feat: add docker-ssh option to expose SSH credentials to container

Add a new `docker-ssh` input option that allows exposing SSH agent sockets
or keys to the Renovate Docker container via the `--ssh` flag. This enables
Renovate to access private repositories or registries that require SSH
authentication during the build process.

The implementation follows the same pattern as other docker-* options and
includes full documentation with usage examples.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

README.md

@@ -14,6 +14,7 @@ GitHub Action to run Renovate self-hosted.
   - [`docker-cmd-file`](#docker-cmd-file)
   - [`docker-network`](#docker-network)
   - [`docker-socket-host-path`](#docker-socket-host-path)
+  - [`docker-ssh`](#docker-ssh)
   - [`docker-user`](#docker-user)
   - [`docker-volumes`](#docker-volumes)
   - [`env-regex`](#env-regex)
@@ -120,6 +121,29 @@ Allows the overriding of the host path for the Docker socket that is mounted int
 Useful on systems where the host Docker socket is located somewhere other than `/var/run/docker.sock` (the default).
 Only applicable when `mount-docker-socket` is true.
 
+### `docker-ssh`
+
+List of SSH agent socket or keys to expose to the build. This is passed to the Docker container via the `--ssh` flag.
+
+This is useful when Renovate needs to access private repositories or registries via SSH during the build process.
+
+Example usage:
+
+```yml
+....
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4.2.2
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@v43.0.17
+        with:
+          token: ${{ secrets.RENOVATE_TOKEN }}
+          docker-ssh: default=${{ env.SSH_AUTH_SOCK }}
+```
+
 ### `docker-user`
 
 Specify a user (or user-id) to run docker command.

action.yml

@@ -61,6 +61,11 @@ inputs:
       Docker volume mounts. Default to /tmp:/tmp
     default: /tmp:/tmp
     required: false
+  docker-ssh:
+    description: |
+      List of SSH agent socket or keys to expose to the build.
+      This maps to the --ssh flag in docker buildx build.
+    required: false
 
 runs:
   using: node20

src/input.ts

@@ -96,6 +96,10 @@ export class Input {
     return getInput('docker-network');
   }
 
+  getDockerSsh(): string | null {
+    return getInput('docker-ssh') || null;
+  }
+
   /**
    * Convert to environment variables.
    *

src/renovate.ts

@@ -70,6 +70,11 @@ export class Renovate {
       dockerArguments.push(`--network ${dockerNetwork}`);
     }
 
+    const dockerSsh = this.input.getDockerSsh();
+    if (dockerSsh) {
+      dockerArguments.push(`--ssh ${dockerSsh}`);
+    }
+
     dockerArguments.push('--rm', this.docker.image());
 
     if (dockerCmd !== null) {