Skip to content

NX1X/cloudflare-tunnel-ssh-action

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

cloudflare-tunnel-ssh-action

GitHub Marketplace Latest Release CI License: Apache 2.0 NXTools Views

Coming in v1.1.0 (currently in testing): multi-server deployment, configurable retry logic, host key verification, custom SSH directives, and a dedicated cleanup action. See feat/v1.1.0 for the work in progress.

Install cloudflared and configure SSH to connect through a Cloudflare Tunnel using a service token - zero-trust CI/CD access without exposing port 22 to the internet.

Part of the NXTools Collection by NX1X.


Quick Start

steps:
  - uses: NX1X/cloudflare-tunnel-ssh-action@v1
    with:
      cf-access-client-id:     ${{ secrets.CF_ACCESS_CLIENT_ID }}
      cf-access-client-secret: ${{ secrets.CF_ACCESS_CLIENT_SECRET }}
      ssh-private-key:         ${{ secrets.SSH_PRIVATE_KEY }}
      ssh-host:                ssh.example.com

  - name: Deploy
    run: ssh deploy@ssh.example.com "cd ~/app && docker compose up -d"

After the action runs, ssh, rsync, scp, and sftp all work in every subsequent step - no wrapper, no per-command setup.

New to this? See the Setup Guide for a complete walkthrough.


Inputs

Input Required Default Description
cf-access-client-id yes - Cloudflare Access service token ID
cf-access-client-secret yes - Cloudflare Access service token secret
ssh-private-key yes - SSH private key (Ed25519 or RSA)
ssh-host yes - SSH hostname routed through the tunnel (e.g. ssh.example.com)
ssh-user no deploy SSH username on the remote server
cloudflared-version no latest Pin a specific cloudflared release (e.g. 2025.4.0)
ssh-key-path no ~/.ssh/id_ed25519 Path to write the SSH private key
connect-timeout no 120 SSH ConnectTimeout in seconds
server-alive-interval no 30 SSH ServerAliveInterval in seconds
test-connection no true Run a test SSH command after setup to verify the tunnel

Supported Runners

Ubuntu/Debian only (installs cloudflared via .deb package):

  • ubuntu-latest (Ubuntu 24.04)
  • ubuntu-22.04
  • ubuntu-20.04

Documentation


Privacy

This action collects no data. No telemetry, no analytics, no external calls. All processing happens on your GitHub Actions runner. The source is fully open - read every line in action.yml.


License

Apache 2.0 - © 2026 NX1X