I am trying to configure GitHub Actions to connect to my server through SSH using Cloudflared, but I'm encountering the following issue when running the action:
My Action
```yaml
name: Deploy to Server
on:
  push:
    branches:
      - main
jobs:
  deploy:
    name: Deploy
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Set up Cloudflared
        run: |
          sudo mkdir -p --mode=0755 /usr/share/keyrings
          curl -fsSL .gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
          echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] jammy main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
          sudo apt-get update && sudo apt-get install cloudflared
      - name: Setup SSH
        run: |
          mkdir -p ~/.ssh
          echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          echo "${{ secrets.SSH_KNOWN_HOSTS }}" > ~/.ssh/known_hosts
          chmod 644 ~/.ssh/known_hosts
          cat <<EOF > ~/.ssh/config
          Host ${{ secrets.SSH_HOST }}
            User ${{ secrets.SSH_USER }}
            IdentityFile ~/.ssh/id_ed25519
            ProxyCommand cloudflared access ssh --hostname %h
          EOF
          chmod 600 ~/.ssh/config
        shell: bash
      - name: Deploy via SSH
        run: |
          ssh -vvv -o StrictHostKeyChecking=yes ${{ secrets.SSH_HOST }} "echo 'HelloWorld!'"
        shell: bash
```
Server Configuration:
- I created an SSH key pair on my local machine, added the private key to GitHub secrets (SSH_PRIVATE_KEY), and added the public key to the authorized_keys file on the server.
- The server is configured with Cloudflared, which uses this configuration:
```yaml
tunnel: footlab-pi
credentials-file: /etc/cloudflared/e894a30f-3b76-44e1-a530-665abf34a062.json
ingress:
  - hostname: footlab.uk
    service: https://proxy:443
    originRequest:
      originServerName: footlab.uk
  - hostname: ssh.footlab.uk
    service: ssh://host.docker.internal:22
  - service: http_status:404
```
The SSH subdomain (ssh.footlab.uk) is publicly accessible, and I can connect locally using it.
Error I am Getting:
When the GitHub Action runs, I get the following error:
```text
debug1: Reading configuration data /home/runner/.ssh/config
debug1: /home/runner/.ssh/config line 1: Applying options for ***
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Executing proxy command: exec cloudflared access ssh --hostname ***
debug1: identity file /home/runner/.ssh/id_ed25519 type -1
debug1: identity file /home/runner/.ssh/id_ed25519-cert type -1
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
Error: Process completed with exit code 255.
```
Question:
What might be the cause of the Connection closed by remote host error, and how can I properly configure the GitHub Action to successfully establish an SSH connection via Cloudflared? Could it be an issue with how Cloudflared is being invoked in the ProxyCommand or something else with the configuration?
What I Have Tried:
- Verified that the SSH private key is correctly added to GitHub secrets and the public key is authorized on the server.
- Checked the server Cloudflared tunnel configuration, which works locally.
- Added debugging (-vvv) to SSH to gather more information about the failure.
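
Added example, not part of the original post: a small shell filter that reads `ssh -vvv` output and reports the furthest stage the client reached, which separates a failure on the ProxyCommand path from one in host-key checking or key authentication. The function and stage names are this example's own; the marker strings are OpenSSH client messages, and the embedded log is an excerpt of the one quoted in the post.

```shell
# Classify how far an `ssh -vvv` run got, reading its debug output on stdin.
# Patterns are tested from the latest stage to the earliest, so the first
# match is the furthest point the client reached.
ssh_failure_stage() {
  _log=$(cat)
  case "$_log" in
    *"Authenticated to "*)            echo "authenticated" ;;
    *"Permission denied ("*)          echo "user-auth" ;;
    *"Host key verification failed"*) echo "host-key" ;;
    *"Remote protocol version"*)      echo "key-exchange" ;;
    *"Executing proxy command"*)      echo "proxy-command" ;;
    *)                                echo "no-connection" ;;
  esac
}

# Map a stage to the part of the workflow it implicates (wording is this example's).
stage_hint() {
  case "$1" in
    proxy-command) echo "ProxyCommand ran but no sshd banner came back; private key and known_hosts were not used yet" ;;
    key-exchange)  echo "banner received; session ended during key exchange, before the host key was checked" ;;
    host-key)      echo "known_hosts has no matching key for the Host name under StrictHostKeyChecking=yes" ;;
    user-auth)     echo "server rejected the offered key; check the private key, user and authorized_keys" ;;
    authenticated) echo "login succeeded; any failure is in the remote command" ;;
    *)             echo "ssh never started a connection or ProxyCommand" ;;
  esac
}

# Excerpt of the debug output quoted in the post (host masked as *** by GitHub).
page_log() {
  cat <<'EOF'
debug1: Executing proxy command: exec cloudflared access ssh --hostname ***
debug1: identity file /home/runner/.ssh/id_ed25519 type -1
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
EOF
}

stage=$(page_log | ssh_failure_stage)
echo "$stage: $(stage_hint "$stage")"
```

In a workflow step the same function can be fed live output, for example `ssh -vvv ... 2>&1 | tee ssh.log | ssh_failure_stage`.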