Launch a Debugging Terminal into GitHub Actions

Summary

Spoiler: I made a free and open-source way to get an interactive web terminal to your GitHub Action when it fails. Try it out here: https://actions-term.gripdev.xyz/ (code 🔗) Your browser does not support the video element. Building it I think we’ve all been there, your build fails in Actions, but the script works fine locally. You now settle into a slow loop of: Push speculative change See if it worked It was in the middle of one of these when I started thinking about how to make it better. A Terminal would be great, that’s obvious, but how to make it happen? How could I make it free, and open to anyone, without costing me lots of money? Operating a service that forward traffic between a user and the Actions VM would stack up data transfer costs and take some work to scale. What about a Peer-to-Peer connection? I’d recently been going deeper on how Tailscale, iroh and WebRTC use UDP Hole Punching to create Peer-to-Peer (P2P) connections between nodes without relaying traffic. If that worked then my server would only need to exchange a tiny bit of information per session and hopefully cost me very little 🤞 Could I use P2P and funnel a terminal session over it? Well the Actions VM is on the internet and allows UDP outbound, so it should work! A simple bit of scripting proved it did 🥳 With WebRTC, if the Actions VM and my local machine exchange information about their connectivity (ICE Candidates), then I could form a connection. Security and Identities The next problem is, how do you prove each end of the P2P connection is who they say they are? It’s important. I want to ensure that lawrencegripper can only access terminals for Actions triggered by lawrencegripper. The browser side is relatively easy, we can use OAuth to login via GitHub and get a verified username ✅ On the Actions VM we have OIDC, commonly used to auth from Actions to cloud providers. Anyone can use it though, it gives us the ability to issue a signed OIDC token from within our Action which proves: ...