Skip to content
/ cloudflared-ssh-action Public

A github action that lets you ssh into a server behind a cloudflare tunnel

License

Apache-2.0 license
17 stars 8 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

and-fm/cloudflared-ssh-action

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace
BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

132 Commits
.github
.github
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
action.yml
action.yml
 
 
entrypoint.sh
entrypoint.sh
 
 

Repository files navigation

Cloudflared SSH Remote Command Runner

A GitHub Action that runs a Docker container, which lets you SSH into a server behind a Cloudflare Tunnel and run a command

Inputs

The following inputs can be used as step.with keys:

Name Type Default Required Description
host String true Tunnel address of the server you are connecting to
port int 22 true SSH port
username String true SSH username
private_key_filename String true Name of the private key file (used only in the action runner execution)
private_key_value String true The actual SSH private key to authenticate to your server
commands List true The list of commands you want to execute on the remote server
service_token_id String false The Cloudflare Zero Trust Service Token ID (optional)
service_token_secret String false The Cloudflare Zero Trust Service Token Secret (optional)

For more info on service tokens, check this documentation: https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/

Workflows

Branch protection rules require a PR before code can be merged into main. There are two PR workflows:

  • Dependency review will check upstream base Apline Linux image or Github Actions for updates. If there are High or Critical vulnerabilities found in feature branch, the workflow will fail.
  • Trivy scanner will check the built Docker image for vulnerabilities. If there's a High or Critical CVEs found in the image, the workflow will fail.

A successful merge into main will update the latest release and update the latest tagged container image uploaded to GitHub Packages.

Contributions

Any help keeping this repo healthy and secure would be appreciated!
Remaining in the to-do is automating semantic version releases in case users need to rollback to older, stable versions.

Usage

Here is an example deploy.yaml file for the action:

name: Run command on remote server
on:
  pull_request:
    types:
      - closed
jobs:
  ssh_command:
    if: github.event.pull_request.merged == true
    name: Run SSH command
    needs: terraform_apply
    runs-on: ubuntu-latest
    steps:
      - name: Connect and run command on remote server
        uses: and-fm/cloudflared-ssh-action@v3
        with:
          host: ${{ secrets.SSH_HOST }}
          username: ${{ secrets.SSH_USERNAME }}
          private_key_filename: ${{ secrets.SSH_PRIVATE_KEY_FILENAME }}
          private_key_value: ${{ secrets.SSH_PRIVATE_KEY_VALUE }}
          port: ${{ secrets.SSH_PORT }}
          service_token_id: ${{ secrets.SERVICE_TOKEN_ID }}
          service_token_secret: ${{ secrets.SERVICE_TOKEN_SECRET }}
          commands: mkdir hello-world -v

Big Thanks To:

Nathan J Norris for improving the maintanability and security of the project

About

A github action that lets you ssh into a server behind a cloudflare tunnel

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

17 stars

Watchers

2 watching

Forks

8 forks
Report repository

Releases 4

v3.1.2 Latest
May 7, 2024
+ 3 releases

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages