Can we use GitHub deploy keys to get dependencies from multiple private repositories

[chetanyakan]

I am trying to install 2 or more private GitHub repositories as an NPM dependency to another project.

In my package.json file, I have dependencies from GitHub in the following format:

    "***-plugin": "git+ssh://git@github.com:***/******.git#1bdfa1248fe92b4ba239aca37c686c72898ccab5",

The following is a part of my github action yml file:

      - name: Setup SSH Keys and known_hosts
        uses: webfactory/ssh-agent@v0.3.0
        with:
          ssh-private-key: |
            ${{ secrets.SSH_PRIVATE_KEY }}
            ${{ secrets.ANOTHER_SSH_PRIVATE_KEY }}

The SSH_PRIVATE_KEYs are added as deploy keys to this repo.

In the next step, I try to run npm install.
Now based on the order of the private keys, only one of these dependencies installs successfully.
I have tried to change the order of these ssh keys, which changes the dependency that cannot be installed.

Is it possible to use deploy keys to access both the private repositories in this case?
Let me know if you need more information.

[mpdude]

Yes, basically that should work. It’s also described at https://github.com/webfactory/ssh-agent/blob/master/README.md#using-multiple-keys.

Can you see in the action output that both keys have been added to the agent?

Could it be that your remote server fails already after one wrong key has been presented?

[chetanyakan]

Yes. I can see that both the keys were installed. Here's a part of the output from my github actions:

 Setup SSH Keys and known_hosts                                     1s

Run webfactory/ssh-agent@v0.3.0
  with:
    ssh-private-key: ***
  ***
  env:
    GOROOT: /opt/hostedtoolcache/go/1.14.2/x64

Adding GitHub.com keys to /home/runner/.ssh/known_hosts
Starting ssh-agent
Adding private key to agent
Identity added: (stdin) ((stdin))
Identity added: (stdin) ((stdin))
Keys added:
4096 SHA256:nIm8JFZytuVAb/RN1LYFg+ABZrlokJjzpFsKz4FvsO0 (stdin) (RSA)
4096 SHA256:OyXgFF71To+5RlZrSesEMCqae4LqtsiESn0+WjgUYQs (stdin) (RSA)

The next step, which includes npm install fails:

npm ERR! Error while executing:
npm ERR! /usr/bin/git ls-remote -h -t ssh://git@github.com/**redacted**/**redacted**.git
npm ERR! 
npm ERR! Warning: Permanently added the RSA host key for IP address '140.82.112.3' to the list of known hosts.
npm ERR! ERROR: Repository not found.
npm ERR! fatal: Could not read from remote repository.
npm ERR! 
npm ERR! Please make sure you have the correct access rights
npm ERR! and the repository exists.
npm ERR! 
npm ERR! exited with error code: 128

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/runner/.npm/_logs/2020-06-15T10_37_47_273Z-debug.log
make: *** [webapp/.npminstall] Error 1
Makefile:187: recipe for target 'webapp/.npminstall' failed
##[error]Process completed with exit code 2.

[mpdude]

Could you please try to take npm out of the equation, by running two git clone commands directly from your action?

Use GIT_SSH_COMMAND="ssh -v" git clone <REPO_SSH>, so we get a little more details of where ssh fails.

[felixapitzsch]

+1
I have the same problem with github actions: fetching two private repos with two deployment keys fails.
I just tried to replace npm ci with git clone -v ssh://git@github.com/... , but the error stays the same:

4096 SHA256: ... (RSA)
4096 SHA256: ... (RSA)
Cloning into 'my-repo'...
Warning: Permanently added the RSA host key for IP address '140.82.113.3' to the list of known hosts.
ERROR: Repository not found.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
##[error]Process completed with exit code 128.

[felixapitzsch]

... using webfactory/ssh-agent@v0.4.0

[chetanyakan]

@felixapitzsch I haven't really had a chance to try the suggestions by @mpdude but I was able to get around the problem by creating GitHub Packages for both my private dependencies and then using those in my package.json file.

[mpdude]

Oh wait!

Where did you add which key?

