This is mostly relevant for private repos, which require a dedicated SSH key for cloning.

When a Sourcehut build uses multiple SSH key secrets, SSH tries them in order. Put the key needed for cloning first, and pass -i ~/.ssh/<UUID> to specify the right key for other SSH operations like rsync.

Also make sure to use the SSH clone URL.

Here's an example.

 1image: alpine/edge
 2packages:
 3  - openssh
 4  - rsync
 5  - zola
 6secrets:
 7  - ec118555-3160-4f91-90ed-99af094cb93f
 8  - 613df8e9-5ed2-4c2c-82aa-4b056feef5ff
 9environment:
10  deploy_user: greg
11  deploy_host: gregtroszak.me
12  deploy_path: /var/www/notes.gregtroszak.me
13sources:
14  - git@git.sr.ht:~gtroszak/notes
15tasks:
16  - build: |
17      cd notes
18      zola build
19  - deploy: |
20      ssh-keyscan $deploy_host >> ~/.ssh/known_hosts
21      rsync -avz --delete \
22        -e "ssh -i ~/.ssh/613df8e9-5ed2-4c2c-82aa-4b056feef5ff" \
23        notes/site/ \
24        $deploy_user@$deploy_host:$deploy_path/

Resources

• Private repos on builds.sr.ht
• Secrets dashboard