On CI machine, xcodebuild does not use correct .ssh keys for private GitHub SPM

Number:rdar://FB8248693 Date Originated:03.08.2020
Status:Open Resolved:
Product:Xcode Product Version:11.6
Classification:Incorrect/Unexpected Behavior Reproducible:
We are using Bitrise as a CI machine for our project and one of the dependencies is an SPM package, hosted in a private GitHub repository.

Locally, everything works great.

However, when we are trying to configure Bitrise, we always get errors like
Command line invocation:
    /Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild -resolvePackageDependencies
Resolve Package Graph
Fetching git@github.com:<redacted>.git
xcodebuild: error: Could not resolve package dependencies:
  Authentication failed because the credentials were rejected

On the same machine, 
`git clone git@github.com:<redacted>.git`
works great.

I don’t know if we are doing something wrong, or xcodebuild does not respect the SSH configuration when it resolves the dependencies, or something is not compatible with GitHub SSH.

But we were not able to make it work and had to switch to GitHub Private Access Tokens, which is less secure and less convenient in our case.

GitHub PATs are attached to an account, not a repository. And putting GitHub PAT into CI, gives CI access to all other repositories available from this account, not only to the SPM repo. With SSH keys we could in theory add separate repository-level keys to our main repo and SPM repo.

Steps to reproduce:
Add private GitHub repo as SPM package in Xcode via SSH.
Try to resolve dependencies on a CI like Bitrise.

Private SPM package is resolved correctly, when `git clone` works on the same machine for this repository

Actual result:
`git clone` works, but xcodebuild -resolvePackageDependencies fails with “Authentication failed because the credentials were rejected”


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!