Skip to content
Latchkey

Git "Permission denied (publickey)" in CI

The SSH handshake offered no key the remote accepts, so authentication failed before any repository access. In CI this usually means no key was loaded or the deploy key is not registered.

What this error means

A clone or push over SSH fails with git@github.com: Permission denied (publickey) and fatal: Could not read from remote repository. It fails identically on every retry.

git
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Common causes

No SSH key available to the agent

The runner has no private key loaded, or the ssh-agent was never started, so nothing is offered to the server.

Key not registered with the repo or org

A deploy key or user key exists but was never added to the target repository or account.

Wrong key permissions or format

A key file with loose permissions, or an unsupported format, is silently ignored.

How to fix it

Load the key into the agent

  1. Start ssh-agent and add the private key in the job.
  2. On Actions, prefer a maintained SSH-key action or pass ssh-key to actions/checkout.
.github/workflows/ci.yml
eval "$(ssh-agent -s)"
echo "${{ secrets.SSH_PRIVATE_KEY }}" | ssh-add -

Verify the key is authorized

  1. Add the public key as a deploy key on the repo (allow write if pushing).
  2. Test the connection non-interactively.
Terminal
ssh -o StrictHostKeyChecking=accept-new -T git@github.com

How to prevent it

  • Store the private key as a secret, load it via ssh-agent or actions/checkout ssh-key, and register the matching deploy key on every repo the job touches. A retry cannot fix a missing or unauthorized key.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →