Skip to content

Cannot checkout submodules on github.com from a repository on GitHub Enterprise Server #934

New issue
New issue
Open
webfactory/ssh-agent
#163
Open
Cannot checkout submodules on github.com from a repository on GitHub Enterprise Server#934
webfactory/ssh-agent
#163
@nekketsuuu

Description

@nekketsuuu
nekketsuuu
opened on Sep 28, 2022

I'm using GitHub Enterprise Server (GHES), say https://example.com, and I want to checkout a repository on https://github.com as a git submodule.

But it seems that actions/checkout@v3 with submodules: recursive cannot checkout a submodule located outside our GHES when a URL of the submodule is in SSH format. It raises an error Host key verification failed. after trying to run git submodule update. Full logs are the followings:

Fetching submodules
  /usr/bin/git submodule sync --recursive
  /usr/bin/git -c protocol.version=2 submodule update --init --force --depth=1 --recursive
  Submodule 'another-example' (git@example.com:nekketsuuu/another-example.git) registered for path 'another-example'
  Submodule 'example' (git@github.com:nekketsuuu/example.git) registered for path 'example'
  Cloning into '/home/runner/actions-runner/workdir/some-repository/some-repository/another-example'...
  Cloning into '/home/runner/actions-runner/workdir/some-repository/some-repository/example'...
  Host key verification failed.
  Error: fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.
  Error: fatal: clone of 'git@github.com:nekketsuuu/example.git' into submodule path '/home/runner/actions-runner/workdir/some-repository/some-repository/example' failed
  Failed to clone 'example'. Retry scheduled
  Cloning into '/home/runner/actions-runner/workdir/some-repository/some-repository/example'...
  Host key verification failed.
  Error: fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.
  Error: fatal: clone of 'git@github.com:nekketsuuu/example.git' into submodule path '/home/runner/actions-runner/workdir/some-repository/some-repository/example' failed
  Failed to clone 'example' a second time, aborting
  Error: The process '/usr/bin/git' failed with exit code 1

What should I do to resolve this error?

Why This Failed

This error is caused by insufficient git configs for insteadOf. Let's see logs before fetching submodules:

Setting up auth for fetching submodules
  /usr/bin/git config --global http.https://example.com/.extraheader AUTHORIZATION: basic ***
  /usr/bin/git config --global --unset-all url.https://example.com/.insteadOf
  /usr/bin/git config --global --add url.https://example.com/.insteadOf git@example.com:
  /usr/bin/git config --global --add url.https://example.com/.insteadOf org-1504@github.com:

Here actions/checkout@v3 configures HTTPS instead of SSH for our GHES, but not for github.com. This is because our GITHUB_SERVER_URL is set to example.com. See the following codes.

  • checkout/src/git-source-provider.ts

    Lines 200 to 204 in e6d535c

    if (settings.submodules) {
    // Temporarily override global config
    core.startGroup('Setting up auth for fetching submodules')
    await authHelper.configureGlobalAuth()
    core.endGroup()

  • checkout/src/git-auth-helper.ts

    Lines 134 to 140 in e6d535c

    // Configure HTTPS instead of SSH
    await this.git.tryConfigUnset(this.insteadOfKey, true)
    if (!this.settings.sshKey) {
    for (const insteadOfValue of this.insteadOfValues) {
    await this.git.config(this.insteadOfKey, insteadOfValue, true, true)
    }
    }

  • checkout/src/git-auth-helper.ts

    Lines 65 to 72 in e6d535c

    // Instead of SSH URL
    this.insteadOfKey = `url.${serverUrl.origin}/.insteadOf` // "origin" is SCHEME://HOSTNAME[:PORT]
    this.insteadOfValues.push(`git@${serverUrl.hostname}:`)
    if (this.settings.workflowOrganizationId) {
    this.insteadOfValues.push(
    `org-${this.settings.workflowOrganizationId}@github.com:`
    )
    }

  • checkout/src/url-helper.ts

    Lines 22 to 28 in e6d535c

    export function getServerUrl(url?: string): URL {
    let urlValue =
    url && url.trim().length > 0
    ? url
    : process.env['GITHUB_SERVER_URL'] || 'https://github.com'
    return new URL(urlValue)
    }
  • And https://docs.github.com/en/enterprise-server@3.5/actions/learn-github-actions/environment-variables says GITHUB_SERVER_URL is set to "The URL of the GitHub Enterprise Server server. For example: https://[hostname]."

How to Reproduce

Click here to see steps to reproduce the above error

  1. Create a repository on GHES and run git submodule add for a repository on github.com, using SSH URL. Also you can add a repository on GHES as a submodule. Then commit .gitmodules and the submodules.

    [submodule "example"]
	path = example
	url = git@github.com:nekketsuuu/example.git
[submodule "another-example"]
	path = another-example
	url = git@example.com:nekketsuuu/another-example.git

  2. Create a workflow using actions/checkout@v3 to checkout a repository including submodules.

    name: Pull Request CI
on: [pull_request]
jobs:
  example:
    runs-on: [self-hosted, ecs-runner]
    steps:
      - uses: actions/checkout@v3
        with:
          submodules: recursive

  3. Run the workflow.

Environment:

  • GitHub Enterprise Server 3.5.1

  • GitHub Actions on self-hosted runner on Amazon ECS

  • git version 2.25.1

  • Run actions/checkout@v3 with

    submodules: recursive
repository: nekketsuuu/some-repository
token: ***
ssh-strict: true
persist-credentials: true
clean: true
fetch-depth: 1
lfs: false
set-safe-directory: true

Related Issue

#488

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions