Cannot checkout submodules on github.com from a repository on GitHub Enterprise Server
I'm using GitHub Enterprise Server (GHES), say https://example.com, and I want to check out a repository on https://github.com as a git submodule.
But it seems that actions/checkout@v3 with submodules: recursive cannot check out a submodule located outside our GHES when the URL of the submodule is in SSH format. It raises the error "Host key verification failed." after trying to run git submodule update. The full logs are as follows:
Fetching submodules
/usr/bin/git submodule sync --recursive
/usr/bin/git -c protocol.version=2 submodule update --init --force --depth=1 --recursive
Submodule 'another-example' ([email protected]:nekketsuuu/another-example.git) registered for path 'another-example'
Submodule 'example' ([email protected]:nekketsuuu/example.git) registered for path 'example'
Cloning into '/home/runner/actions-runner/workdir/some-repository/some-repository/another-example'...
Cloning into '/home/runner/actions-runner/workdir/some-repository/some-repository/example'...
Host key verification failed.
Error: fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Error: fatal: clone of '[email protected]:nekketsuuu/example.git' into submodule path '/home/runner/actions-runner/workdir/some-repository/some-repository/example' failed
Failed to clone 'example'. Retry scheduled
Cloning into '/home/runner/actions-runner/workdir/some-repository/some-repository/example'...
Host key verification failed.
Error: fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Error: fatal: clone of '[email protected]:nekketsuuu/example.git' into submodule path '/home/runner/actions-runner/workdir/some-repository/some-repository/example' failed
Failed to clone 'example' a second time, aborting
Error: The process '/usr/bin/git' failed with exit code 1
What should I do to resolve this error?
Why This Failed
This error is caused by insufficient git configs for insteadOf. Let's look at the logs before fetching submodules:
Setting up auth for fetching submodules
/usr/bin/git config --global http.https://example.com/.extraheader AUTHORIZATION: basic ***
/usr/bin/git config --global --unset-all url.https://example.com/.insteadOf
/usr/bin/git config --global --add url.https://example.com/.insteadOf [email protected]:
/usr/bin/git config --global --add url.https://example.com/.insteadOf [email protected]:
Here actions/checkout@v3 configures HTTPS instead of SSH for our GHES, but not for github.com. This is because our GITHUB_SERVER_URL is set to example.com. See the following code:
- https://github.com/actions/checkout/blob/e6d535c99c374d0c3f6d8cd8086a57b43c6c700a/src/git-source-provider.ts#L200-L204
- https://github.com/actions/checkout/blob/e6d535c99c374d0c3f6d8cd8086a57b43c6c700a/src/git-auth-helper.ts#L134-L140
- https://github.com/actions/checkout/blob/e6d535c99c374d0c3f6d8cd8086a57b43c6c700a/src/git-auth-helper.ts#L65-L72
- https://github.com/actions/checkout/blob/e6d535c99c374d0c3f6d8cd8086a57b43c6c700a/src/url-helper.ts#L22-L28
- And https://docs.github.com/en/[email protected]/actions/learn-github-actions/environment-variables says
GITHUB_SERVER_URL is set to "The URL of the GitHub Enterprise Server server. For example: https://[hostname]."
How to Reproduce
- Create a repository on GHES and run git submodule add for a repository on github.com, using an SSH URL. You can also add a repository on GHES as a submodule. Then commit .gitmodules and the submodules.
      [submodule "example"]
          path = example
          url = [email protected]:nekketsuuu/example.git
      [submodule "another-example"]
          path = another-example
          url = [email protected]:nekketsuuu/another-example.git
- Create a workflow using actions/checkout@v3 to check out a repository including submodules.
      name: Pull Request CI
      on: [pull_request]
      jobs:
        example:
          runs-on: [self-hosted, ecs-runner]
          steps:
            - uses: actions/checkout@v3
              with:
                submodules: recursive
- Run the workflow.
Environment:
- GitHub Enterprise Server 3.5.1
- GitHub Actions on self-hosted runner on Amazon ECS
- git version 2.25.1
- Run actions/checkout@v3 with
      submodules: recursive
      repository: nekketsuuu/some-repository
      token: ***
      ssh-strict: true
      persist-credentials: true
      clean: true
      fetch-depth: 1
      lfs: false
      set-safe-directory: true
Related Issue
https://github.com/actions/checkout/issues/488
Workaround
We can avoid this behavior by using an HTTPS URL in .gitmodules if you just want to read submodule repositories and the repositories are public on github.com.
[submodule "example"]
path = example
- url = [email protected]:nekketsuuu/example.git
+ url = https://github.com/nekketsuuu/example.git
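The rewrite gap described under "Why This Failed", replayed offline as an added example (not part of the original issue and not code from actions/checkout). It assumes the masked `[email protected]:` prefix in the log stands for `git@<host>:` and that another-example lives on the GHES host; the .gitmodules content is constructed from the page's placeholder names.

```shell
#!/bin/sh
# Added example, not code from actions/checkout. Hostnames are the page's
# placeholders; the masked "[email protected]:" prefix is assumed to be
# "git@<host>:", and the .gitmodules content below is constructed.

# Run git against an isolated global config rooted at $CFG_HOME.
git_iso() {
    HOME="$CFG_HOME" XDG_CONFIG_HOME="$CFG_HOME/.config" GIT_CONFIG_NOSYSTEM=1 \
        git "$@"
}

# Mirror the logged setup: rewrite SSH URLs to HTTPS for one server host only.
configure_insteadof() {
    git_iso config --global --add "url.https://$1/.insteadOf" "git@$1:"
}

# Print the URL git would contact after insteadOf rewriting (no network I/O).
resolve_url() {
    git_iso ls-remote --get-url "$1"
}

# Print "name<TAB>resolved-url" for each submodule in the .gitmodules file $1
# whose URL is still not HTTPS after rewriting, i.e. would go over SSH.
ssh_submodules() {
    git_iso config -f "$1" --get-regexp '^submodule\..*\.url$' |
    while read -r key url; do
        resolved=$(resolve_url "$url")
        case "$resolved" in
            https://*) ;;
            *) name=${key#submodule.}
               printf '%s\t%s\n' "${name%.url}" "$resolved" ;;
        esac
    done
}

CFG_HOME=$(mktemp -d)
cat > "$CFG_HOME/gitmodules" <<'EOF'
[submodule "example"]
    path = example
    url = git@github.com:nekketsuuu/example.git
[submodule "another-example"]
    path = another-example
    url = git@example.com:nekketsuuu/another-example.git
EOF

# What the log shows: only the GITHUB_SERVER_URL host (example.com) is rewritten.
configure_insteadof example.com
ssh_submodules "$CFG_HOME/gitmodules"
```

Only `example` is listed: its github.com URL matches no insteadOf entry, so git keeps the SSH transport, which is where the host key check in the log fails.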
Anything new with this issue?