From afa48b9ec27a20ca07547c7827b0db67888229c5 Mon Sep 17 00:00:00 2001
From: David Stern <david@warp.dev>
Date: Mon, 13 Apr 2026 22:10:25 -0400
Subject: [PATCH] Add `ssh_key` secret parameter to support sync
 `setup_command`.

---
 .github/workflows/sync.yml       | 9 +++++++++
 examples/consuming-repo-sync.yml | 2 ++
 2 files changed, 11 insertions(+)

diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
index 910b891..bddc94f 100644
--- a/.github/workflows/sync.yml
+++ b/.github/workflows/sync.yml
@@ -56,6 +56,9 @@ on:
       warp_api_key:
         description: "Warp API key."
         required: true
+      ssh_key:
+        description: "Optional SSH private key for accessing private dependencies (e.g. private crates) during the setup command."
+        required: false
 
 concurrency:
   group: repo-sync-${{ github.repository == inputs.private_repo && 'private-to-public' || 'public-to-private' }}-${{ github.repository }}-${{ github.repository == inputs.private_repo && inputs.public_repo || inputs.private_repo }}
@@ -117,6 +120,12 @@ jobs:
       - name: Build conflict resolution agent image
         run: docker build -f .repo-sync/docker/conflict-resolution/Dockerfile -t repo-sync-conflict-resolution .repo-sync
 
+      - name: Setup SSH keys
+        if: secrets.ssh_key != ''
+        uses: webfactory/ssh-agent@v0.7.0
+        with:
+          ssh-private-key: ${{ secrets.ssh_key }}
+
       - name: Run setup command
         if: inputs.setup_command != ''
         run: ${{ inputs.setup_command }}
diff --git a/examples/consuming-repo-sync.yml b/examples/consuming-repo-sync.yml
index 9846d1f..93cfdda 100644
--- a/examples/consuming-repo-sync.yml
+++ b/examples/consuming-repo-sync.yml
@@ -60,6 +60,8 @@ jobs:
       # public_to_private_fixup_script: scripts/post-cherry-pick-fixup.sh
     secrets:
       app_private_key: ${{ secrets.REPO_SYNC_APP_PRIVATE_KEY }}
+      # Optional SSH key for fetching private dependencies during setup.
+      # ssh_key: ${{ secrets.REPO_SYNC_SSH_KEY }}
 
   # -----------------------------------------------------------------------
   # Restack: triggered when a sync PR is merged.