Forum Discussion
Former Member
3 years ago
Agent doesn't work with Git inside a Node.js script using a SSH + SSO key on GitHub
I've been trying to switch to using the 1P SSH Agent full-time and while it's working great for my regular servers' SSH and commit signing, the SSH Git(Hub) connections are giving me issues when git is run from/by a Node.js script when using a key in a repo that uses https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/authorizing-an-ssh-key-for-use-with-saml-single-sign-on
The problem
Considering the following SSH config:
```
Host *
  IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

Host github.com
  IdentityFile ~/.ssh/keys/github.pub
```
Where github.pub is the public key of an SSH key from my vault.
Using the git CLI in a regular context (fish shell 3.5.1 in iTerm2 3.5.0beta9) works fine and prompts the Agent like expected:
However, running inside the same repo but using the git command inside a script causes an error. Considering the following script:
```
import { exec } from "child_process";

(async () => {
  exec(
    'GIT_SSH_COMMAND="ssh -v" git pull',
    { cwd: process.cwd() },
    console.log
  );
})();
```
yields the following error when run:
```
debug1: SSH2_MSG_EXT_INFO received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/damien/.ssh/keys/github.pub ED25519 SHA256:4qAKLnbwSPfhZggpEDaJRo5SQe982Do8A6vOS6jAcEM explicit agent
debug1: Server accepts key: /Users/damien/.ssh/keys/github.pub ED25519 SHA256:4qAKLnbwSPfhZggpEDaJRo5SQe982Do8A6vOS6jAcEM explicit agent
sign_and_send_pubkey: signing failed for ED25519 "/Users/damien/.ssh/keys/github.pub" from agent: agent refused operation
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.
```
With those interesting warnings in 1Password's log file when the script runs:
```
WARN 2023-01-06T20:16:59.064 tokio-runtime-worker(ThreadId(6)) [1P:ssh/op-session-info/src/macos.rs:37] no top level process found, launchd is missing from process tree
WARN 2023-01-06T20:16:59.064 tokio-runtime-worker(ThreadId(6)) [1P:ssh/op-ssh-agent/src/lib.rs:426] Unable to get client_info for pid: 1077
```
My current (hacky) workaround
After battling for two days with my SSH config file I figured out a workaround. It's not pretty but it works fine:
- Remove the Git bit from my main ssh config
- Create another config file in `.ssh`, named `config-git`
- Put the Git bit from before in that newly created file
- Set the `GIT_SSH_COMMAND` value to `ssh -F ~/.ssh/config-git`
- Export the private key of my Git SSH key
- Run `ssh-add --apple-use-keychain <path_to_key_file>`
- Now both a regular `git pull` and the script above works.
1Password Version: 1Password for Mac 8.9.12 (80912004)
Extension Version: Not Provided
OS Version: macOS 13.1
Browser: Not Provided
12 Replies
- Former Member
Is this your full script or a minimal reproduction - is the environment via process.env passed along the full chain so things like the DBUS_SESSION_BUS_ADDRESS env var are available? You can obviously test this easily enough, try to diff the env output for times it works and times it doesn't
```
exec(
  'env',
  { cwd: process.cwd() },
  console.log
);
```
btw, it's kind of a guess that it's DBUS_SESSION_BUS_ADDRESS based on
- Former Member
It seems I can't edit my message but, after testing some more, the default configuration (one single file and the 1P agent globally) sometimes works and sometimes doesn't. It might work on one run of the script above but then won't on another one. It's all very weird.
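
The environment comparison suggested in the first reply, written out as an added example that is not part of the original thread: it parses two `env` dumps, one from the interactive shell where `git pull` works and one from the child process spawned by the Node.js script, and reports which variables are missing, added or changed. Both dumps are constructed sample data, and the function names (`parseEnv`, `diffEnv`, `captureChildEnv`) are hypothetical.

```javascript
// Added example: diff two `env` dumps to see what a script-spawned git/ssh
// process receives compared with the interactive shell where it works.

// Parse `env` output (KEY=value per line) into a Map. Values may contain "=".
function parseEnv(text) {
  const vars = new Map();
  for (const line of text.split("\n")) {
    const eq = line.indexOf("=");
    if (eq > 0) vars.set(line.slice(0, eq), line.slice(eq + 1));
  }
  return vars;
}

// Compare the working environment with the failing one.
function diffEnv(working, failing) {
  const missing = [], added = [], changed = [];
  for (const [key, value] of working) {
    if (!failing.has(key)) missing.push(key);
    else if (failing.get(key) !== value) changed.push(key);
  }
  for (const key of failing.keys()) if (!working.has(key)) added.push(key);
  return { missing: missing.sort(), added: added.sort(), changed: changed.sort() };
}

// Capture the environment a child of this Node.js process actually receives
// (same exec() call shape as the script in the post). Defined, not called here.
async function captureChildEnv() {
  const { exec } = await import("node:child_process");
  return new Promise((resolve, reject) =>
    exec("env", { cwd: process.cwd() }, (err, stdout) =>
      err ? reject(err) : resolve(parseEnv(stdout))));
}

// Constructed sample dumps (not taken from the thread).
const SHELL_ENV = `HOME=/Users/example
PATH=/opt/homebrew/bin:/usr/bin:/bin
SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.EXAMPLE/Listeners
TERM_PROGRAM=iTerm.app
LANG=en_US.UTF-8`;
const SCRIPT_ENV = `HOME=/Users/example
PATH=/usr/bin:/bin
GIT_SSH_COMMAND=ssh -v
LANG=en_US.UTF-8`;

const report = diffEnv(parseEnv(SHELL_ENV), parseEnv(SCRIPT_ENV));
console.log(JSON.stringify(report, null, 2));
```

To use it on real data, save `env` output from the working shell to a file, parse it with `parseEnv`, and pass it to `diffEnv` together with the result of `captureChildEnv()`.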