Unable to create a "write" key for our GitHub Repo

We have a handful of our GitHub repos that use Circle for the build and deploy process. They were set up by an employee that is no longer here.

Part of the production deploy process does some syncing and rebasing across branches in our repo, which has broken since we removed that employee from our GitHub account.

I’ve tried adding new checkout keys, but none of that seems to work for actually “writing” to the repo. I can add a Read-Only deploy key, which allows the check-out to happen, but that’s as far as I can get.

Ultimately, I want the former employee’s key to be removed and mine added in its place or the ability to otherwise add a key that has write access to the GitHub repo. As far as I can tell, there is no way under Project Settings > Checkout SSH Keys for me to change to another user.

Any ideas?

I would assume that controlling user accounts just happens inside GitHub. If the SSH key is completely invalidated then it is correct for it to no longer work. Just create a new one, and then put the appropriate public and private keys in the right screens between GitHub and CircleCI (and for tidiness, remove the old key from CircleCI, even if it is deleted/invalidated at GitHub).

I’ve tried that using the information found here and it did nothing. I still have errors with permissions when trying to sync the branches.

I’ll revalidate the keys and have another crack at it.

Could you expand on what errors you get, and what Git operations you are doing to perform a sync?

This is the step that is failing in my config.yaml.

...
  sync_branches:
    <<: *defaults
    steps:
      - checkout
      - add_ssh_keys:
          fingerprints:
            - "6b:83:f2:26:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:60:9e"
            - "e8:cf:f2:20:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:74:67"
      - run:
          name: Rebase master onto production
          command: |
            git checkout master && \
            git rebase origin/production && \
            git push origin master
...

The error I get is:

ERROR: The key you are authenticating with has been marked as read only.
fatal: Could not read from remote repository.

I’ve tried adding multiple keys to GitHub and CircleCI and verified the keys are set to read/write on both ends.

OK, you have two keys specified here - you only normally need one. Try finding out the fingerprint of the r/w key, and then specify that. If that does not work then try removing the fingerprints section totally - it is optional, and if you do not have it I think it will pull all keys.

Of course, it is worth having a tidy-up in your CircleCI project settings to ensure there are no dead keys in there, and to ensure you have the right ones.

Finally, if all the above persists, get a build with SSH, let it fail, and then cat the key inside an SSH session. Ultimately what you need to do is to find out whether it is writing the correct key to the .ssh folder. If it is, and it is still not working, you would then need to use SSH debug mode (inside Git) to see why the remote is refusing the key. My guess, however, is that the wrong key is being added on the CircleCI side - can you dig into that?
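To work out which key each entry under `fingerprints:` refers to, as suggested in the reply above, the colon-separated MD5 value can be recomputed from a public key line and matched against the config. This is an added example, not part of any post in this thread; the key lines, labels and the `audit` helper are constructed for illustration.

```python
import base64
import hashlib

def key_blob(pubkey_line):
    """Decode the key blob from an OpenSSH public key line: 'type base64 [comment]'."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    return base64.b64decode(fields[1], validate=True)

def md5_fingerprint(blob):
    """Legacy colon-separated MD5 form, as used in the add_ssh_keys fingerprints."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sha256_fingerprint(blob):
    """Form that current OpenSSH prints by default (ssh-keygen -lf)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(config_fingerprints, known_keys):
    """Map each fingerprint in the CI config to the label of a known key, or None."""
    by_md5 = {md5_fingerprint(key_blob(line)): label
              for label, line in known_keys.items()}
    return {fp: by_md5.get(fp.lower()) for fp in config_fingerprints}

def _constructed_key(seed):
    # Constructed stand-in for a public key line; the blob is not a real key.
    blob = (b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20"
            + hashlib.sha256(seed).digest())
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"

# Hypothetical inventory: label -> public key line copied from each key's .pub file.
KNOWN_KEYS = {
    "deploy key (read-only)": _constructed_key(b"ro"),
    "user key (read/write)": _constructed_key(b"rw"),
}

if __name__ == "__main__":
    rw_blob = key_blob(KNOWN_KEYS["user key (read/write)"])
    # Second entry is a constructed fingerprint that matches no known key.
    config = [md5_fingerprint(rw_blob),
              "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff"]
    for fp, label in audit(config, KNOWN_KEYS).items():
        print(fp, "->", label or "NO MATCHING KEY (stale entry?)")
    print("same key, SHA256 form:", sha256_fingerprint(rw_blob))
```

An entry that maps to no known key, or only to the read-only deploy key, is a candidate for removal from the config and from the project's key settings.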

So here’s what I ended up having to do.

Under Settings > Permissions > Checkout Keys there were two keys. One for the former employee and a “deploy key”. The deploy key has read access, but not write access. From what I could tell, there was no way to add another “user key”.

The secret was that I needed to delete the former employee’s key. This gave the option to add another user key.

Now everything works.

You’re welcome :grinning: