Fingerprint error when accessing private repos through SSH deploy keys

[fcs-ts]

In my company we use this action to build internal tools for the employees to use the binaries. Recently we started to use a private repo as a dependency and access it through deploy SSH keys on CI. This has worked well for lints/test/etc, but this action gives the following error:

Caused by:
  error: SSH host key has changed for `github.com`
  *********************************
  * WARNING: HOST KEY HAS CHANGED *
  *********************************
  This may be caused by a man-in-the-middle attack, or the server may have changed its host key.

  The RSA fingerprint for the key from the remote host is:
  SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s

  You are strongly encouraged to contact the server administrator for `github.com` to verify that this new key is correct.

  If you can verify that the server has a new key, you can resolve this error by removing the old ssh-rsa key for `github.com` located at C:\Users\runneradmin\.ssh\known_hosts line 6, and adding the new key to the `net.ssh.known-hosts` array in your Cargo configuration (such as C:\Users\runneradmin\.cargo\config.toml) or in your OpenSSH known_hosts file at C:\Users\runneradmin\.ssh\known_hosts

  The key provided by the remote host is:

I am not sure how the known_hosts file is populated and I am wondering if this has to do with Github key rotation from last year: https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/

Thanks a lot for your work and thanks in advance for any help on this :)

[taiki-e]

This action itself does not use SSH directly at all, so I suspect this is an issue with the cargo that is called to build your code. Could you check which version of cargo is being used in your workflow? If it is old, I suspect you need to update to a version that includes a patch for this issue (rust-lang/cargo#11883).

[fcs-ts]

We fixed it by adding

        env:
          CARGO_NET_GIT_FETCH_WITH_CLI: true

to the step