This article provides a straightforward method for utilizing GitHub actions to create a temporary SSH shell that can be used for testing on different platforms. The conclusion of this article includes security concern regarding this technique.
Introduction
GitHub has been offering actions for a few years now. These actions are typically used to build software or run tasks associated with a repository. All actions run on a dedicated virtual machine under Ubuntu or macOS, which lasts for up to 6 hours before being terminated.
The purpose of this article is to demonstrate how to use tmate to share a session on that virtual machine as a temporary shell.
Share the GitHub virtual machine
One example of a simple workflow is to use a VM that has been prepared by GitHub. One example of a simple workflow:
on:
workflow_dispatch:
inputs:
os:
description: 'macOS version'
required: true
default: 'latest'
type: choice
options:
- 11
- 12
- 13
- 14
- latest
jobs:
runshell:
runs-on: macos-${{ inputs.os }}
steps:
- name: Install tmate
run:
brew install tmate
- name: Run tmate
run:
tmate -F
defines a job which should be run manually inside Actions tab with
specified version of macOS. After a few minutes, it becomes stuck with
output similar to:
To connect to the session locally, run: tmate -S /tmp/tmate-0/nmAwtR attach
Connecting to ssh.tmate.io...
web session read only: https://tmate.io/t/ro-gkRuawjAS4zSBENGSWzfjVz5j
ssh session read only: ssh ro-gkRuawjAS4zSBENGSWzfjVz5j@nyc1.tmate.io
web session: https://tmate.io/t/2RamqT7nLqYnywJjJ7vyYNsBa
ssh session: ssh 2RamqT7nLqYnywJjJ7vyYNsBa@nyc1.tmate.io
which provides instructions on how to connect to the machine via SSH or HTTP.
The machine will be terminated in 6 hours, but you may terminate it
early by logging in via SSH and killing the tmate process by using the
command killall tmate.
Share nested virtual machine
The same approach can be used to share almost any virtual machine (VM). The only requirements that VM should be available as GitHub action1.
An example how to run OpenBSD as a GitHub action:
on:
workflow_dispatch:
inputs:
os:
description: 'OpenBSD version'
required: true
default: '7.4'
type: choice
options:
- 7.2
- 7.3
- 7.4
jobs:
runshell:
runs-on: ubuntu-latest
steps:
- name: Install OpenBSD VM
uses: vmactions/openbsd-vm@v1
with:
release: ${{ inputs.os }}
mem: 13312
sync: no
prepare:
pkg_add curl
- name: Install tmate
run:
ssh openbsd pkg_add tmate
- name: Run tmate
run:
ssh openbsd tmate -F
Ready-to-use shells collections
Here is a collection of my VMs that I use for development from time to time: https://github.com/catap/shell.
To use it, you need to fork it into your account and run it.
Security concern
However, please note that this solution has a security flaw as it is publicly available.
Once you run an action, anyone can access it and get the connection link, and connect to your machine.
You can reduce the risk by keeping your repository private. However, anyone who knows the connection link can connect to it without any restrictions.
tmate supports a white list of allowed keys, but using it kills the
simplicity of this solution.
This project creates and updates virtual machines for use in GitHub actions: https://github.com/vmactions ↩︎