If you have one repo running the action, and you need to fetch two private dependencies, then you need to create one SSH key.

The private part of it is added as the secret for the repo where the action is run. You just need to add this one key with the action.

The public key part is added in both private repos that you depend upon. Set it up as a deployment key in each one.

The deployment key basically says "when someone comes along and has an SSH key whose public part matches, they may read (or write) to this repo".

Does that make sense?

[mpdude]

Also see this improvement for the README: 5ef9e03#diff-04c6e90faac2675aa89e2176d2eec7d8

[felixapitzsch]

I have three private repositories on github, let's call them A, B, and C. A holds an app, while B and C hold libs. A uses B and C as dependencies (in package.json) and has a github action for npm build and sftp deploy on each push to master. Repositories B and C have a deployment key (public key).

My first attempt was trying to use the same pubilc key as a deployment key on B and C. However, github refuses to register the same public key for more than one repository and give some "already in use" error. Therefore, I was forced to add two different deployment keys for B and C.

Repository A holds the two matching private keys as secrets. Actually adding more than one of these private keys will reproduce the issue described above. Adding only one of the private keys will make cloning one of B/C work and the other one fail with permissons denied (as it should be).

If github would just allow reusing the same public key as a deployment key for B and C, everything would be so easy and straight forward ...

[mpdude]

My first attempt was trying to use the same pubilc key as a deployment key on B and C. However, github refuses to register the same public key for more than one repository and give some "already in use" error. Therefore, I was forced to add two different deployment keys for B and C.

I wasn't aware of that, good to know!

Could you please try to add both private keys on your repo A and then try to clone B and C from an action using GIT_SSH_COMMAND="ssh -vv" git clone ...url...?

That should give some SSH verbosity to understand what ssh (run by git) is trying to do.

[mpdude]

Possible explanation: When connecting to the repo where the private key is the second one, GitHub might actually recognize/accept the first key, because it is known. Then, however, the git operation fails because the key is not allowed to access this particular repo.

My guess is the SSH handshake happens before GitHub can know about which repo is requested, so they have no chance of rejecting the "wrong" key in the first place.

[mpdude]

https://superuser.com/questions/273037/using-the-identityfile-directive-in-ssh-config-when-agentforwarding-is-in-use

Not sure if we will be able to come up with a neat solution in this action, though 🤕

[felixapitzsch]

