Coming in v1.1.0 (currently in testing): multi-server deployment, configurable retry logic, host key verification, custom SSH directives, and a dedicated cleanup action. See feat/v1.1.0 for the work in progress.
Install cloudflared and configure SSH to connect through a Cloudflare Tunnel using a service token - zero-trust CI/CD access without exposing port 22 to the internet.
Part of the NXTools Collection by NX1X.
```yaml
steps:
  - uses: NX1X/cloudflare-tunnel-ssh-action@v1
    with:
      cf-access-client-id: ${{ secrets.CF_ACCESS_CLIENT_ID }}
      cf-access-client-secret: ${{ secrets.CF_ACCESS_CLIENT_SECRET }}
      ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
      ssh-host: ssh.example.com
  - name: Deploy
    run: ssh deploy@ssh.example.com "cd ~/app && docker compose up -d"
```

After the action runs, ssh, rsync, scp, and sftp all work in every subsequent step - no wrapper, no per-command setup.
New to this? See the Setup Guide for a complete walkthrough.
| Input | Required | Default | Description |
|---|---|---|---|
| `cf-access-client-id` | yes | - | Cloudflare Access service token ID |
| `cf-access-client-secret` | yes | - | Cloudflare Access service token secret |
| `ssh-private-key` | yes | - | SSH private key (Ed25519 or RSA) |
| `ssh-host` | yes | - | SSH hostname routed through the tunnel (e.g. `ssh.example.com`) |
| `ssh-user` | no | `deploy` | SSH username on the remote server |
| `cloudflared-version` | no | `latest` | Pin a specific cloudflared release (e.g. `2025.4.0`) |
| `ssh-key-path` | no | `~/.ssh/id_ed25519` | Path to write the SSH private key |
| `connect-timeout` | no | `120` | SSH ConnectTimeout in seconds |
| `server-alive-interval` | no | `30` | SSH ServerAliveInterval in seconds |
| `test-connection` | no | `true` | Run a test SSH command after setup to verify the tunnel |
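
What makes plain `ssh`, `rsync`, `scp` and `sftp` work without a wrapper is a per-host `ProxyCommand` in the SSH client config. The sketch below is an added example, not code from `action.yml`: it renders such a block using the defaults from the inputs table, and it assumes cloudflared picks up the service token from its `TUNNEL_SERVICE_TOKEN_ID` / `TUNNEL_SERVICE_TOKEN_SECRET` environment variables. The function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not the action's own code. Defaults mirror the inputs table.

# Print an ssh_config Host block that routes one hostname through cloudflared.
# Args: ssh-host [ssh-user] [ssh-key-path] [connect-timeout] [server-alive-interval]
render_tunnel_host_block() {
  local host="$1" user="${2:-deploy}" key="$3" timeout="${4:-120}" alive="${5:-30}"
  [ -n "$key" ] || key='~/.ssh/id_ed25519'   # ssh expands "~" itself

  # These values are interpolated into a config file: refuse anything that
  # could smuggle in whitespace, newlines or extra directives.
  case "$host" in ''|*[!A-Za-z0-9.-]*) echo "invalid ssh-host" >&2; return 1 ;; esac
  case "$user" in ''|*[!A-Za-z0-9._-]*) echo "invalid ssh-user" >&2; return 1 ;; esac
  case "$timeout$alive" in ''|*[!0-9]*) echo "invalid timeout" >&2; return 1 ;; esac
  case "$key" in *[[:space:]]*) echo "invalid ssh-key-path" >&2; return 1 ;; esac

  # No token in this file or in argv: cloudflared reads the service token from
  # TUNNEL_SERVICE_TOKEN_ID / TUNNEL_SERVICE_TOKEN_SECRET in the environment.
  cat <<EOF
Host $host
  User $user
  IdentityFile $key
  IdentitiesOnly yes
  ConnectTimeout $timeout
  ServerAliveInterval $alive
  ProxyCommand cloudflared access ssh --hostname %h
EOF
}

# Write key and config under $1 (normally ~/.ssh) with owner-only permissions.
# Args: ssh-dir ssh-host private-key-material
install_tunnel_ssh() {
  local dir="$1" host="$2" key_material="$3" block
  block="$(render_tunnel_host_block "$host" deploy "$dir/id_ed25519")" || return 1
  (
    umask 077                                  # files are created 0600
    mkdir -p "$dir" && chmod 700 "$dir" &&
    printf '%s\n' "$key_material" > "$dir/id_ed25519" &&
    printf '%s\n' "$block" >> "$dir/config"
  )
}
```

Keeping the token in the environment rather than in the config or on the command line means it does not end up in a file on disk or in the runner's process list.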
Ubuntu/Debian only (installs cloudflared via .deb package):
- `ubuntu-latest` (Ubuntu 24.04)
- `ubuntu-22.04`
- `ubuntu-20.04`
- Setup Guide & Examples - full walkthrough, real-world workflows, and troubleshooting
- Roadmap - planned features
- Changelog - version history
- Security - vulnerability reporting and security practices
- Contributing - how to contribute
This action collects no data. No telemetry, no analytics, no external calls. All processing happens on your GitHub Actions runner. The source is fully open - read every line in action.yml.
Apache 2.0 - © 2026 NX1X