Git "Host key verification failed" in CI - Fix known_hosts
SSH refused to connect because it cannot verify the remote host’s identity - the host key is not in known_hosts. On a fresh runner with no interactive prompt, SSH fails closed rather than asking you to trust the host.
What this error means
An SSH clone/fetch fails with Host key verification failed and fatal: Could not read from remote repository. It happens on clean runners that have never connected to the host before.
The authenticity of host 'github.com (140.82.x.x)' can't be established.
ED25519 key fingerprint is SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU.
Host key verification failed.
fatal: Could not read from remote repository.Common causes
The host key is not in known_hosts
A fresh CI runner has an empty ~/.ssh/known_hosts. With no interactive TTY to accept the key, strict host-key checking aborts the connection.
StrictHostKeyChecking is on with no known host
SSH defaults to verifying the host. Without the key pre-seeded, verification fails by design - this is a safety feature, not a bug.
How to fix it
Pre-seed the host key with ssh-keyscan
Add the verified host key to known_hosts before cloning. Pin it to the host you expect.
mkdir -p ~/.ssh
ssh-keyscan -t ed25519 github.com >> ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hostsLet the checkout action manage SSH
Using actions/checkout with an ssh-key input configures known_hosts for GitHub automatically.
- uses: actions/checkout@v4
with:
ssh-key: ${{ secrets.DEPLOY_KEY }}How to prevent it
- Pre-seed known_hosts with
ssh-keyscan(and verify the fingerprint) in CI setup. - Bake the Git host’s key into the runner image where possible.
- Avoid disabling
StrictHostKeyCheckingglobally - it removes MITM protection.