---

2020-07-02T11:00:27.1232799Z ##[endgroup]
2020-07-02T11:00:27.1656496Z Adding GitHub.com keys to /home/runner/.ssh/known_hosts
2020-07-02T11:00:27.1668218Z Starting ssh-agent
2020-07-02T11:00:27.2279376Z Adding private key to agent
2020-07-02T11:00:27.3188507Z Identity added: (stdin) (ci@mycompany.com)
2020-07-02T11:00:27.3294638Z Identity added: (stdin) (ci@mycompany.com)
2020-07-02T11:00:27.3296086Z Keys added:
2020-07-02T11:00:27.3344158Z 4096 SHA256:uExQ59z4kx1VhLOpci+JjGQaokEA6oA123456L6U/Ds ci@mycompany.com (RSA)
2020-07-02T11:00:27.3346682Z 4096 SHA256:8IsBSAThA123456xZsB197v9TmDdTYS5s46YhSrY2xI ci@mycompany.com (RSA)
2020-07-02T11:00:27.3488956Z ##[group]Run ssh-add -l
2020-07-02T11:00:27.3490067Z �[36;1mssh-add -l�[0m
2020-07-02T11:00:27.3491120Z �[36;1mGIT_SSH_COMMAND="ssh -vv" git clone -v git@github.com:mycompany/repo-b.git�[0m
2020-07-02T11:00:27.3492496Z �[36;1mGIT_SSH_COMMAND="ssh -vv" git clone -v git@github.com:mycompany/repo-c.git�[0m
2020-07-02T11:00:27.3493680Z �[36;1mnpm ci�[0m
2020-07-02T11:00:27.3494604Z �[36;1mnpm run start:build�[0m
2020-07-02T11:00:27.3538134Z shell: /bin/bash -e {0}
2020-07-02T11:00:27.3539071Z env:
2020-07-02T11:00:27.3539996Z SSH_AUTH_SOCK: /tmp/ssh-01KYofN3MhoM/agent.2600
2020-07-02T11:00:27.3541017Z SSH_AGENT_PID: 2601
2020-07-02T11:00:27.3542435Z ##[endgroup]
2020-07-02T11:00:27.3654376Z 4096 SHA256:uExQ59z4kx1VhLOpci+JjGQaokEA6oA123456L6U/Ds ci@mycompany.com (RSA)
2020-07-02T11:00:27.3655945Z 4096 SHA256:8IsBSAThA123456xZsB197v9TmDdTYS5s46YhSrY2xI ci@mycompany.com (RSA)
2020-07-02T11:00:27.3673950Z Cloning into 'repo-b'...
2020-07-02T11:00:27.3769277Z OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
2020-07-02T11:00:27.3770672Z debug1: Reading configuration data /etc/ssh/ssh_config
2020-07-02T11:00:27.3795009Z debug1: /etc/ssh/ssh_config line 19: Applying options for *
2020-07-02T11:00:27.3800905Z debug2: resolving "github.com" port 22
2020-07-02T11:00:27.3807414Z debug2: ssh_connect_direct: needpriv 0
2020-07-02T11:00:27.3808684Z debug1: Connecting to github.com [140.82.113.3] port 22.
2020-07-02T11:00:27.3825566Z debug1: Connection established.
2020-07-02T11:00:27.3826675Z debug1: key_load_public: No such file or directory
2020-07-02T11:00:27.3828258Z debug1: identity file /home/runner/.ssh/id_rsa type -1
2020-07-02T11:00:27.3829440Z debug1: key_load_public: No such file or directory
2020-07-02T11:00:27.3830835Z debug1: identity file /home/runner/.ssh/id_rsa-cert type -1
2020-07-02T11:00:27.3832050Z debug1: key_load_public: No such file or directory
2020-07-02T11:00:27.3833400Z debug1: identity file /home/runner/.ssh/id_dsa type -1
2020-07-02T11:00:27.3834579Z debug1: key_load_public: No such file or directory
2020-07-02T11:00:27.3835970Z debug1: identity file /home/runner/.ssh/id_dsa-cert type -1
2020-07-02T11:00:27.3837541Z debug1: key_load_public: No such file or directory
2020-07-02T11:00:27.3839053Z debug1: identity file /home/runner/.ssh/id_ecdsa type -1
2020-07-02T11:00:27.3840245Z debug1: key_load_public: No such file or directory
2020-07-02T11:00:27.3841625Z debug1: identity file /home/runner/.ssh/id_ecdsa-cert type -1
2020-07-02T11:00:27.3842852Z debug1: key_load_public: No such file or directory
2020-07-02T11:00:27.3844236Z debug1: identity file /home/runner/.ssh/id_ed25519 type -1
2020-07-02T11:00:27.3845400Z debug1: key_load_public: No such file or directory
2020-07-02T11:00:27.3846789Z debug1: identity file /home/runner/.ssh/id_ed25519-cert type -1
2020-07-02T11:00:27.3848279Z debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
2020-07-02T11:00:27.3870821Z debug1: Remote protocol version 2.0, remote software version babeld-ffbef2ae
