update README

Author: johnstcn

README.md

@@ -185,6 +185,24 @@ envbuilder will assume SSH authentication. You have the following options:
       ghcr.io/coder/envbuilder
    ```
 
+1. Fetch the SSH key from Coder: as long as `CODER_AGENT_URL` and
+   `CODER_AGENT_TOKEN` are set, then envbuilder will attempt to fetch the
+   corresponding Git SSH key directly from Coder. Example:
+
+   ```terraform
+    resource "docker_container" "workspace" {
+      count = data.coder_workspace.me.start_count
+      image = "ghcr.io/coder/envbuilder:version"
+      name  =
+      "coder-${data.coder_workspace.me.owner}-${lower(data.coder_workspace.me.name)}"
+
+      env = [
+        "CODER_AGENT_TOKEN=${coder_agent.dev.token}",
+        "CODER_AGENT_URL=${data.coder_workspace.me.access_url}",
+        ...
+      ]
+   ```
+
 1. Agent-based authentication: set `SSH_AUTH_SOCK` and mount in your agent socket, for example:
 
   ```bash

git.go

@@ -176,6 +176,13 @@ func LogHostKeyCallback(log LoggerFunc) gossh.HostKeyCallback {
 // If SSH_PRIVATE_KEY_PATH is set, an SSH private key will be read from
 // that path and the SSH auth method will be configured with that key.
 //
+// If no SSH_PRIVATE_KEY_PATH is set, but CODER_AGENT_URL and CODER_AGENT_TOKEN
+// are both specified, envbuilder will attempt to fetch the corresponding
+// Git SSH key for the user.
+//
+// Otherwise, SSH authentication will fall back to SSH_AUTH_SOCK, in which
+// case SSH_AUTH_SOCK must be set to the path of a listening SSH agent socket.
+//
 // If SSH_KNOWN_HOSTS is not set, the SSH auth method will be configured
 // to accept and log all host keys. Otherwise, host key checking will be
 // performed as usual.