Add SSH support to reusable workflows

.github/workflows/docker-build-publish.yml

@@ -31,6 +31,10 @@ on:
         required: true
       ci_token:
         required: true
+      ssh_private_key:
+        required: false
+      ssh_known_hosts:
+        required: false
 
 jobs:
   build:
@@ -40,6 +44,19 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Start ssh-agent
+        if: ${{ secrets.ssh_private_key != '' }}
+        uses: webfactory/ssh-agent@v0.9.0
+        with:
+          ssh-private-key: ${{ secrets.ssh_private_key }}
+
+      - name: Add SSH known hosts
+        if: ${{ secrets.ssh_known_hosts != '' }}
+        run: |
+          mkdir -p ~/.ssh
+          printf '%s\n' "${{ secrets.ssh_known_hosts }}" >> ~/.ssh/known_hosts
+          chmod 644 ~/.ssh/known_hosts
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -64,6 +81,11 @@ jobs:
         run: |
           set -euo pipefail
 
+          SSH_FLAGS=""
+          if [ -n "${SSH_AUTH_SOCK:-}" ]; then
+            SSH_FLAGS="--ssh default"
+          fi
+
           echo "$IMAGES" | jq -c '.[]' | while read -r img; do
             IMAGE_NAME=$(echo "$img" | jq -r '.name')
             FULL_IMAGE="${{ inputs.registry_host }}/${IMAGE_NAME}"
@@ -97,6 +119,7 @@ jobs:
               --target "$TARGET" \
               --cache-from "type=registry,ref=$CACHE_REF" \
               --cache-to "type=registry,ref=$CACHE_REF,mode=max" \
+              $SSH_FLAGS \
               --load \
               $TAG_ARGS \
               $BUILD_ARG_FLAGS \

.github/workflows/node-ci.yml

@@ -27,6 +27,11 @@ on:
       test_command:
         type: string
         default: "pnpm test"
+    secrets:
+      ssh_private_key:
+        required: false
+      ssh_known_hosts:
+        required: false
 
 jobs:
   quality:
@@ -37,6 +42,19 @@ jobs:
       - name: Checkout source
         uses: actions/checkout@v4
 
+      - name: Start ssh-agent
+        if: ${{ secrets.ssh_private_key != '' }}
+        uses: webfactory/ssh-agent@v0.9.0
+        with:
+          ssh-private-key: ${{ secrets.ssh_private_key }}
+
+      - name: Add SSH known hosts
+        if: ${{ secrets.ssh_known_hosts != '' }}
+        run: |
+          mkdir -p ~/.ssh
+          printf '%s\n' "${{ secrets.ssh_known_hosts }}" >> ~/.ssh/known_hosts
+          chmod 644 ~/.ssh/known_hosts
+
       - name: Set up Node
         uses: actions/setup-node@v4
         with:

.github/workflows/python-uv-ci.yml

@@ -30,6 +30,11 @@ on:
       test_command:
         type: string
         default: "uv run pytest"
+    secrets:
+      ssh_private_key:
+        required: false
+      ssh_known_hosts:
+        required: false
 
 jobs:
   quality:
@@ -43,6 +48,19 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Start ssh-agent
+        if: ${{ secrets.ssh_private_key != '' }}
+        uses: webfactory/ssh-agent@v0.9.0
+        with:
+          ssh-private-key: ${{ secrets.ssh_private_key }}
+
+      - name: Add SSH known hosts
+        if: ${{ secrets.ssh_known_hosts != '' }}
+        run: |
+          mkdir -p ~/.ssh
+          printf '%s\n' "${{ secrets.ssh_known_hosts }}" >> ~/.ssh/known_hosts
+          chmod 644 ~/.ssh/known_hosts
+
       - name: Set up Python
         uses: actions/setup-python@v5
         with: