Create GitHub Deploy Key

Action ID: github:deployKey:create
NPM Package: @backstage/plugin-scaffolder-backend-module-github

Description

Creates and stores Deploy Keys

Input Schema

| Property | Type | Description | Required |
| --- | --- | --- | --- |
| token | string | The token to use for authorization to GitHub | |
| repoUrl | string | Accepts the format `github.com?repo=reponame&owner=owner` where `reponame` is the new repository name and `owner` is an organization or username | |
| publicKey | string | Generated from `ssh-keygen`. Begins with `ssh-rsa`, `ecdsa-sha2-nistp256`, `ecdsa-sha2-nistp384`, `ecdsa-sha2-nistp521`, `ssh-ed25519`, `sk-ecdsa-sha2-nistp256@openssh.com`, or `sk-ssh-ed25519@openssh.com`. | |
| privateKey | string | SSH Private Key generated from `ssh-keygen` | |
| deployKeyName | string | - | |
| privateKeySecretName | string | Name of the GitHub Secret to store the private key related to the Deploy Key. Defaults to: `KEY_NAME_PRIVATE_KEY` where `KEY_NAME` is the name of the Deploy Key | |

Output Schema

| Property | Type | Description | Required |
| --- | --- | --- | --- |
| privateKeySecretName | string | The GitHub Action Repo Secret Name for the Private Key | |

Usage Examples

Create a deploy key for a newly published service repository

Creates a deploy key after publishing a new repository. Use this when you need CI to clone the repo via SSH using a key pair provided by the template parameters and store the private key as a repo secret with the default name.

```yaml
steps:
  - id: fetch-base
    action: fetch:template
    input:
      url: ./skeleton
      values:
        name: ${{ parameters.repoName }}
        owner: ${{ parameters.owner }}

  - id: publish-repo
    action: publish:github
    input:
      repoUrl: github.com?repo=${{ parameters.repoName }}&owner=${{ parameters.owner }}

  - id: create-deploy-key
    action: github:deployKey:create
    input:
      repoUrl: github.com?repo=${{ parameters.repoName }}&owner=${{ parameters.owner }}
      deployKeyName: cicd-deploy-key
      publicKey: ${{ parameters.sshPublicKey }}
      privateKey: ${{ parameters.sshPrivateKey }}
```

This example references fetch:template and publish:github.

Create a deploy key with a custom secret name using a PAT

Creates a deploy key for an existing repository and stores the private key under a specific secret name. Use this when you want a predictable secret key name and must authorize with a personal access token.

```yaml
steps:
  - id: create-deploy-key
    action: github:deployKey:create
    input:
      repoUrl: github.com?repo=${{ parameters.existingRepo }}&owner=${{ parameters.owner }}
      deployKeyName: external-ci-key
      privateKeySecretName: EXTERNAL_CI_SSH_PRIVATE_KEY
      publicKey: ${{ parameters.sshPublicKey }}
      privateKey: ${{ parameters.sshPrivateKey }}
      token: ${{ parameters.githubToken }}
```

Inline ed25519 keypair for a private repo

Creates a deploy key using an inline ed25519 keypair. Use this when the template itself generates keys and you want to embed them directly in the step.

```yaml
steps:
  - id: create-deploy-key
    action: github:deployKey:create
    input:
      repoUrl: github.com?repo=${{ parameters.repoName }}&owner=${{ parameters.owner }}
      deployKeyName: deployment-bot
      publicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2a3Uo6l1P4H8l8XyY0g2wqKkzv0o8s9f1G4m2b7cQ9 ci@runner
      # Inline literal: the private key is stored in the template source itself.
      privateKey: |
        -----BEGIN OPENSSH PRIVATE KEY-----
        b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAlwAAAAdzc2gtZW
        QyNTUxOQAAACD1f3KqgYJq3m6J9WQk8x3n9rCzqP8iJXo1qZ0XQ2ho4W5oO2t4y8G0u0iG
        B6mAAAACmRlbW9AdXNlcgECAwQFBg==
        -----END OPENSSH PRIVATE KEY-----
```
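
The `repoUrl` and `publicKey` rules from the input schema, and the inline private key used in this example, can be checked before a template is merged. The following is an added example, not Backstage's own code: `lintDeployKeyInput`, its helpers and the finding strings are hypothetical, and it assumes the step's `input` has already been parsed from YAML into an object.

```javascript
// Added example: lint the `input` of a github:deployKey:create step before the
// template is merged. Function names and finding strings are hypothetical.
const KEY_TYPES = [
  'ssh-rsa', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521',
  'ssh-ed25519', 'sk-ecdsa-sha2-nistp256@openssh.com', 'sk-ssh-ed25519@openssh.com',
];
const isExpression = v => /^\s*\$\{\{.*\}\}\s*$/s.test(String(v));

// repoUrl is "host?repo=NAME&owner=OWNER", not a full URL, so split it by hand.
function parseRepoUrl(repoUrl) {
  const [host, query = ''] = String(repoUrl || '').split('?');
  const params = new URLSearchParams(query);
  return { host, repo: params.get('repo'), owner: params.get('owner') };
}

// An OpenSSH public key blob opens with a uint32 length and then the key type name.
function blobKeyType(base64Blob) {
  const buf = Buffer.from(base64Blob, 'base64');
  if (buf.length < 4) return null;
  const len = buf.readUInt32BE(0);
  if (len === 0 || 4 + len > buf.length) return null;
  return buf.toString('ascii', 4, 4 + len);
}

function lintDeployKeyInput(input) {
  const findings = [];
  const { host, repo, owner } = parseRepoUrl(input.repoUrl);
  if (!host || !repo || !owner) findings.push('repoUrl: expected host?repo=NAME&owner=OWNER');
  if (!isExpression(input.publicKey)) { // template expressions are resolved at run time
    const [type, blob = ''] = String(input.publicKey || '').trim().split(/\s+/);
    if (!KEY_TYPES.includes(type)) findings.push('publicKey: unsupported key type prefix');
    else if (blobKeyType(blob) !== type) findings.push('publicKey: blob does not match prefix');
  }
  // A literal PEM block means the private key lives in the template repository.
  if (/-----BEGIN [A-Z ]*PRIVATE KEY-----/.test(String(input.privateKey || ''))) {
    findings.push('privateKey: literal key material in template source');
  }
  return findings;
}

// Constructed sample: a well-formed ed25519 blob carrying an all-zero key.
function sampleEd25519PublicKey() {
  const u32 = n => { const b = Buffer.alloc(4); b.writeUInt32BE(n); return b; };
  const name = Buffer.from('ssh-ed25519');
  const blob = Buffer.concat([u32(name.length), name, u32(32), Buffer.alloc(32)]);
  return `ssh-ed25519 ${blob.toString('base64')} constructed@example`;
}
```

A step that takes `privateKey` from `${{ parameters.… }}` returns no findings; the inline form shown above returns the `privateKey` finding.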

Provision deploy keys for two repositories in one workflow

Creates deploy keys for both an application repo and an infrastructure repo. Use this when a service and its infra repo both need SSH access from CI.

```yaml
steps:
  - id: fetch
    action: fetch:template
    input:
      url: ./skeleton
      values:
        appRepo: ${{ parameters.appRepo }}
        infraRepo: ${{ parameters.infraRepo }}
        owner: ${{ parameters.owner }}

  - id: create-app-deploy-key
    action: github:deployKey:create
    input:
      repoUrl: github.com?repo=${{ parameters.appRepo }}&owner=${{ parameters.owner }}
      deployKeyName: app-ci-key
      publicKey: ${{ parameters.appPublicKey }}
      privateKey: ${{ parameters.appPrivateKey }}

  - id: create-infra-deploy-key
    action: github:deployKey:create
    input:
      repoUrl: github.com?repo=${{ parameters.infraRepo }}&owner=${{ parameters.owner }}
      deployKeyName: infra-ci-key
      privateKeySecretName: INFRA_CI_PRIVATE_KEY
      publicKey: ${{ parameters.infraPublicKey }}
      privateKey: ${{ parameters.infraPrivateKey }}
```

This example references fetch:template.

Add a deploy key for a user-owned repository without publishing

Creates a deploy key for an existing user repo. Use this in templates that configure access for an already-created repository without creating or publishing code in the same run.

```yaml
steps:
  - id: create-deploy-key
    action: github:deployKey:create
    input:
      repoUrl: github.com?repo=${{ parameters.repoName }}&owner=${{ parameters.username }}
      deployKeyName: read-only-ci
      publicKey: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAABBBJtuW3qf7H4mRk2f1bQ6m0zX7w0yqGJm0p0l1cR1S1oYpH2Vb8X2Zc9Q4QeK3v9uT+gF8sncJQ== user@laptop
      # Inline literal: the private key is stored in the template source itself.
      privateKey: |
        -----BEGIN OPENSSH PRIVATE KEY-----
        b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAIHBMYe5h3Z0v4F
        2N3Zk2p9r9b1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p
        -----END OPENSSH PRIVATE KEY-----
```