SSH Deploy from CI

How to deploy to GitHub pages from CI using SSH to authenticate.

Often we want to deploy a static site (like this Hexo blog) to GitHub pages. Often we cannot use access token, and just need SSH. We can do it from a local terminal via SSH, but how do we deploy from a CI?

Turns out it is simple to do from CIs that allow SSH deploy keys. CircleCI is one of them. Once you have a GitHub repository, create a CircleCI project. This will create a read-only SSH key to checkout the repository. Delete it! Instead you need to add a new read-write SSH key that will be used to checkout code and to upload GitHub pages.

  1. Create a new dedicated SSH key for this particular CI project to be used with this repository. This way the security of other projects will not be jeopardized by reusing the same SSH key. See How to create SSH key.

    1
    $ ssh-keygen -t rsa -b 4096 -C "[email protected]"

    important: set empty password when creating the key.

    very important: do not overwrite your regular ~/.ssh/id_rsa file! I prefer to save the new SSH key in the current folder with some random name, like foo. This will write two files: the private key file foo and the corresponding public key file foo.pub You should delete these files after uploading them to GitHub (public file) and to CI (private file).

  2. You can add the newly created public SSH key (file ending with .pub) to the GitHub repository at https://github.com/<username>/<repo name>/settings/keys.

    important: - make sure the new key has write access.

  3. You can delete and upload new private SSH key to CircleCI at https://circleci.com/gh/<username>/<project name>/edit#ssh page.

  4. Delete the local files - if you need to redo the link, just generate another SSH key.

That's it. Now things like git push [email protected]:<username>/<repo name>.git should work, because the local CircleCI process can authenticate and is permitted to push code to this particular GitHub repository.