GitHub Actions / GitHub Actions

GitHub Actions permission denied publickey

Fix GitHub Actions SSH permission denied errors when a workflow clones, deploys, or pushes with a key.

General troubleshooting guidance Last updated May 10, 2026 0 sources Needs local verification

Category: GitHub Actions
Error signature: Permission denied (publickey)
Quick fix: Store the private key in a secret, add the matching public key to the target repo, and configure known_hosts before SSH commands.
Updated: May 10, 2026
Verification status: General troubleshooting guidance
Evidence: 0 public source URLs

Before you change production

This page does not expose source URLs in the page body. Treat it as general troubleshooting guidance and verify against official documentation before changing systems.

Reproduce the smallest failing action and save non-secret logs before changing configuration.
Check versions for GitHub Actions, related SDKs, package managers, CI runners, and hosting providers.
Change one setting or dependency at a time, then rerun the same failing command or request.
Avoid destructive commands, credential rotation, billing changes, or security relaxations without a rollback plan.

What this error means

Permission denied (publickey) means the build or deployment failed in a clean automation environment. The cause is usually runtime version, lockfile state, secrets, project root, or deploy permissions.

Common causes

Deploy key is not added to the target repository
Private key secret is missing or malformed
Known hosts entry is missing
Workflow uses the wrong remote URL

Copy-paste commands

Check local Node version

node --version
npm --version

Reproduce a clean install

rm -rf node_modules
npm ci

Run the production build locally

npm run build

Check GitHub SSH from a runner-like shell

ssh -T git@github.com

Quick fixes

Open the failed log and find the first error line above the stack trace.
Store the private key in a secret, add the matching public key to the target repo, and configure known_hosts before SSH commands.
Check Node version, working directory, lockfile state, and required secrets.
Rerun the job only after committing the config or lockfile change.

Step-by-step troubleshooting

Find the first log line containing Permission denied (publickey).
Check the job Node version and package manager command.
Verify secrets are available for the event type; forked PRs often have restricted secrets.
Compare the workflow working directory with the folder containing package.json.
Run the same install and build commands locally from a clean checkout.

Platform-specific fixes

GitHub Actions

Use actions/setup-node for the intended Node version and keep package-lock.json committed for npm ci.

Vercel

Check the configured project root, build command, output directory, and environment variables in the Vercel project settings.

Real-world fixes

If the lockfile error appears only in CI, regenerate and commit the lockfile instead of switching to npm install in CI.
If deploy keys fail, confirm the public key is attached to the target repository and the private key secret keeps newlines intact.
Store the private key in a secret, add the matching public key to the target repo, and configure known_hosts before SSH commands.

How to prevent it

Keep workflow runtime versions explicit.
Commit lockfiles and generated config needed at build time.
Add a small CI job that runs the same build command before deploy.

Diagnostic flow for this page

Match Permission denied (publickey) exactly before applying the quick fix.
Compare the failing environment with GitHub Actions versions, account scope, provider settings, and deployment context.
Check the listed common causes in order, starting with the cause that best matches your logs.
Use the evidence status below to decide whether to confirm against public sources or official documentation.
Apply one reversible change, rerun the smallest failing action, and keep rollback notes.

FAQ

What does Permission denied (publickey) mean in GitHub Actions?

Permission denied (publickey) indicates the workflow described by "GitHub Actions permission denied publickey" failed in a GitHub Actions context. Start by confirming the exact signature and the component that emitted it.

What should I check first for Permission denied (publickey)?

Check whether this cause matches your environment: Deploy key is not added to the target repository

Is the Permission denied (publickey) guidance source-backed?

The "GitHub Actions permission denied publickey" page is labeled general troubleshooting guidance. It has no public source URLs in the current Markdown record, so use that evidence status when deciding how much additional verification you need.

When should I avoid the quick fix for Permission denied (publickey)?

For "GitHub Actions permission denied publickey", avoid applying "Store the private key in a secret, add the matching public key to the target repo, and configure known_hosts before SSH commands." when the error text differs, the affected version or provider is different, or the change would touch credentials, billing, DNS, production deploy settings, or irreversible data.

What should I collect before debugging Permission denied (publickey)?

For "GitHub Actions permission denied publickey", collect the failing GitHub Actions command or request, non-secret configuration, versions, timestamps, request IDs when available, and the smallest reproduction that still triggers the signature.