2020-07-02T11:00:27.3872378Z debug1: no match: babeld-ffbef2ae
2020-07-02T11:00:27.3873437Z debug2: fd 3 setting O_NONBLOCK
2020-07-02T11:00:27.3874697Z debug1: Authenticating to github.com:22 as 'git'
2020-07-02T11:00:27.3876122Z debug1: SSH2_MSG_KEXINIT sent
2020-07-02T11:00:27.3877696Z debug1: SSH2_MSG_KEXINIT received
2020-07-02T11:00:27.3878756Z debug2: local client KEXINIT proposal
2020-07-02T11:00:27.3881511Z debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
2020-07-02T11:00:27.3884894Z debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
2020-07-02T11:00:27.3887358Z debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
2020-07-02T11:00:27.3889467Z debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
2020-07-02T11:00:27.3891990Z debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
2020-07-02T11:00:27.3895019Z debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
2020-07-02T11:00:27.3896639Z debug2: compression ctos: none,zlib@openssh.com,zlib
2020-07-02T11:00:27.3897802Z debug2: compression stoc: none,zlib@openssh.com,zlib
2020-07-02T11:00:27.3898910Z debug2: languages ctos:
2020-07-02T11:00:27.3899895Z debug2: languages stoc:
2020-07-02T11:00:27.3900884Z debug2: first_kex_follows 0
2020-07-02T11:00:27.3901894Z debug2: reserved 0
2020-07-02T11:00:27.3902915Z debug2: peer server KEXINIT proposal
2020-07-02T11:00:27.3904844Z debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
2020-07-02T11:00:27.3906622Z debug2: host key algorithms: ssh-dss,rsa-sha2-512,rsa-sha2-256,ssh-rsa
2020-07-02T11:00:27.3908693Z debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc
2020-07-02T11:00:27.3910975Z debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc
2020-07-02T11:00:27.3913158Z debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
2020-07-02T11:00:27.3915300Z debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
2020-07-02T11:00:27.3916798Z debug2: compression ctos: none,zlib,zlib@openssh.com
2020-07-02T11:00:27.3918192Z debug2: compression stoc: none,zlib,zlib@openssh.com
2020-07-02T11:00:27.3919297Z debug2: languages ctos:
2020-07-02T11:00:27.3920295Z debug2: languages stoc:
2020-07-02T11:00:27.3922461Z debug2: first_kex_follows 0
2020-07-02T11:00:27.3923556Z debug2: reserved 0
2020-07-02T11:00:27.3924894Z debug1: kex: algorithm: curve25519-sha256
2020-07-02T11:00:27.3926229Z debug1: kex: host key algorithm: rsa-sha2-512
2020-07-02T11:00:27.3928761Z debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
2020-07-02T11:00:27.3930700Z debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
2020-07-02T11:00:27.3932107Z debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
2020-07-02T11:00:27.4472710Z debug1: Server host key: ssh-rsa SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
2020-07-02T11:00:27.4474661Z debug1: Host 'github.com' is known and matches the RSA host key.
2020-07-02T11:00:27.4475930Z debug1: Found key in /home/runner/.ssh/known_hosts:2
2020-07-02T11:00:27.4479078Z Warning: Permanently added the RSA host key for IP address '140.82.113.3' to the list of known hosts.
2020-07-02T11:00:27.4496759Z debug2: set_newkeys: mode 1
2020-07-02T11:00:27.4497892Z debug1: rekey after 134217728 blocks
2020-07-02T11:00:27.4498904Z debug1: SSH2_MSG_NEWKEYS sent
2020-07-02T11:00:27.4499934Z debug1: expecting SSH2_MSG_NEWKEYS
2020-07-02T11:00:27.4516862Z debug1: SSH2_MSG_NEWKEYS received
2020-07-02T11:00:27.4518123Z debug2: set_newkeys: mode 0
2020-07-02T11:00:27.4519403Z debug1: rekey after 134217728 blocks
2020-07-02T11:00:27.4520733Z debug2: key: ci@mycompany.com (0x5608cd2445b0), agent
2020-07-02T11:00:27.4522067Z debug2: key: ci@mycompany.com (0x5608cd245830), agent
