Git authentication with SSH keys
Last updated
Last updated
When using to set up the Git authentication, the remote Git repository will automatically be accessed via , independently of the format configured in the semantic-release (the format will be automatically converted as needed).
Alternatively the Git repository can be accessed via by creating SSH keys, adding the public one to your Git hosted account and making the private one available on the CI environment.
Note: SSH keys allow to push the associated to the released version. Some plugins might also require an API token. See each plugin documentation for additional information.
In your local repository root:
your_email
must be the email associated with your Git hosted account. ssh_passphrase
must be a long and hard to guess string. It will be used later.
This will generate a public key in git_deploy_key.pub
and a private key in git_deploy_key
.
Step by step instructions are provided for the following Git hosted services:
Open the git_deploy_key.pub
file (public key) and copy the entire content.
In GitHub Settings, click on SSH and GPG keys in the sidebar, then on the New SSH Key button.
Paste the entire content of git_deploy_key.pub
file (public key) and click the Add SSH Key button.
Delete the git_deploy_key.pub
file:
In order to be available on the CI environment, the SSH private key must be encrypted, committed to the Git repository and decrypted by the CI service.
Step by step instructions are provided for the following environments:
The travis encrypt-file
will encrypt the private key into the git_deploy_key.enc
file and output in the console the command to add to your .travis.yml
file. It should look like openssl aes-256-cbc -K $encrypted_KKKKKKKKKKKK_key -iv $encrypted_VVVVVVVVVVVV_iv -in git_deploy_key.enc -out git_deploy_key -d
.
Copy this command to your .travis.yml
file in the before_install
step. Change the output path to write the unencrypted key in /tmp
: -out git_deploy_key
=> /tmp/git_deploy_key
. This will avoid to commit / modify / delete the unencrypted key by mistake on the CI. Then add the commands to decrypt the ssh private key and make it available to git
:
Delete the local private key as it won't be used anymore:
Commit the encrypted private key and the .travis.yml
file to your repository:
First we encrypt the git_deploy_key
(private key) using a symmetric encryption (AES-256). Run the following openssl
command and make sure to note the output which we'll need later:
REPO_ENC_KEY
- the key
(KKK) value from the openssl
step above.
REPO_ENC_IV
- the iv
(VVV) value from the openssl
step above.
Then add to your .circleci/config.yml
the commands to decrypt the ssh private key and make it available to git
:
The unencrypted key is written to /tmp
to avoid to commit / modify / delete the unencrypted key by mistake on the CI environment.
Delete the local private key as it won't be used anymore:
Commit the encrypted private key and the .circleci/config.yml
file to your repository:
See for more details.
Install the :
to Travis with the CLI:
Add the variable SSH_PASSPHRASE
to Travis with the value set during the step:
the git_deploy_key
(private key) using a symmetric encryption (AES-256), and store the secret in a secure environment variable in the Travis environment:
See for more details.
Add the following to Circle CI:
SSL_PASSPHRASE
- the value set during the step.