The authenticity of github host can't be stablished

Build Environment
1

With my current Circle CI config, I get this warning prompt (which freezes the job):

The authenticity of host 'github.com (140.82.113.4)' can't be established.
RSA key fingerprint is SHA256:nThbg3kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
Are you sure you want to continue connecting (yes/no)?

In order to fix it, I use the following workaround:

- run:
    name: Avoid hosts unknown for github
    command: mkdir ~/.ssh/ && echo -e "Host github.com\n\tStrictHostKeyChecking no\n" > ~/.ssh/config

Documented here

However I was wondering if any one found a more cleaner solution for this problem.

I’ve already tried the following:

Below my Circle CI config:

version: 2

defaults: &defaults
  working_directory: ~/repo
  docker:
    - image: circleci/node:latest

jobs:
  test:
    <<: *defaults
    steps:
      - checkout
      - restore_cache:
          keys:
            - v1-dependencies-{{ checksum "package.json" }}
            - v1-dependencies-
      - run: yarn install
      - save_cache:
          paths:
            - node_modules
          key: v1-dependencies-{{ checksum "package.json" }}
      - persist_to_workspace:
          root: ~/repo
          paths: .
      - run: yarn test
      - run: yarn chromatic test --exit-zero-on-changes
  deploy:
    <<: *defaults
    steps:
      - attach_workspace:
          at: ~/repo
      - run:
          name: Avoid hosts unknown for github
          command: mkdir ~/.ssh/ && echo -e "Host github.com\n\tStrictHostKeyChecking no\n" > ~/.ssh/config
      - run:
          name: Install Now CLI
          command: sudo npm install --global --unsafe-perm now
      - run:
          name: Authenticate with registry
          command: echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > ~/repo/.npmrc
      - run:
          name: deploy
          command: |
            if [ "${CIRCLE_BRANCH}" == "master" ]; then
                  npm run release && now --token $ZEIT_TOKEN --prod 
            else 
                  now --token $ZEIT_TOKEN
            fi
workflows:
  version: 2
  test-deploy:
    jobs:
      - test:
          filters:
            tags:
              only: /^v.*/
      - deploy:
          requires:
            - test

Basically it fails executing the npm run release script, which requires push permissions to upload the git tags.

2

If you’re going to use deploy keys, which is what you’re trying to do now, you need to use the - add-ssh-keys step to inject the keys.

For pushing back to GitHub though, a user key is best: https://circleci.com/docs/2.0/gh-bb-integration/#controlling-access-via-a-machine-user

3

Your first suggestion makes sense, but I’ve already tried it without success:

  • I have the user key in the project settings in Circle CI
  • That user key created by Circle CI has read/write permissions in github
  • I use the following add_ssh_key config for the deploy job:
  deploy:
    <<: *defaults
    steps:
      - attach_workspace:
          at: ~/repo
      - add_ssh_keys:
          fingerprints:
            - <fingerprint>
      ...

However the job still freezes and shows the same warning prompt as before.

I don’t think I can do the recommended user key method since I cannot access via SSH to Zeit servers in order to create a machine user there, as detailed here

4

@amalv Did you ever figure this problem out? I haven’t found a single CircleCI official response to this problem. I also don’t like the notion of disabling strict key checking. Thanks!

5

This only began happening the past day or so but I ran into this issue while installing Ruby gems from github on port 443.

This isn’t the best way to do this since if someone is spoofing GitHub this could be dangerous but since I’m only doing sandbox testing I’m not so concerned.

I added this command before my bundle install
ssh-keyscan -p 443 ssh.github.com >> ~/.ssh/known_hosts