Build a snap from a private repository in a GitHub Workflow

The snapcore/action-build GitHub Actions builds the snap within an LXD container, which is therefore unable to access the private SSH key required to access a private repository.

This results in Snapcraft failing to pull the source:

Failed to pull source: command ['git', 'clone', '--recursive', '', '/root/parts/my-part/src']
exited with code 128.
Make sure sources are correctly specified.

This guide is an extension of Build a snap from a private repository to address this specific issue.

Set up the SSH keys for the project

First, make sure to have generated a private key (without passphrase) and registered the public key on your GitHub account. See Adding a new ssh key for GitHub’s own instructions.

You now need to add your SSH key as a secret to the repository you wish to run the CI on. See Creating secrets for a repository for details.

Make sure to set the name to PRIVATE_RSA_KEY and the value to the content of the private key (by default, the content of ~/.ssh/id_rsa).

The private key is now stored as a secret in the repository and will be available as a variable to our GitHub workflow.

Use the key in a GitHub Workflow

A workflow using snapcore/action-build will look like:

- uses: actions/checkout@v3
- uses: snapcore/action-build@v1

Snapcraft has the flag --bind-ssh that will import the complete ~/.ssh directory, which means we need to write the private key secret to ~/.ssh/id_rsa so it can be imported by Snapcraft.

We also need to create the ~/.ssh/known_hosts file because the CI cannot prompt you to validate the remote repository host. In this case, the host is

The workflow should be modified as follows:

  - uses: actions/checkout@v3
+ - name: Create ~/.ssh
+   run: |
+     mkdir ~/.ssh
+     echo "${{ secrets.PRIVATE_RSA_KEY }}" > ~/.ssh/id_rsa
+     chmod 600 ~/.ssh/id_rsa
+     ssh-keyscan -H >> ~/.ssh/known_hosts
  - uses: snapcore/action-build@v1
+   with:
+     snapcraft-args: --bind-ssh

The Snapcraft command called by the snapcore/action-build will then properly import and use the private key.

A complete example can be found on GitHub.