When testing a private repository, you may need to fetch private dependencies, like a private git submodule. A common approach to authorize a submodule is to use a private key with access to multiple repositories on GitHub.
Until recently, the only way to set a custom SSH key was to put it in the
However, there were security concerns attached to this approach.
To improve on that, we’re introducing a way to add an SSH key in the UI:
After clicking “Add a custom SSH key”, you can add a key, which will then be used in your builds:
To make it easier to identify the SSH key in use, we now also display its fingerprint in the build logs:
The SSH key added through the UI is securely stored in our DB in an encrypted form. To reduce the attack surface, we recommend using a user with as little access as possible, with access only to the repositories used as dependencies.
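To confirm that a fingerprint shown in a build log belongs to the key you expect, you can recompute it from the public half of that key. The following is an added example, not Travis CI code: it assumes the log shows either the MD5 colon-hex form or the `SHA256:` base64 form (the post does not say which), and the key it builds is constructed sample data.

```python
import base64
import hashlib
import struct


def constructed_pubkey(raw=bytes(range(32))):
    """Build a constructed ssh-ed25519 public key line (sample data only)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " deps@example.invalid"


def key_blob(pubkey_line):
    """Decode the key blob of a '<type> <base64> [comment]' public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type. A mismatch
    # means the line was edited or truncated, so refuse to fingerprint it.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("declared key type does not match key blob")
    return blob


def fingerprints(pubkey_line):
    """Return the MD5 (colon-hex) and SHA256 (unpadded base64) fingerprints."""
    blob = key_blob(pubkey_line)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}


def matches_log_fingerprint(pubkey_line, logged):
    """True if a fingerprint copied from a build log belongs to this key."""
    logged = logged.strip()
    fps = fingerprints(pubkey_line)
    if logged.startswith("SHA256:"):
        return logged == fps["sha256"]          # base64 is case-sensitive
    if logged.upper().startswith("MD5:"):
        logged = logged[4:]
    return logged.lower() == fps["md5"]         # hex digits are not


if __name__ == "__main__":
    print(fingerprints(constructed_pubkey()))
```

A mismatch between the logged fingerprint and the key you intended to configure means the build is using a different key than the one you scoped to the dependency repositories.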
Other ways to add private dependencies
We hope that you will find the new UI addition useful. If there’s anything else you would like to know about this way of dealing with dependencies, or if you want to find out what the alternatives are, we created a documentation page on the subject: Private dependencies.