Setting Up the GitHub Pages Deploy Key #448
Description
The ci-website CI job deploys the built website to the
gerbv/gerbv.github.io repository.
Because this is a cross-repository deployment, GITHUB_TOKEN is not sufficient.
Authentication uses a deploy key (an SSH key pair) instead of a Personal
Access Token, so no individual account credentials are involved and the key's
write access is limited to the target repository only.
One-time setup
1. Generate a key pair
Run this on any machine (the private key never needs to be stored permanently):
ssh-keygen -t ed25519 -C "gerbv ci deploy key" -f deploy_key
This produces two files:
- deploy_key — private key (keep secret, delete after adding to GitHub)
- deploy_key.pub — public key (safe to share)
2. Add the public key to gerbv/gerbv.github.io
- Go to https://github.com/gerbv/gerbv.github.io → Settings → Deploy keys
- Click Add deploy key
- Title: gerbv CI deploy key
- Key: paste the contents of deploy_key.pub
- Check Allow write access
- Click Add key
3. Add the private key as a secret in gerbv/gerbv
- Go to https://github.com/gerbv/gerbv → Settings → Secrets and variables → Actions
- Click New repository secret
- Name: PAGES_DEPLOY_KEY
- Value: paste the contents of deploy_key
- Click Add secret
4. Delete the local key files
rm deploy_key deploy_key.pub
How it works in CI
The ci-website job in .github/workflows/ci.yaml uses the secret as:
ssh-key: ${{ secrets.PAGES_DEPLOY_KEY }}
git-config-name: gerbv-buildbot
git-config-email: gerbv-buildbot@users.noreply.github.com
The step is skipped (not failed) when the secret is absent, so pull request
builds and forks are unaffected.
Rotating the key
Repeat steps 1–4 above, then remove the old deploy key from
gerbv/gerbv.github.io Settings → Deploy keys.
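
Steps 1–4 (and therefore a rotation, which repeats them) scripted with the GitHub CLI, so the private key goes from a temporary directory straight into the secret without passing through the clipboard. This is an added example, not part of the original issue or the gerbv repository. It assumes `gh` is installed and authenticated with admin rights on both repositories; the helper name `setup_deploy_key`, the `GH`/`SSH_KEYGEN` override variables and the empty passphrase (`-N ""`) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the gerbv repository.
# Assumes the GitHub CLI (gh) is authenticated with admin rights on both repos.
GH="${GH:-gh}"                          # overridable (assumption), e.g. for a dry run
SSH_KEYGEN="${SSH_KEYGEN:-ssh-keygen}"  # overridable (assumption)

PAGES_REPO="gerbv/gerbv.github.io"  # receives the public key, with write access
SOURCE_REPO="gerbv/gerbv"           # stores the private key as an Actions secret
SECRET_NAME="PAGES_DEPLOY_KEY"

# setup_deploy_key is a hypothetical helper name for steps 1-4.
setup_deploy_key() {
    # mktemp -d creates a directory that only the current user can enter.
    workdir=$(mktemp -d) || return 1
    key="$workdir/deploy_key"
    # Do not leave the private key behind if the script is interrupted.
    trap 'rm -rf "$workdir"; exit 1' INT TERM
    status=0
    # Step 1: generate the pair. -N "" (assumption) sets an empty passphrase,
    #         because the CI job cannot answer a passphrase prompt.
    # Step 2: register the public key on the Pages repo with write access.
    # Step 3: store the private key as the secret, fed on stdin so it never
    #         appears in argv or shell history.
    {
        "$SSH_KEYGEN" -q -t ed25519 -N "" -C "gerbv ci deploy key" -f "$key" &&
        "$GH" repo deploy-key add "$key.pub" --repo "$PAGES_REPO" \
            --title "gerbv CI deploy key" --allow-write &&
        "$GH" secret set "$SECRET_NAME" --repo "$SOURCE_REPO" < "$key"
    } || status=$?
    # Step 4: delete the local key files whether or not the upload succeeded.
    rm -rf "$workdir"
    trap - INT TERM
    return "$status"
}
```

Call `setup_deploy_key` at the end of the script to run it. When rotating, the old key still has to be removed afterwards, for example with `gh repo deploy-key list` and `gh repo deploy-key delete` against gerbv/gerbv.github.io.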