How to rotate GitHub Checkout Keys
You can delete and rotate your Deploy and User keys using the CircleCI and GitHub APIs. Because every step is an API call, the rotation can be scripted and run automatically.
How to view the keys from the API
To view the User Key and Deploy Key, use the Get All Checkout Keys endpoint. The v2 endpoint currently returns an MD5 signature (the fingerprint field). An example response is as follows:
{
  "next_page_token" : null,
  "items" : [
    {
      "type" : "deploy-key",
      "preferred" : true,
      "created_at" : "...",
      "public_key" : "ssh-ed25519 ...",
      "fingerprint" : "c5:35:95:6d:a7:28:7d:47:67:6a:a0:30:a1:29:74:72"
    },
    {
      "type" : "github-user-key",
      "preferred" : false,
      "created_at" : "...",
      "public_key" : "ssh-ed25519 ...",
      "fingerprint" : "50:49:fb:ba:1f:43:eb:8d:a6:91:5c:08:3e:aa:e5:59"
    }
  ]
}
How to delete the Checkout Keys
To delete these keys, use the Delete Checkout Key endpoint, which can delete both the User and Deploy keys from CircleCI. Pass the fingerprint found in the response above to identify the key to delete. A successful deletion returns a response like the example below:
{
"message" : "Checkout key deleted."
}
Creating a new Checkout Key on CircleCI
Once the checkout key has been deleted, use the Create Checkout Key endpoint to create a new Deploy Key in your project. A successful creation returns a response like the example below:
{
"type" : "deploy-key",
"preferred" : true,
"created_at" : "...",
"public_key" : "ssh-ed25519 ...",
"fingerprint" : "..."
}
Delete the Deploy Key from your GitHub
To delete the key from GitHub, use the v1.1 API endpoint List Checkout Keys, which returns a SHA256 signature. This can then be matched to the GitHub Deploy Key found via the GitHub List Deploy Keys endpoint.
With the KEY_ID found and the SHA256 signatures matching, you can then delete the key via the Delete a Deploy Key API endpoint.
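The fingerprint match described above can also be computed locally from the public keys themselves, so the right KEY_ID is confirmed before anything is deleted. The following Python sketch is an added example, not CircleCI's or GitHub's code; it assumes the SHA256 signature is in OpenSSH form (SHA256: followed by unpadded base64), reads the id and key fields of the GitHub deploy key list, and uses constructed sample keys and ids.

```python
import base64
import hashlib
import struct
from typing import Optional


def key_blob(public_key: str) -> bytes:
    """Decode the base64 field of an OpenSSH public key line ("type b64 [comment]")."""
    return base64.b64decode(public_key.split()[1], validate=True)


def md5_fingerprint(public_key: str) -> str:
    """Colon-separated hex MD5, the shape of the v2 "fingerprint" values above."""
    digest = hashlib.md5(key_blob(public_key), usedforsecurity=False).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(public_key: str) -> str:
    """Assumed OpenSSH form: "SHA256:" + unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(key_blob(public_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_github_key_id(circleci_public_key: str, github_keys: list) -> Optional[int]:
    """Return the GitHub deploy key id whose SHA256 fingerprint matches, else None."""
    wanted = sha256_fingerprint(circleci_public_key)
    matches = [k["id"] for k in github_keys if sha256_fingerprint(k["key"]) == wanted]
    # Refuse to guess: proceed to deletion only when exactly one GitHub key matches.
    return matches[0] if len(matches) == 1 else None


def constructed_ed25519(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 line from fixed bytes (sample data only)."""
    def field(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    raw = field(b"ssh-ed25519") + field(bytes([seed]) * 32)
    return "ssh-ed25519 " + base64.b64encode(raw).decode()


# Constructed stand-ins for the two API responses; the ids and keys are not real.
CIRCLECI_KEY = {"type": "deploy-key", "public_key": constructed_ed25519(1) + " circleci"}
GITHUB_KEYS = [
    {"id": 101, "title": "other", "key": constructed_ed25519(2)},
    {"id": 202, "title": "CircleCI", "key": constructed_ed25519(1)},
]

if __name__ == "__main__":
    print(md5_fingerprint(CIRCLECI_KEY["public_key"]))
    print(sha256_fingerprint(CIRCLECI_KEY["public_key"]))
    print(find_github_key_id(CIRCLECI_KEY["public_key"], GITHUB_KEYS))
```

The trailing comment on a public key line does not affect either fingerprint, since only the base64 field is hashed.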