2020-07-02T11:00:27.4523243Z debug2: key: /home/runner/.ssh/id_rsa ((nil))
2020-07-02T11:00:27.4524451Z debug2: key: /home/runner/.ssh/id_dsa ((nil))
2020-07-02T11:00:27.4527187Z debug2: key: /home/runner/.ssh/id_ecdsa ((nil))
2020-07-02T11:00:27.4529084Z debug2: key: /home/runner/.ssh/id_ed25519 ((nil))
2020-07-02T11:00:27.4535429Z debug1: SSH2_MSG_EXT_INFO received
2020-07-02T11:00:27.4537652Z debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss>
2020-07-02T11:00:27.4953389Z debug2: service_accept: ssh-userauth
2020-07-02T11:00:27.4954671Z debug1: SSH2_MSG_SERVICE_ACCEPT received
2020-07-02T11:00:27.4969984Z debug1: Authentications that can continue: publickey
2020-07-02T11:00:27.4971435Z debug1: Next authentication method: publickey
2020-07-02T11:00:27.4972878Z debug1: Offering public key: RSA SHA256:uExQ59z4kx1VhLOpci+JjGQaokEA6oA123456L6U/Ds ci@mycompany.com
2020-07-02T11:00:27.4974237Z debug2: we sent a publickey packet, wait for reply
2020-07-02T11:00:27.5100038Z debug1: Authentications that can continue: publickey
2020-07-02T11:00:27.5101529Z debug1: Offering public key: RSA SHA256:8IsBSAThA123456xZsB197v9TmDdTYS5s46YhSrY2xI ci@mycompany.com
2020-07-02T11:00:27.5102907Z debug2: we sent a publickey packet, wait for reply
2020-07-02T11:00:27.5436834Z debug1: Server accepts key: pkalg ssh-rsa blen 535
2020-07-02T11:00:27.5439881Z debug2: input_userauth_pk_ok: fp SHA256:8IsBSAThA123456xZsB197v9TmDdTYS5s46YhSrY2xI
2020-07-02T11:00:27.5537093Z debug1: Authentication succeeded (publickey).
2020-07-02T11:00:27.5538277Z Authenticated to github.com ([140.82.113.3]:22).
2020-07-02T11:00:27.5539365Z debug2: fd 5 setting O_NONBLOCK
2020-07-02T11:00:27.5540400Z debug2: fd 6 setting O_NONBLOCK
2020-07-02T11:00:27.5541597Z debug2: fd 7 setting O_NONBLOCK
2020-07-02T11:00:27.5543122Z debug1: channel 0: new [client-session]
2020-07-02T11:00:27.5544322Z debug2: channel 0: send open
2020-07-02T11:00:27.5545668Z debug1: Entering interactive session.
2020-07-02T11:00:27.5546685Z debug1: pledge: network
2020-07-02T11:00:27.5560580Z debug2: channel_input_open_confirmation: channel 0: callback start
2020-07-02T11:00:27.5562143Z debug2: fd 3 setting TCP_NODELAY
2020-07-02T11:00:27.5563249Z debug2: client_session2_setup: id 0
2020-07-02T11:00:27.5564260Z debug1: Sending environment.
2020-07-02T11:00:27.5565714Z debug1: Sending env LANG = C.UTF-8
2020-07-02T11:00:27.5566883Z debug2: channel 0: request env confirm 0
2020-07-02T11:00:27.5568388Z debug1: Sending command: git-upload-pack 'mycompany/repo-b.git'
2020-07-02T11:00:27.5569637Z debug2: channel 0: request exec confirm 1
2020-07-02T11:00:27.5570783Z debug2: channel_input_open_confirmation: channel 0: callback done
2020-07-02T11:00:27.5572033Z debug2: channel 0: open confirm rwindow 32000 rmax 35000
2020-07-02T11:00:27.5577820Z debug2: channel_input_status_confirm: type 99 id 0
2020-07-02T11:00:27.5579017Z debug2: exec request accepted on channel 0
2020-07-02T11:00:27.5998098Z debug2: channel 0: rcvd ext data 29
2020-07-02T11:00:27.6001942Z debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
2020-07-02T11:00:27.6003317Z debug2: channel 0: rcvd eof
2020-07-02T11:00:27.6004923Z debug2: channel 0: output open -> drain
2020-07-02T11:00:27.6005988Z debug2: channel 0: rcvd close
2020-07-02T11:00:27.6007012Z debug2: channel 0: close_read
2020-07-02T11:00:27.6008253Z debug2: channel 0: input open -> closed
2020-07-02T11:00:27.6009369Z debug2: channel 0: obuf_empty delayed efd 7/(29)
2020-07-02T11:00:27.6010842Z ERROR: Repository not found.
2020-07-02T11:00:27.6011893Z debug2: channel 0: written 29 to efd 7
2020-07-02T11:00:27.6012935Z debug2: channel 0: obuf empty
