Setting Up the GitHub Pages Deploy Key

[spe-ciellt]

The ci-website CI job deploys the built website to the
gerbv/gerbv.github.io repository.
Because this is a cross-repository deployment, GITHUB_TOKEN is not sufficient.
Authentication uses a deploy key (an SSH key pair) instead of a Personal
Access Token, so no individual account credentials are involved and the key's
write access is limited to the target repository only.

One-time setup

1. Generate a key pair

Run this on any machine (the private key never needs to be stored permanently):

ssh-keygen -t ed25519 -C "gerbv ci deploy key" -f deploy_key

This produces two files:

• deploy_key — private key (keep secret, delete after adding to GitHub)
• deploy_key.pub — public key (safe to share)

2. Add the public key to gerbv/gerbv.github.io

1. Go to https://github.com/gerbv/gerbv.github.io → Settings → Deploy keys
2. Click Add deploy key
3. Title: gerbv CI deploy key
4. Key: paste the contents of deploy_key.pub
5. Check Allow write access
6. Click Add key

3. Add the private key as a secret in gerbv/gerbv

1. Go to https://github.com/gerbv/gerbv → Settings → Secrets and variables → Actions
2. Click New repository secret
3. Name: PAGES_DEPLOY_KEY
4. Value: paste the contents of deploy_key
5. Click Add secret

4. Delete the local key files

rm deploy_key deploy_key.pub

How it works in CI

The ci-website job in .github/workflows/ci.yaml uses the secret as:

ssh-key: ${{ secrets.PAGES_DEPLOY_KEY }}
git-config-name: gerbv-buildbot
git-config-email: gerbv-buildbot@users.noreply.github.com

The step is skipped (not failed) when the secret is absent, so pull request
builds and forks are unaffected.

Rotating the key

Repeat steps 1–4 above, then remove the old deploy key from
gerbv/gerbv.github.io Settings → Deploy keys.