the key is deleted out when the action is complete, so it may have been there and then deleted because the .ssh folder is empty.

Why would the network service account not have permissions for a file that it wrote out in the first place? Or is it possibly some other permission that is failing?

Can the ssh-key option work with the network service account?

Or is it possible to specify to use SSH, but not pass in the key as a secret, and instead just have the private key stored on our self-hosted runner?

Update:

I found another warning in the cleanup step for checkout@v3

Warning: Failed to remove SSH key ‘C:\actions-runner\_work\_temp\264e2651-1faf-44c3-9fa5-16a842f0d2a4’

but in the original setup it appears that the ssh key is getting setup without warnings for errors

::save-state name=sshKeyPath::C:\actions-runner\_work\_temp\264e2651-1faf-44c3-9fa5-16a842f0d2a4

##[debug]Save intra-action state sshKeyPath = C:\actions-runner\_work\_temp\264e2651-1faf-44c3-9fa5-16a842f0d2a4

processed file: C:\actions-runner\_work\_temp\264e2651-1faf-44c3-9fa5-16a842f0d2a4

Successfully processed 1 files; Failed processing 0 files