๐ SCP for GitHub Actions
April 27, 2025 ยท View on GitHub
GitHub Action for copying files and artifacts via SSH.
Note: Only supports Linux docker containers.
โจ Features
- โ Copy files and artifacts to one or multiple remote servers via SSH
- โ Supports both SSH key and password authentication
- โ Full SSH Proxy (jump host) support
- โ Handles Linux โ Windows path conversion
- โ Integrates with GitHub Artifacts workflow
- โ Incremental and differential file transfer
- โ Rich configuration options for advanced use cases
๐ฆ Table of Contents
- ๐ SCP for GitHub Actions
๐ Quick Start
Copy files and artifacts via SSH in your GitHub Actions workflow:
name: scp files
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Copy files via SSH
uses: appleboy/scp-action@v1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
password: ${{ secrets.PASSWORD }}
port: ${{ secrets.PORT }}
source: "tests/a.txt,tests/b.txt"
target: your_server_target_folder_path
โ๏ธ Configuration
๐ Connection Settings
| Variable | Description | Default | Required |
|---|---|---|---|
| host | Remote host(s), comma-separated for multiple | - | โ |
| port | SSH port | 22 | |
| username | SSH username | - | โ |
| password | SSH password (prefer SSH key for security) | - | |
| key | SSH private key content | - | |
| key_path | Path to SSH private key file | - | |
| passphrase | Passphrase for SSH private key | - | |
| fingerprint | SHA256 fingerprint for host key verification | - | |
| protocol | IP protocol: 'tcp', 'tcp4', or 'tcp6' | tcp | |
| timeout | SSH connection timeout | 30s | |
| command_timeout | SCP command timeout | 10m |
๐ File Transfer Settings
| Variable | Description | Default | Security Note |
|---|---|---|---|
| source | Local files/directories to transfer (comma-separated) | - | Use explicit paths |
| target | Target directory on remote server (must be a directory) | - | Avoid root directories |
| rm | Remove target directory before upload | - | Use with caution |
| strip_components | Remove leading path elements when extracting | - | |
| overwrite | Overwrite existing files with tar | - | |
| tar_dereference | Follow symlinks with tar | - | |
| tar_tmp_path | Temp path for tar file on destination | - | |
| tar_exec | Path to tar executable on destination | tar | |
| debug | Enable debug output | - | |
| curl_insecure | Use --insecure with curl | false | Not recommended |
| capture_stdout | Capture command stdout as action output | false | |
| version | Version of drone-scp to use | - |
๐ Proxy Settings
| Variable | Description | Default | Required |
|---|---|---|---|
| proxy_host | SSH proxy host | - | |
| proxy_port | SSH proxy port | 22 | |
| proxy_username | SSH proxy username | - | |
| proxy_password | SSH proxy password | - | |
| proxy_key | SSH proxy private key content | - | |
| proxy_key_path | Path to SSH proxy private key file | - | |
| proxy_passphrase | Passphrase for SSH proxy private key | - | |
| proxy_fingerprint | SHA256 fingerprint for proxy host | - | |
| proxy_use_insecure_cipher | Enable less secure ciphers for proxy | - | |
| proxy_timeout | SSH proxy connection timeout | 30s |
๐ก๏ธ Best Practices & Security
- Prefer SSH key authentication over passwords for better security.
- Store all sensitive values (host, username, password, key) in GitHub Secrets.
- Regularly rotate deployment keys (suggested every 90 days).
- Restrict write permissions on the target server directory.
- Enable host key fingerprint verification to prevent MITM attacks.
- Avoid using root as the SSH user.
