Merge pull request #98 from shimataro/develop

version 1.6.3

.markdownlint.yml

@@ -4,3 +4,4 @@ MD013:
   line_length: 255
 MD024:
   siblings_only: true
+MD026: false

CHANGELOG.md

@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## [1.6.3] - 2020-01-27
+
+### Others
+
+* add FAQ
+
 ## [1.6.2] - 2020-01-25
 
 ### Others
@@ -65,7 +71,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 * First release.
 
-[Unreleased]: https://github.com/shimataro/ssh-key-action/compare/v1.6.2...HEAD
+[Unreleased]: https://github.com/shimataro/ssh-key-action/compare/v1.6.3...HEAD
+[1.6.3]: https://github.com/shimataro/ssh-key-action/compare/v1.6.2...v1.6.3
 [1.6.2]: https://github.com/shimataro/ssh-key-action/compare/v1.6.1...v1.6.2
 [1.6.1]: https://github.com/shimataro/ssh-key-action/compare/v1.6.0...v1.6.1
 [1.6.0]: https://github.com/shimataro/ssh-key-action/compare/v1.5.0...v1.6.0

README.md

@@ -74,6 +74,49 @@ steps:
   run: scp ./foo/ target:bar/
 ```
 
+## Q&A
+
+### SSH failed even though key has been installed.
+
+Check belows:
+
+* `Load key "/HOME/.ssh/id_rsa": invalid format`:
+    * OPENSSH format (key begins with `-----BEGIN OPENSSH PRIVATE KEY-----`) may not work.
+    * Use PEM format (begins with `-----BEGIN RSA PRIVATE KEY-----`).
+* `Host key verification failed.`:
+    * Set `known-hosts` option or use `ssh -o StrictHostKeyChecking=no`.
+    * The former is **HIGHLY** recommended for security reason.
+    * I'm planning to make `known-hosts` required in v2.
+
+### How do I use encrypted SSH key?
+
+This action doesn't support encrypted key directly.
+Here are some solutions:
+
+* decrypting key beforehand: best bet, and works on any VM
+* `sshpass` command: next best bet, but not supported on Windows
+* `expect` command: be careful not to expose passphrase to console
+* `SSH_ASKPASS` environment variable: might be troublesome
+
+### Which one is the best way for transferring files, "direct SCP/SFTP/rsync" or "SCP/SFTP/rsync via bastion"?
+
+I recommend **rsync via bastion**.
+It has some advantages over other methods:
+
+* "Rsync via bastion" doesn't require to update workflow files and `secrets` even if it is necessary to transfer files to multiple servers.
+    * Other methods require to update `known-hosts` if servers have changed.
+* Rsync:
+    * is fastest of all.
+    * does **NOT** break files even if disconnected during transferring.
+    * can remove files that don't exist on server.
+* SCP is [deprecated by OpenSSH](https://www.openssh.com/txt/release-8.0) due to outdated and inflexible protocol.
+* Using bastion is more secure because:
+    * it is not necessarily to expose SSH port on servers to public.
+        * Address filtering is less effective.
+        * Because Azure address range is [very wide](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/virtual-environments-for-github-hosted-runners#ip-addresses-of-github-hosted-runners).
+        * And will be updated continuously.
+    * if security incident ―e.g., private key leaked― occurs, it's OK just to remove `authorized_keys` on bastion.
+
 ## License
 
 The scripts and documentation in this project are released under the [MIT License](LICENSE)

package.json

@@ -1,6 +1,6 @@
 {
   "name": "install-ssh-key",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "private": true,
   "description": "Install SSH key in .ssh",
   "main": "lib/main.js",

scripts/create-release-branch.sh

@@ -119,12 +119,13 @@ function update_package_version() {
 }
 
 function update_dependencies_version() {
+	npm ci
 	npm run check-updates -- -u
 }
 
 function regenerate_package_lock() {
-	rm -rf package-lock.json node_modules &&
-		npm install
+	rm -rf package-lock.json node_modules
+	npm install
 }
 
 function build_package() {
@@ -135,9 +136,9 @@ function build_package() {
 function commit_changes() {
 	local VERSION=$1
 
-	npm ci --only=production &&
-		git add CHANGELOG.md package.json package-lock.json node_modules lib &&
-		git commit -m "version ${VERSION}"
+	npm ci --only=production
+	git add CHANGELOG.md package.json package-lock.json node_modules lib
+	git commit -m "version ${VERSION}"
 }
 
 function finish() {