DevOps

Deploying a GitHub Private Repo to a Server using SSH Keys

A guide on securing the process of pulling private repositories from GitHub to a VPS. Discussing SSH deploy key configuration, file permissions in Linux, and the reasons why .env files must not be committed.

Tags: GitHub · SSH Key (Ed25519) · Git · Linux Permissions · VPS

[Image: a black monitor displaying lines of green terminal code]
Configuring server authentication via the terminal is an essential step for every DevOps engineer. · © Gabriel Heinzer

Why Private Repos Require Specific Authentication

When developing commercial applications, source code is stored in private repositories, which means GitHub refuses access to anyone who has not been explicitly invited. Consequently, your VPS cannot simply `git clone` or `git pull` without first proving its identity.

If you use the standard HTTPS route, you will be prompted for a Personal Access Token (PAT) every time you update the code, which complicates automated deployments. The SSH protocol is more secure and far better suited to automation: authentication relies on a cryptographic key pair and needs no manual human interaction.

Deploy Keys vs Personal Access Tokens (PAT)

When connecting a server to a private repo, you generally choose between Deploy Keys or PATs. Each serves distinct security and operational needs.

Feature  | Deploy Keys                                   | Personal Access Tokens (PAT)
---------|-----------------------------------------------|------------------------------------------------
Scope    | Limited to ONE specific repository.           | Can be scoped to multiple repos/organizations.
Identity | Attached to the repo; not a user account.     | Tied directly to your GitHub user account.
Security | Highly secure. If leaked, only 1 repo is at risk. | Higher risk. Leaks may expose entire account access.
Best For | Production servers, CI/CD deployments.        | API access, user-based scripts & automation.

Steps to Configure an SSH Deploy Key

To implement the best security practice (least privilege), follow these steps to set up a Deploy Key on your VPS:

  • Generate SSH Key: Create an ed25519 key pair in your server's terminal.
  • Add to GitHub: Navigate to the repository settings (Settings > Deploy keys), and paste your public key.
  • Permissions (Optional): Check 'Allow write access' ONLY IF the server needs to push commits. For pulling only, leave it unchecked.
  • SSH Configuration: If you host multiple repos on one server, configure `~/.ssh/config` to map specific keys to their respective repos.
```bash
# Generate a new SSH key specifically for deployment
ssh-keygen -t ed25519 -C "deploy-key-portfolio"

# View the public key to copy it into GitHub (Settings > Deploy keys)
cat ~/.ssh/id_ed25519.pub

# Test the GitHub connection (GitHub does not provide shell access; a success message is expected)
ssh -T git@github.com
```
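The `~/.ssh/config` mapping from the last step, worked through as an added example that is not part of the original post: one deploy key per repository, each pinned to its own host alias so ssh never offers the wrong key, plus the permission check that ssh itself enforces. The alias names, `owner/repo` values and `deploy_<name>` key paths are placeholders; the mode check assumes GNU `stat -c` with a BSD `stat -f` fallback.

```bash
#!/usr/bin/env sh
# Added example: per-repository deploy keys on one server. Names/paths are placeholders.

# Print an ssh_config stanza that pins one deploy key to one host alias.
# IdentitiesOnly stops ssh from offering every loaded key; GitHub accepts the
# first key it recognises, which might be the deploy key of a different repo.
deploy_key_stanza() {  # $1 = alias (e.g. github-portfolio), $2 = private key path
  printf 'Host %s\n    HostName github.com\n    User git\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$1" "$2"
}

# Rewrite a GitHub SSH remote URL so it goes through the alias: only the host
# part changes, owner/repo stays. Prints the new URL.
alias_remote_url() {  # $1 = original URL, $2 = alias
  printf '%s\n' "$1" | sed "s#^git@github.com:#git@$2:#"
}

# Return 0 only when the private key is accessible to its owner alone (mode 600,
# or read-only 400), the condition ssh checks before it will use the key.
private_key_mode_ok() {  # $1 = key path
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Full per-repo setup; run as the deploy user on the VPS (no top-level call here).
setup_deploy_key() {  # $1 = short repo name, $2 = owner/repo on GitHub
  key="$HOME/.ssh/deploy_$1"
  mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
  [ -f "$key" ] || ssh-keygen -t ed25519 -N '' -C "deploy-key-$1" -f "$key"
  chmod 600 "$key"                     # what the SSH client insists on
  deploy_key_stanza "github-$1" "$key" >> "$HOME/.ssh/config"
  chmod 600 "$HOME/.ssh/config"
  echo "Paste this public key into Settings > Deploy keys of $2:"
  cat "$key.pub"
  echo "Clone with: git clone $(alias_remote_url "git@github.com:$2.git" "github-$1")"
}
```

For an existing checkout, `git remote set-url origin "$(alias_remote_url "$(git remote get-url origin)" github-portfolio)"` switches it to the alias without re-cloning.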

Risks and File Permissions in Linux

Since the private key acts as an 'access pass' that bypasses password authentication, it must be guarded strictly. On Linux, the SSH client refuses to use a private key file that is readable by other users on the server.

```bash
# The private key must not be readable by other users or groups (owner read/write only)
chmod 600 ~/.ssh/id_ed25519
# The public key is not secret and may stay world-readable
chmod 644 ~/.ssh/id_ed25519.pub
```

The `chmod 600` command explicitly ensures that only the file owner possesses read and write permissions for the private key file.

Crucial: Never Commit the .env File

A serious mistake that is still made frequently is committing the .env (environment variables) file to Git. The .env file usually holds critical credentials such as database URLs, third-party service API keys, or JWT secrets.

A Git repository is solely tasked with tracking the history of source code modifications, NOT tracking a server's confidential secrets.

Therefore, always ensure `.env` is listed within the `.gitignore` file. When pulling new code to the VPS, the pre-existing `.env` file on the server (which you manually created and configured) will never be overwritten or affected by new commits.

© 2026 Fajar Geran Arifin. All rights reserved.