From 49e993f921b09552b1b2b9a7f43fe47cdece3c4b Mon Sep 17 00:00:00 2001 From: Stefano Polloni <27390119+spolloni@users.noreply.github.com> Date: Tue, 21 Oct 2025 11:23:12 -0400 Subject: [PATCH] feat: add docker-ssh option to expose SSH credentials to container MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a new `docker-ssh` input option that allows exposing SSH agent sockets or keys to the Renovate Docker container via the `--ssh` flag. This enables Renovate to access private repositories or registries that require SSH authentication during the build process. The implementation follows the same pattern as other docker-* options and includes full documentation with usage examples. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- README.md | 24 ++++++++++++++++++++++++ action.yml | 5 +++++ src/input.ts | 4 ++++ src/renovate.ts | 5 +++++ 4 files changed, 38 insertions(+) diff --git a/README.md b/README.md index eccee20c..387efd60 100644 --- a/README.md +++ b/README.md @@ -14,6 +14,7 @@ GitHub Action to run Renovate self-hosted. - [`docker-cmd-file`](#docker-cmd-file) - [`docker-network`](#docker-network) - [`docker-socket-host-path`](#docker-socket-host-path) + - [`docker-ssh`](#docker-ssh) - [`docker-user`](#docker-user) - [`docker-volumes`](#docker-volumes) - [`env-regex`](#env-regex) 
@@ -120,6 +121,29 @@ Allows the overriding of the host path for the Docker socket that is mounted int Useful on systems where the host Docker socket is located somewhere other than `/var/run/docker.sock` (the default). Only applicable when `mount-docker-socket` is true. +### `docker-ssh` + +List of SSH agent socket or keys to expose to the build. This is passed to the Docker container via the `--ssh` flag. + +This is useful when Renovate needs to access private repositories or registries via SSH during the build process. + +Example usage: + +```yml +.... +jobs: + renovate: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4.2.2 + - name: Self-hosted Renovate + uses: renovatebot/github-action@v43.0.17 + with: + token: ${{ secrets.RENOVATE_TOKEN }} + docker-ssh: default=${{ env.SSH_AUTH_SOCK }} +``` + ### `docker-user` Specify a user (or user-id) to run docker command. diff --git a/action.yml b/action.yml index 00c9ec99..af7fc3d1 100644 --- a/action.yml +++ b/action.yml @@ -61,6 +61,11 @@ inputs: Docker volume mounts. Default to /tmp:/tmp default: /tmp:/tmp required: false + docker-ssh: + description: | + List of SSH agent socket or keys to expose to the build. + This maps to the --ssh flag in docker buildx build. + required: false runs: using: node20 diff --git a/src/input.ts b/src/input.ts index 5d23443f..3b35abf8 100644 --- a/src/input.ts +++ b/src/input.ts @@ -96,6 +96,10 @@ export class Input { return getInput('docker-network'); } + getDockerSsh(): string | null { + return getInput('docker-ssh') || null; + } + /** * Convert to environment variables. * diff --git a/src/renovate.ts b/src/renovate.ts index 39ba75c5..db8fe920 100644 --- a/src/renovate.ts +++ b/src/renovate.ts 
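Review bot: The `docker-ssh` description added to action.yml does not tell users what they are handing over: anything that runs inside the Renovate container can authenticate with the forwarded agent or key, and that may include package-manager hooks or post-upgrade commands from the repositories being updated. I would add a sentence such as `Anything running in the Renovate container can use the forwarded agent or key; prefer a dedicated, read-only deploy key.` The description also refers to `docker buildx build`, but nothing on this page shows the action running a build, so the wording should name the command the action actually invokes. The same caveat belongs in the README section added by this patch.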
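Review bot: `getDockerSsh()` returns the raw input with no check on its shape, and the src/renovate.ts hunk then splices it into a `--ssh ...` argument string. If those arguments are later joined into a single command line (not visible here), whitespace in the value would become additional docker options. Rejecting such values at the input boundary is cheap: `const value = getInput('docker-ssh').trim();` followed by `if (/\s/.test(value)) throw new Error('docker-ssh must not contain whitespace');`. A short doc comment stating the expected `id[=socket|key]` form and the "empty input becomes null" convention would help too, since the neighbouring getter in the context lines returns `getInput(...)` directly. The `Input` class continues outside the hunk.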
@@ -70,6 +70,11 @@ export class Renovate { dockerArguments.push(`--network ${dockerNetwork}`); } + const dockerSsh = this.input.getDockerSsh(); + if (dockerSsh) { + dockerArguments.push(`--ssh ${dockerSsh}`); + } + dockerArguments.push('--rm', this.docker.image()); if (dockerCmd !== null) {
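Review bot: The added ``dockerArguments.push(`--ssh ${dockerSsh}`)`` goes into an argument list that ends with `--rm` and the image, which looks like a `docker run` invocation. As far as I know `--ssh` is a `docker build`/buildx option that `docker run` does not accept, so setting this input would likely make the container fail to start rather than expose the agent. The usual way to give a running container agent access is to mount the socket and point `SSH_AUTH_SOCK` at it, for example ``dockerArguments.push(`--volume ${agentSocket}:/ssh-agent`, '--env SSH_AUTH_SOCK=/ssh-agent');`` where `agentSocket` is a placeholder for a validated host path. The option is also documented as a list, yet only one `--ssh` is emitted for the whole value. The enclosing method starts and ends outside the hunk.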