Update composer-require-checker to v4.5.0

So #3042 is a … solution?

I haven't used Docker-based build images so far, I don't know...

The only explanation would be when this action webfactory/ssh-agent is run inside the Docker container. Is that the case?

If it is run outside (on the runner), then the known_hosts entry should already be present.

@stof you fixed something related to circular dependencies in #7260 a while ago, so maybe you’re familiar enough with this topic to give a review?

Thanks!

This seems not to be related with this issue, is it?

Graag gedaan

Do a case-sensitive search with you IDE for personne, maybe you wrote it that way somewhere?

Released: https://github.com/webfactory/ssh-agent/releases/tag/v0.8.0

@na-jakobs WDYT?

😭

• GH hosted runners should be fine, they ship with SSH keys maintained by GitHub
• Self hosted runners may be a problem, but if they used this action before, they still have the (old!) key in their known_hosts file. Admins will probably have to fix things manually anyway?
• For new self-hosted runners, people should be responsible for setting up keys themselves.

Am I missing anything?

In index.js you are always executing fs.appendFileSync. We are using self-hosted runners and such behaviour lead us to known_hosts reaching almost 4k of same lines and breaking some git clone-related steps. Manually removing this file helped us, but I think it should be done automatically in your post-step action.

https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/

https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/

https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/

https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/

After the job is done the ssh key persists in the self-hosted runner and eventually the keys build up into a larger and larger file. This also conflicts with other repo's runners.

We need to fix the SSH keys shipped with this action: https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/

But, we have another issue (https://github.com/webfactory/ssh-agent/pull/108) with regards to host keys: On self-hosted runners which are not ephemeral the known_host file fills up with repeated entries, because every action run adds a new line with the same host keys.

Also, on those machines, the old key will still be in the known_hosts file.

IMHO this action should not be repsonsible for shipping SSH host keys, that's too much responsibility.

This section in the code is a leftover from early days when GitHub provided runners did not include SSH keys at all. For a long time already, GH takes care of placing their SSH keys in their runner images.

For self-hosted runners, those people setting up the runner should fetch and verify SSH keys themselves and put it into the known_hosts file.

I know this is a breaking change and is going to annoy users. But on the other hand, there is no better opportunity to drop this feature than with an emergency-style key revocation as today.

Closes #106, closes #129, closes #169, closes #170, closes #172.

After the job is done the ssh key persists in the self-hosted runner and eventually the keys build up into a larger and larger file. This also conflicts with other repo's runners.

Stop adding GitHub SSH keys (#171)

We need to fix the SSH keys shipped with this action: https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/

But, we have another issue (https://github.com/webfactory/ssh-agent/pull/108) with regards to host keys: On self-hosted runners which are not ephemeral the known_host file fills up with repeated entries, because every action run adds a new line with the same host keys.

Also, on those machines, the old key will still be in the known_hosts file.

IMHO this action should not be repsonsible for shipping SSH host keys, that's too much responsibility.

This section in the code is a leftover from early days when GitHub provided runners did not include SSH keys at all. For a long time already, GH takes care of placing their SSH keys in their runner images.

For self-hosted runners, those people setting up the runner should fetch and verify SSH keys themselves and put it into the known_hosts file.

I know this is a breaking change and is going to annoy users. But on the other hand, there is no better opportunity to drop this feature than with an emergency-style key revocation as today.

Closes #106, closes #129, closes #169, closes #170, closes #172.

We have another issue (#108) with regards to host keys: On self-hosted runners which are not ephemeral the known_host file fills up with repeated entries, because every action run adds a new line with the same host keys.

Also, on those machines, the old key will still be in the known_hosts file.

IMHO this action should not be repsonsible for shipping SSH host keys, that's too much responsibility 😄 .

This section in the code is a leftover from early days when GitHub provided runners did not include SSH keys at all. For a long time already, GH takes care of placing their SSH keys in their runner images.

For self-hosted runners, those people setting up the runner should fetch and verify SSH keys themselves and put it into the known_hosts file.

I know this is a breaking change and is going to annoy users. But on the other hand, there is no better opportunity to drop this feature than with an emergency-style key revocation as today.

@derrabus, @greg0ire or @SenseException – can we try to get this merged in the near future? I have the impression it would de-block people who are kind enough to try 2.15-dev in their CI pipelines.