๐ฅ๏ธ Cross-Platform Notes
| Scenario | Linux Server | Windows Server |
|---|---|---|
| Path Format | /path/to/dir | /c/path/to/dir |
| Required Setting | None | tar_dereference: true |
| Permissions | Preserved | May require manual ACL |
| Shell | bash (default) | Git Bash via OpenSSH |
๐ฉ Important:
When copying to Windows servers:
- Install Git for Windows and set OpenSSH default shell to Git Bash
- Use Unix-style target paths (e.g.,
/c/Users/...)- Enable
tar_dereferencefor symlink handling
๐ก Usage Examples
๐งฉ Scenario Guide
- Basic file transfer โ Example 1
- Multi-server deployment โ Example 2
- Incremental/changed files only โ Example 3
- Artifacts integration โ Example 4
- Windows server setup โ Example 5
Example 1: Basic SSH Password
- name: Copy file via SSH password
uses: appleboy/scp-action@v1
with:
host: example.com
username: foo
password: bar
port: 22
source: "tests/a.txt,tests/b.txt"
target: your_server_target_folder_path
Example 2: Multi-server
- name: Copy to multiple servers
uses: appleboy/scp-action@v1
with:
host: "foo.com,bar.com"
username: foo
password: bar
port: 22
source: "tests/a.txt,tests/b.txt"
target: your_server_target_folder_path
Example 3: Changed Files Only
- name: Get changed files
id: changed-files
uses: tj-actions/changed-files@v35
with:
since_last_remote_commit: true
separator: ","
- name: Copy changed files to server
uses: appleboy/scp-action@v1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
key: ${{ secrets.KEY }}
port: ${{ secrets.PORT }}
source: ${{ steps.changed-files.outputs.all_changed_files }}
target: your_server_target_folder_path
Example 4: Artifacts Integration
- uses: actions/upload-artifact@v4
with:
name: my-artifact
path: world.txt
- uses: actions/download-artifact@v4
with:
name: my-artifact
path: distfiles
- name: Copy artifact to server
uses: appleboy/scp-action@v1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
key: ${{ secrets.KEY }}
port: ${{ secrets.PORT }}
source: distfiles/*
target: your_server_target_folder_path
Example 5: Windows Server
- name: Copy to Windows
uses: appleboy/scp-action@v1
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
key: ${{ secrets.SSH_PRIVATE_KEY }}
port: 22
source: "your_source_path"
target: "/c/path/to/target/"
tar_dereference: true
rm: true
๐๏ธ SSH Key Setup
-
Generate SSH Key (on your local machine):
# RSA ssh-keygen -t rsa -b 4096 -C "your_email@example.com" # ED25519 ssh-keygen -t ed25519 -a 200 -C "your_email@example.com" -
Add Public Key to Server:
cat .ssh/id_rsa.pub | ssh user@host 'cat >> .ssh/authorized_keys' # or for ed25519 cat .ssh/id_ed25519.pub | ssh user@host 'cat >> .ssh/authorized_keys' -
Copy Private Key Content to GitHub Secrets:
clip < ~/.ssh/id_rsa # or clip < ~/.ssh/id_ed25519
See SSH login without password for more details.
OpenSSH Note:
If you see ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], ensure your key algorithm is supported.
On Ubuntu 20.04+, add to /etc/ssh/sshd_config or /etc/ssh/sshd_config.d/:
CASignatureAlgorithms +ssh-rsa
Or use ed25519 keys, which are accepted by default.
๐งฐ Common Error Codes
| Error Code | Possible Cause | Solution |
|---|---|---|
ECONNREFUSED | Wrong port / firewall blocks | Check port and firewall settings |
ENOENT | Source file not found | Use absolute path or check checkout step |
EAUTH | Authentication failed | Check key format and permissions (PEM format) |
๐ Workflow Diagram
sequenceDiagram
participant G as GitHub Runner
participant S as Target Server
G->>S: Establish SSH connection
S-->>G: Authenticate credentials
G->>S: (Optional) Remove target directory
G->>G: Archive source files
G->>S: Transfer archive
S->>S: Extract and process files
S-->>G: Return result
FAQ & Troubleshooting
-
Q: Why does authentication fail?
A: Check SSH key format, permissions, and that the key is added to the server. -
Q: How do I copy only changed files?
A: Usetj-actions/changed-filesto get changed files and pass tosource. -
Q: How to deploy to multiple servers?
A: Use comma-separated host list:host: "foo.com,bar.com" -
Q: How to copy to Windows?
A: Set up Git Bash, use Unix-style paths, and enabletar_dereference.
๐ License
MIT License