Git authentication with SSH keys
When using environment variables to set up the Git authentication, the remote Git repository will automatically be accessed via https, independently of the repositoryUrl format configured in the semantic-release Configuration (the format will be automatically converted as needed).
Alternatively the Git repository can be accessed via SSH by creating SSH keys, adding the public one to your Git hosted account and making the private one available on the CI environment.
Note: SSH keys allow to push the Git release tag associated to the released version. Some plugins might also require an API token. See each plugin documentation for additional information.
Generating the SSH keys
In your local repository root:
your_email must be the email associated with your Git hosted account. ssh_passphrase must be a long and hard to guess string. It will be used later.
This will generate a public key in git_deploy_key.pub and a private key in git_deploy_key.
Adding the SSH public key to the Git hosted account
Step by step instructions are provided for the following Git hosted services:
Adding the SSH public key to GitHub
Open the git_deploy_key.pub file (public key) and copy the entire content.
In GitHub Settings, click on SSH and GPG keys in the sidebar, then on the New SSH Key button.
Paste the entire content of git_deploy_key.pub file (public key) and click the Add SSH Key button.
Delete the git_deploy_key.pub file:
See Adding a new SSH key to your GitHub account for more details.
Adding the SSH private key to the CI environment
In order to be available on the CI environment, the SSH private key must be encrypted, committed to the Git repository and decrypted by the CI service.
Step by step instructions are provided for the following environments:
Adding the SSH private key to Travis CI
Install the Travis CLI:
Login to Travis with the CLI:
Add the environment variable SSH_PASSPHRASE to Travis with the value set during the SSH keys generation step:
Encrypt the git_deploy_key (private key) using a symmetric encryption (AES-256), and store the secret in a secure environment variable in the Travis environment:
The travis encrypt-file will encrypt the private key into the git_deploy_key.enc file and output in the console the command to add to your .travis.yml file. It should look like openssl aes-256-cbc -K $encrypted_KKKKKKKKKKKK_key -iv $encrypted_VVVVVVVVVVVV_iv -in git_deploy_key.enc -out git_deploy_key -d.
Copy this command to your .travis.yml file in the before_install step. Change the output path to write the unencrypted key in /tmp: -out git_deploy_key => /tmp/git_deploy_key. This will avoid to commit / modify / delete the unencrypted key by mistake on the CI. Then add the commands to decrypt the ssh private key and make it available to git:
See Encrypting Files for more details.
Delete the local private key as it won't be used anymore:
Commit the encrypted private key and the .travis.yml file to your repository:
Adding the SSH private key to Circle CI
First we encrypt the git_deploy_key (private key) using a symmetric encryption (AES-256). Run the following openssl command and make sure to note the output which we'll need later:
Add the following environment variables to Circle CI:
SSL_PASSPHRASE- the value set during the SSH keys generation step.REPO_ENC_KEY- thekey(KKK) value from theopensslstep above.REPO_ENC_IV- theiv(VVV) value from theopensslstep above.
Then add to your .circleci/config.yml the commands to decrypt the ssh private key and make it available to git:
The unencrypted key is written to /tmp to avoid to commit / modify / delete the unencrypted key by mistake on the CI environment.
Delete the local private key as it won't be used anymore:
Commit the encrypted private key and the .circleci/config.yml file to your repository:
Last updated