2020-07-02T11:00:27.6018952Z debug2: channel 0: close_write
2020-07-02T11:00:27.6020602Z debug2: channel 0: output drain -> closed
2020-07-02T11:00:27.6021732Z debug2: channel 0: almost dead
2020-07-02T11:00:27.6022780Z debug2: channel 0: gc: notify user
2020-07-02T11:00:27.6023808Z debug2: channel 0: gc: user detached
2020-07-02T11:00:27.6024832Z debug2: channel 0: send close
2020-07-02T11:00:27.6025848Z debug2: channel 0: is dead
2020-07-02T11:00:27.6026872Z debug2: channel 0: garbage collecting
2020-07-02T11:00:27.6028212Z debug1: channel 0: free: client-session, nchannels 1
2020-07-02T11:00:27.6029328Z debug1: fd 0 clearing O_NONBLOCK
2020-07-02T11:00:27.6030345Z debug1: fd 1 clearing O_NONBLOCK
2020-07-02T11:00:27.6031371Z debug1: fd 2 clearing O_NONBLOCK
2020-07-02T11:00:27.6032448Z Transferred: sent 4064, received 2448 bytes, in 0.0 seconds
2020-07-02T11:00:27.6033601Z Bytes per second: sent 88314.9, received 53197.5
2020-07-02T11:00:27.6034685Z debug1: Exit status 1
2020-07-02T11:00:27.6035809Z fatal: Could not read from remote repository.
2020-07-02T11:00:27.6036383Z
2020-07-02T11:00:27.6037682Z Please make sure you have the correct access rights
2020-07-02T11:00:27.6038814Z and the repository exists.
2020-07-02T11:00:27.6048757Z ##[error]Process completed with exit code 128.
2020-07-02T11:00:27.6114523Z Post job cleanup.
2020-07-02T11:00:27.6592395Z Stopping SSH agent
2020-07-02T11:00:27.6763031Z Post job cleanup.
2020-07-02T11:00:27.9074004Z [command]/usr/bin/git version
2020-07-02T11:00:27.9075029Z git version 2.27.0
2020-07-02T11:00:27.9081514Z [command]/usr/bin/git config --local --name-only --get-regexp core.sshCommand
2020-07-02T11:00:27.9084589Z [command]/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'core.sshCommand' && git config --local --unset-all 'core.sshCommand' || :
2020-07-02T11:00:27.9086883Z [command]/usr/bin/git config --local --name-only --get-regexp http.https://github.com/.extraheader
2020-07-02T11:00:27.9088469Z http.https://github.com/.extraheader
2020-07-02T11:00:27.9134853Z [command]/usr/bin/git config --local --unset-all http.https://github.com/.extraheader
2020-07-02T11:00:27.9139045Z [command]/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'http.https://github.com/.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :
2020-07-02T11:00:27.9162372Z Cleaning up orphan processes

[felixapitzsch]

Possible explanation: When connecting to the repo where the private key is the second one, GitHub might actually recognize/accept the first key, because it is known. Then, however, the git operation fails because the key is not allowed to access this particular repo.

My guess is the SSH handshake happens before GitHub can know about which repo is requested, so they have no chance of rejecting the "wrong" key in the first place.

That would also be my guess. And I don't see any good way to fix this. A colleague suggested to try something like

GIT_SSH_COMMAND='ssh -i private_key_file -o IdentitiesOnly=yes' git clone user@host:repo.git

or

ssh-agent $(ssh-add /somewhere/yourkey; git clone git@github.com:user/project.git)

explicitly specifying single individual keyfiles for each repository to clone. However, I want to use npm directly instead of using git clone. This would force me to specify repo A and B in my package.json as dependencies located in the local file system and use npm pre-install hooks to call git clone with the matching keyfiles in order to clone the repositories to the local filesystem and install from there. This looks super hacky to me and will not be very feasible when using the same package.json for local development.

Any ideas for a different approach?