Skip to content
Latchkey

Git "Host key verification failed" in CI - Fix known_hosts

SSH refused to connect because it cannot verify the remote host’s identity - the host key is not in known_hosts. On a fresh runner with no interactive prompt, SSH fails closed rather than asking you to trust the host.

What this error means

An SSH clone/fetch fails with Host key verification failed and fatal: Could not read from remote repository. It happens on clean runners that have never connected to the host before.

git clone output
The authenticity of host 'github.com (140.82.x.x)' can't be established.
ED25519 key fingerprint is SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU.
Host key verification failed.
fatal: Could not read from remote repository.

Common causes

The host key is not in known_hosts

A fresh CI runner has an empty ~/.ssh/known_hosts. With no interactive TTY to accept the key, strict host-key checking aborts the connection.

StrictHostKeyChecking is on with no known host

SSH defaults to verifying the host. Without the key pre-seeded, verification fails by design - this is a safety feature, not a bug.

How to fix it

Pre-seed the host key with ssh-keyscan

Add the verified host key to known_hosts before cloning. Pin it to the host you expect.

Terminal
mkdir -p ~/.ssh
ssh-keyscan -t ed25519 github.com >> ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts

Let the checkout action manage SSH

Using actions/checkout with an ssh-key input configures known_hosts for GitHub automatically.

.github/workflows/ci.yml
- uses: actions/checkout@v4
  with:
    ssh-key: ${{ secrets.DEPLOY_KEY }}

How to prevent it

  • Pre-seed known_hosts with ssh-keyscan (and verify the fingerprint) in CI setup.
  • Bake the Git host’s key into the runner image where possible.
  • Avoid disabling StrictHostKeyChecking globally - it removes MITM protection.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →