Add support for SSH Host Key Checking

By default it seems that SSH host key checking has been disabled. This patch makes it optional. If a variable named known_hosts is passed in, the key checking will be enabled. The variable should contain the complete contents of the known_hosts file, which must contain the public key(s) of the host(s) in the inventory.
2025-12-09 14:20:42 -07:00 · 2021-04-04 14:51:37 -04:00
parent aad578fcdd
commit d45b74f42d
4 changed files with 32 additions and 2 deletions
--- a/main.js
+++ b/main.js
@@ -12,6 +12,7 @@ async function main() {
        const key = core.getInput("key")
        const inventory = core.getInput("inventory")
        const vaultPassword = core.getInput("vault_password")
+        const knownHosts = core.getInput("known_hosts")
        const options = core.getInput("options")

        let cmd = ["ansible-playbook", playbook]
@@ -63,10 +64,27 @@ async function main() {
            cmd.push(vaultPasswordFile)
        }

-        process.env.ANSIBLE_HOST_KEY_CHECKING = "False"
+        if (knownHosts) {
+            const knownHostsFile = ".ansible_known_hosts"
+            fs.writeFileSync(knownHostsFile, knownHosts, { mode: 0600 })
+            core.saveState("knownHostsFile", knownHostsFile)
+            let known_hosts_param = [
+                "--ssh-common-args=",
+                "\"",
+                "-o UserKnownHostsFile=",
+                knownHostsFile,
+                "\""
+            ].join('')
+            cmd.push(known_hosts_param)
+            process.env.ANSIBLE_HOST_KEY_CHECKING = "True"
+        } else {
+            process.env.ANSIBLE_HOST_KEY_CHECKING = "False"
+        }
+
        process.env.ANSIBLE_FORCE_COLOR = "True"

-        await exec.exec(cmd.join(" "))
+        await exec.exec(cmd.join(' '))
+
    } catch (error) {
        core.setFailed(error.message)
    }