feat(updater): Add SSH key support and comprehensive authentication validation #134
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Addresses GitHub Actions checkout authentication issues by: - Adding early token validation with clear error messages - Configuring git credentials explicitly to prevent "terminal prompts disabled" errors This helps prevent and diagnose common token issues like: - Expired tokens - Missing expiration dates - Insufficient scopes - Incorrect secret references Related to actions/checkout#664 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Checks token scopes using x-oauth-scopes header: - Reports scopes for classic PATs - Warns if repo/public_repo scope missing - Provides guidance for fine-grained PATs Based on https://github.com/orgs/community/discussions/25259
Shows detailed information when whitespace is detected: - Token length - Position of whitespace character - Type of whitespace (newline, space, tab, etc) This helps quickly identify malformed token secrets.
Detects when an SSH private key is mistakenly passed as api-token. Provides clear error message explaining the difference between SSH keys and GitHub tokens. This catches the error before the generic whitespace check.
Changes: - Add ssh-key input parameter - Make api-token optional when ssh-key is provided - Pass ssh-key to actions/checkout steps - Skip token validation when using SSH key - Skip git credential config when using SSH key - Validate that only one auth method is provided This allows the action to work with deploy keys, matching the functionality of the previous reusable workflow implementation. Refs: https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#push-using-ssh-deploy-keys
SSH key can be used for git operations while token is used for GitHub API calls (gh commands, PR creation, etc). This is a valid and useful configuration.
Changes: - Step 1: Validate authentication inputs (checks at least one is present) - Step 2: Validate API token (runs only if token provided) - Step 3: Validate SSH key (runs only if SSH key provided) Benefits: - Clearer separation of concerns - Easier to read and maintain - Each validation only runs when relevant - SSH key validation now checks format
The actions/checkout action already handles git credential configuration when token or ssh-key is provided. Manual configuration was redundant and could potentially interfere with checkout's credential handling.
![seer-by-sentry[bot]](https://avatars.githubusercontent.com/in/801464?s=60&v=4){kind=small}
When using only ssh-key (no api-token), GH_TOKEN was set to empty string,
causing gh CLI to refuse authentication instead of falling back to the
default GITHUB_TOKEN. This broke critical steps that use gh api:
- Parse existing PR URL
- Get changelog
- Update dependency (when filtering by GH release titles)
Changed all instances of:
GH_TOKEN: ${{ inputs.api-token }}
To:
GH_TOKEN: ${{ inputs.api-token || github.token }}
This ensures gh CLI always has valid authentication.
Fixes seer-by-sentry review comment:
#134 (comment)
vaind
changed the title
|
antonis
added a commit
to getsentry/sentry-react-native
that referenced
this pull request
Oct 9, 2025
10 tasks
antonis
added a commit
to getsentry/sentry-react-native
that referenced
this pull request
Oct 10, 2025
…king changes (#5218) * fix(deps): Fix workflow runs breakage after bump to v3 * Temporarily add the current branch for testing * Update React Native * Remove unneeded default strategy * Update Sentry updater action version in workflow * Update Sentry updater action version in workflow * Update Sentry updater action version in workflow * Update Sentry updater action version in workflow * Update update-deps.yml * Update update-deps.yml * Update GitHub Actions updater version and token type * Update update-deps.yml * Test all all update-deps with changes from getsentry/github-workflows#134 * Update updater action to version 3 in workflows * Revert "Temporarily add the current branch for testing" This reverts commit 26e20ad. --------- Co-authored-by: Ivan Dlugos <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Enhances the updater action with comprehensive authentication validation and adds SSH key support as an alternative to token-based authentication.
Closes #128
Problem
The updater action could fail with cryptic "terminal prompts disabled" errors when there are authentication issues. Based on actions/checkout#664, common causes include:
Additionally, the action didn't support SSH deploy keys after the v3.0 migration from reusable workflow to composite action. In v2, SSH keys could be passed via
api-token, but this stopped working in v3.0.Solution
Authentication Validation (3 separate steps)
SSH Key Support
ssh-keyinput parameterapi-tokenoptional whenssh-keyis providedError Messages
Provides detailed, actionable error messages for common issues:
Changes
ssh-keyinput parameterapi-tokenoptional (requires eitherapi-tokenorssh-key)tokenandssh-keytoactions/checkoutTest Results
✅ Verified working in https://github.com/getsentry/sentry-react-native/actions/runs/18375302113/job/52347744634?pr=5218
Breaking Changes
If you were passing SSH keys via
api-tokenin v3.0: You must now use thessh-keyinput instead.Note: If you're already using tokens correctly (not SSH keys), no changes are needed.
🤖 Generated with Claude Code