I have a CI pipeline (on GitLab) where I deploy to Heroku. I don't want to use my personal API key, since this is a shared repository. So I had this CI config working until a few weeks ago:
deploy-heroku:
  variables:
    GIT_DEPTH: 200
  stage: deploy
  only:
    - master
  except:
    - schedules
  script:
    - apk update && apk upgrade && apk add curl bash git openssh-client
    - curl https://cli-assets.heroku.com/install.sh | sh
    - heroku git:remote -a $HEROKU_APP_NAME --ssh-git
    - mkdir -p ~/.ssh
    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_ed25519
    - chmod 700 ~/.ssh/id_ed25519
    - eval "$(ssh-agent -s)"
    - ssh-add ~/.ssh/id_ed25519
    - ssh-keyscan -H 'heroku.com' >> ~/.ssh/known_hosts
    - git push -f heroku HEAD:master --no-verify
This worked flawlessly, and in the logs:
$ ssh-keyscan -H 'heroku.com' >> ~/.ssh/known_hosts
# heroku.com:22 SSH-2.0-endosome
# heroku.com:22 SSH-2.0-endosome
# heroku.com:22 SSH-2.0-endosome
# heroku.com:22 SSH-2.0-endosome
# heroku.com:22 SSH-2.0-endosome
However, for the past few weeks, this fails on the ssh-keyscan:
$ ssh-keyscan -H 'heroku.com' >> ~/.ssh/known_hosts
Cleaning up project directory and file based variables
00:01
ERROR: Job failed: exit code 1
So it seems the ssh-keyscan doesn't work anymore. When running ssh-keyscan -H 'heroku.com', it doesn't give any results anymore (it used to give some results).
How to make the keyscan work (or how to make sure the right keys are in known_hosts)?
Or, more generally: how to make the Heroku deployment work without using a personal API key?
CodePudding user response:
git over ssh was deprecated and removed from Heroku.
This script does work:
- apk update && apk upgrade && apk add curl bash git openssh-client
- curl https://cli-assets.heroku.com/install.sh | sh
- git push --no-verify https://heroku:$HEROKU_API_KEY@git.heroku.com/$HEROKU_APP_NAME.git HEAD:master
In this case, the --no-verify is necessary, because git looks for git-lfs in one of the hooks. With the --no-verify flag, this hook is skipped.
The HEROKU_API_KEY can be generated locally, when you log in to Heroku and generate a long-lived key:
$ heroku login
heroku: Press any key to open up the browser to login or q to exit:
Opening browser to https://cli-auth.heroku.com/auth/cli/browser/89f5...?requestor=SFMyN...
Logging in... done
Logged in as ...
$ heroku authorizations:create
Creating OAuth Authorization... done
Client: <none>
ID: ...
Description: Long-lived user authorization
Scope: global
Token: <HEROKU_API_KEY>
Updated at: Tue Apr 12 2022 17:34:15 GMT+0200 (Central European Summer Time) (less than a minute ago)
Get the API key from the token field. (You can check all the tokens/keys by ID with heroku authorizations)
Add both HEROKU_API_KEY and HEROKU_APP_NAME as protected variables in your repository.
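A variant of the push step above that keeps the token out of the push URL, as an added example that is not part of the original answer: the token goes into ~/.netrc, which git's HTTPS transport reads, so it does not appear in the git command line or in the URL git echoes to the job log. The function names write_heroku_netrc and deploy_heroku are hypothetical, git.heroku.com is Heroku's HTTPS git host, and the job is assumed to run in a throwaway container whose ~/.netrc can be overwritten.

```shell
#!/bin/sh
# Added example, not from the original answer.
# Assumes HEROKU_API_KEY and HEROKU_APP_NAME are set as CI variables.

# Write a netrc entry for git.heroku.com with the token as password.
write_heroku_netrc() {
    token=$1
    netrc="${HOME}/.netrc"

    # netrc is whitespace-delimited: an empty token, or one containing
    # whitespace (such as a pasted trailing newline), would corrupt the entry.
    case $token in
        '' | *[[:space:]]*)
            echo "HEROKU_API_KEY is empty or contains whitespace" >&2
            return 1 ;;
    esac

    # Create the file with restrictive permissions before the secret is written.
    ( umask 077 && : > "$netrc" ) || return 1
    chmod 600 "$netrc" || return 1
    # The login name matches the "heroku" user in the answer's push URL.
    printf 'machine git.heroku.com\n  login heroku\n  password %s\n' \
        "$token" > "$netrc"
}

# Push the current commit; the URL itself carries no credentials.
deploy_heroku() {
    write_heroku_netrc "${HEROKU_API_KEY:-}" || return 1
    git push --no-verify \
        "https://git.heroku.com/${HEROKU_APP_NAME}.git" HEAD:master
    status=$?
    rm -f "${HOME}/.netrc"   # do not leave the token behind on a shared runner
    return "$status"
}
```

In the job's script section, source this file and call deploy_heroku in place of the git push line.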