Currently the checkout action doesn't work with private repositories using a private submodule.
As a work-around we use the following in our workflow.
```yaml
steps:
  - name: clone main repository
    uses: actions/checkout@v2
  - name: clone submodule
    uses: actions/checkout@v2
    with:
      repository: our-organization/private-repo
      path: private-repo
      ref: v2
      ssh-key: ${{ secrets.SUBMODULE_SSH_KEY }}
      persist-credentials: false
```
It would be good if the checkout action would support some option to provide a different SSH_KEY for private submodules. E.g. SUBMODULE_SSH_KEY could be an organisation level SSH Key that allows pulling the repos.
This worked for me:
https://github.com/actions/checkout/issues/116#issuecomment-644419389
Thanks @marcofranssen, this is just what I needed. This is a partial solution.
For anyone else looking, deploy keys are a partial fix.
The problem with deploy keys and a separate clone submodules step is that you need to keep the submodule ref and the ref in github actions the same, editing the setting in two places.
Personal access tokens as suggested by @beroso work, but either involve giving access to all your repos, or creating a new machine user and adding them as a collaborator, big faff.
It would be great if github could provide a proper and simple way to clone private submodules.
For anyone else having trouble with this, I have a solution that doesn't require personal access tokens but keeps the reference to the child repo commit in one place (using git submodules)
```yaml
- name: clone submodule
  uses: actions/checkout@v2
  with:
    repository: <org name>/<repo name>
    path: path
    ssh-key: ${{ secrets.SSH_KEY }}
    persist-credentials: true
- name: checkout submodule
  run: |
    git submodule init
    git submodule update
```
Although the action checks out master, the git submodule commands check out the correct commit; this avoids having to keep the ref in GitHub Actions.
See, this is what I really want... just the persist-credentials part. Then I could have
```yaml
- uses: actions/deploykey@v?
  with: ssh-key
```
and all it does is make it so the next git command or ssh command can use that key.
Instead of using an SSH key (:scream: ) you can simply use a personal access token:
```yaml
- uses: actions/checkout@v2
  with:
    submodules: recursive
    token: ${{ secrets.ACCESS_TOKEN }}
```
Here the ACCESS_TOKEN variable is a personal access token.
> For anyone else having trouble with this, I have a solution that doesn't require personal access tokens but keeps the reference to the child repo commit in one place (using git submodules)

Correct me if I'm wrong, but this won't work for multiple private submodules, because each needs their own deploy key.
I ended up building a rudimentary private package manager for python to get round this problem.
I think the reason github aren't fixing it is that they think the long term solution should be their package manager(s).
I ended up just embedding the private keys for read-only deploy keys in the yml workflow files directly as ENV variables then following this advice with the hard coded strings instead of secrets (which aren't available for free in GitHub Org private repos): https://rgoswami.me/posts/priv-gh-actions/
Hacky and gross, but it works.
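For the case raised in the thread where several private submodules each need their own deploy key, one way to wire it up is an SSH host alias per key plus a git `insteadOf` rewrite per repository. This is an added example, not code from the thread or from actions/checkout; the function name, the `key-N.github.com` aliases, the output file names and the `owner/repo=keyfile` argument format are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: setup_deploy_keys,
# the key-N.github.com aliases, ssh_config/gitconfig output files.
# Usage: setup_deploy_keys OUTDIR owner/repo=/path/to/keyfile [...]
# Each repo gets its own Host alias bound to exactly one key, and git is told
# to rewrite that repo's SSH URL to the alias, so the matching key is offered.
setup_deploy_keys() {
    outdir=$1; shift
    mkdir -p "$outdir" || return 1
    ssh_cfg="$outdir/ssh_config"
    git_cfg="$outdir/gitconfig"
    : > "$ssh_cfg"
    : > "$git_cfg"
    n=0
    for pair in "$@"; do
        repo=${pair%%=*}
        key=${pair#*=}
        # Reject anything that could break out of the generated config files.
        case $repo in
            *[!A-Za-z0-9._/-]* | */*/*) echo "bad repo name: $repo" >&2; return 1 ;;
            ?*/?*) ;;
            *) echo "expected owner/repo, got: $repo" >&2; return 1 ;;
        esac
        [ -f "$key" ] || { echo "missing key file: $key" >&2; return 1; }
        chmod 600 "$key"   # ssh refuses private keys readable by others
        host_alias="key-$n.github.com"
        printf 'Host %s\n    HostName github.com\n    User git\n' "$host_alias" >> "$ssh_cfg"
        # IdentitiesOnly stops ssh from offering any other key to this alias.
        printf '    IdentityFile "%s"\n    IdentitiesOnly yes\n' "$key" >> "$ssh_cfg"
        printf '[url "git@%s:%s"]\n\tinsteadOf = git@github.com:%s\n' \
            "$host_alias" "$repo" "$repo" >> "$git_cfg"
        n=$((n + 1))
    done
}

# In a workflow step, after writing each deploy key from its own secret to a file
# (assumes .gitmodules uses git@github.com:owner/repo style URLs):
#   setup_deploy_keys "$RUNNER_TEMP/keys" our-org/lib-a="$RUNNER_TEMP/a.key" \
#                                         our-org/lib-b="$RUNNER_TEMP/b.key"
#   export GIT_SSH_COMMAND="ssh -F $RUNNER_TEMP/keys/ssh_config"
#   git config --global include.path "$RUNNER_TEMP/keys/gitconfig"
#   git submodule update --init
```

The `insteadOf` rewrite is a prefix match, so a configured `owner/repo` also captures URLs such as `owner/repo-extra`; list every private submodule explicitly so git's longest-match rule picks the right alias.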