The Right Way to Deploy Private GitHub Repos to Your VPS
These articles are AI-generated summaries. Please check the original sources for full details.
Deploying code from a private repository to a VPS is a common task, but many tutorials rely on overly permissive methods like personal SSH keys or Personal Access Tokens. These methods grant more access than necessary, creating a security risk. This guide details how to set up repository-specific SSH deploy keys for secure and scoped access.
Deploy keys are the better fit: each key is attached to exactly one repository and is read-only by default (write access has to be enabled explicitly when the key is added), which matches the principle of least privilege. A compromised deploy key exposes one repository's code; a leaked personal credential can reach every repository and organization the account can see.
Why This Matters
There are several ways to authenticate to GitHub from a server: personal SSH keys (the server can act as you), Personal Access Tokens (tied to a user account; classic tokens are account-wide, and even fine-grained ones act as that user and expire), or repository-specific deploy keys (scoped to a single repository). Deploy keys follow the principle of least privilege: the server gets only what it needs to pull code, which shrinks the attack surface and limits what an attacker can do with a stolen key. Breaches that begin with exposed credentials are expensive, in direct cost and in reputation.
Key Insights
- SSH key types: ed25519 is the modern default. Keys are short, signing is fast, and there are no key-size or padding parameters to get wrong, unlike RSA, which must be generated at an adequate size (3072 bits or more) to be comparably strong.
- Least Privilege: Deploy keys embody this security principle, limiting access to only the required repository.
- /opt directory: the standard Linux location for optional, self-contained software, keeping deployed applications clearly separated from system files.
Working Example
# Create a deployment user: a system account with its home under /opt and no login shell
sudo adduser --system --group --home /opt/yourappname --shell /usr/sbin/nologin yourappname
sudo mkdir -p /opt/yourappname
sudo chown yourappname:www-data /opt/yourappname
# Generate a deploy key as that user (no login shell, so run commands with sudo -u rather than su)
sudo -u yourappname -H sh -c 'mkdir -p ~/.ssh && chmod 700 ~/.ssh'
# Empty passphrase (-N "") so unattended pulls work; file permissions are what protects the key
sudo -u yourappname -H ssh-keygen -t ed25519 -N "" -C "github-deploy-key-yourappname" -f /opt/yourappname/.ssh/id_ed25519_deploy_yourappname
# Register the public key under the repository's Settings > Deploy keys, leaving "Allow write access" unchecked
sudo cat /opt/yourappname/.ssh/id_ed25519_deploy_yourappname.pub
# Map the github-deploy host alias to this key; IdentitiesOnly stops ssh from offering any other key it can find
sudo -u yourappname -H tee /opt/yourappname/.ssh/config >/dev/null <<'EOF'
Host github-deploy
    HostName github.com
    User git
    IdentityFile /opt/yourappname/.ssh/id_ed25519_deploy_yourappname
    IdentitiesOnly yes
EOF
# Clone the repository through the alias
cd /opt/yourappname && sudo -u yourappname -H git clone git@github-deploy:yourusername/yourappname.git
Practical Applications
- Web Application Deployment: Companies like DigitalOcean use similar methods to allow secure deployments from private repositories to their managed servers.
- Pitfall: Using a personal SSH key for deployments grants excessive permissions; if compromised, an attacker gains access to every repository that key can reach. A related trap: by default ssh offers every key in the agent and every default identity file, so a dedicated deploy key on disk is not enough on its own. Pin it with IdentitiesOnly yes in the host alias so that only that key is ever presented.
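The audit below is an added example, not code from the original article or from any project it mentions. It checks, offline, that a deploy-key setup actually has the properties the pitfall above calls for: private key and .ssh directory not readable by others, an ed25519 key, and a host alias that pins exactly that key with IdentitiesOnly. It assumes the layout of the Working Example (a github-deploy alias and a key named id_ed25519_deploy_yourappname) and that the alias's IdentityFile is written as an absolute path. The function names audit_deploy_key, mode_of, make_fixture and verify_github_access are hypothetical, and the files make_fixture writes are constructed placeholders rather than real key material.

```shell
#!/bin/sh
# Added example (not from the original article): offline hygiene audit for a
# repository-scoped deploy key. Helper names are hypothetical.

# mode_of PATH -> symbolic mode from ls, e.g. "-rw-------" (portable across GNU/BSD)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# audit_deploy_key SSH_DIR HOST_ALIAS KEY_NAME
# Returns 0 when every check passes, 1 otherwise; prints one line per finding.
audit_deploy_key() {
    ssh_dir=$1; host_alias=$2; key="$1/$3"; pub="$key.pub"; cfg="$1/config"
    rc=0

    # 1. Directory and private key must not be group- or world-readable.
    [ "$(mode_of "$ssh_dir")" = "drwx------" ] || { echo "FAIL: $ssh_dir should be mode 700"; rc=1; }
    [ -f "$key" ] || { echo "FAIL: private key $key missing"; return 1; }
    [ "$(mode_of "$key")" = "-rw-------" ] || { echo "FAIL: $key should be mode 600"; rc=1; }

    # 2. Key algorithm: the first field of the public key names the type.
    [ -f "$pub" ] || { echo "FAIL: public key $pub missing"; return 1; }
    keytype=$(cut -d' ' -f1 "$pub")
    [ "$keytype" = "ssh-ed25519" ] || { echo "FAIL: key type is $keytype, expected ssh-ed25519"; rc=1; }

    # 3. The alias block must pin this key and forbid ssh from offering others.
    #    Extract only the lines belonging to "Host <alias>" (up to the next Host line).
    block=$(awk -v a="$host_alias" '
        /^[[:space:]]*Host[[:space:]]/ { inblk = ($2 == a) }
        inblk { print }' "$cfg" 2>/dev/null)
    [ -n "$block" ] || { echo "FAIL: no 'Host $host_alias' block in $cfg"; return 1; }
    norm=$(printf '%s\n' "$block" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    printf '%s\n' "$norm" | grep -Fxq "IdentityFile $key" \
        || { echo "FAIL: Host $host_alias does not use IdentityFile $key"; rc=1; }
    printf '%s\n' "$norm" | grep -Fxqi "IdentitiesOnly yes" \
        || { echo "FAIL: Host $host_alias lacks 'IdentitiesOnly yes' (ssh would also offer agent keys)"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $host_alias uses a scoped ed25519 deploy key with safe permissions"
    return "$rc"
}

# verify_github_access HOST_ALIAS: online check, not exercised by the offline run.
# With a deploy key GitHub replies "Hi owner/repo! You've successfully authenticated,
# but GitHub does not provide shell access." BatchMode prevents any interactive prompt.
verify_github_access() {
    ssh -T -o BatchMode=yes "git@$1" 2>&1
}

# make_fixture DIR: writes CONSTRUCTED placeholder files (not a real key) so the
# audit can be demonstrated without touching a real account. Prints the .ssh path.
make_fixture() {
    d="$1/.ssh"
    mkdir -p "$d" && chmod 700 "$d"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed-placeholder' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/id_ed25519_deploy_yourappname"
    chmod 600 "$d/id_ed25519_deploy_yourappname"
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey github-deploy-key-yourappname" \
        > "$d/id_ed25519_deploy_yourappname.pub"
    printf 'Host github-deploy\n    HostName github.com\n    User git\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$d/id_ed25519_deploy_yourappname" > "$d/config"
    echo "$d"
}

# Usage: sh audit.sh /opt/yourappname/.ssh github-deploy id_ed25519_deploy_yourappname
if [ "$#" -ge 3 ]; then
    audit_deploy_key "$@"
fi
```

Run it as the deployment user against the real .ssh directory after the Working Example; a non-zero exit means at least one of the three properties is missing. The config parser deliberately matches the IdentityFile line verbatim, so a tilde-relative path in the alias block is reported as a mismatch rather than silently accepted.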