Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot checkout submodules on github.com from a repository on GitHub Enterprise Server #934

Open
nekketsuuu opened this issue Sep 28, 2022 · 2 comments · May be fixed by webfactory/ssh-agent#163
Open

Cannot checkout submodules on github.com from a repository on GitHub Enterprise Server #934

nekketsuuu opened this issue Sep 28, 2022 · 2 comments · May be fixed by webfactory/ssh-agent#163

Comments

@nekketsuuu
Copy link

nekketsuuu commented Sep 28, 2022
edited

I'm using GitHub Enterprise Server (GHES), say https://example.com, and I want to checkout a repository on https://github.com as a git submodule.

But it seems that actions/checkout@v3 with submodules: recursive cannot checkout a submodule located outside our GHES when a URL of the submodule is in SSH format. It raises an error Host key verification failed. after trying to run git submodule update. Full logs are the followings:

Fetching submodules
  /usr/bin/git submodule sync --recursive
  /usr/bin/git -c protocol.version=2 submodule update --init --force --depth=1 --recursive
  Submodule 'another-example' ([email protected]:nekketsuuu/another-example.git) registered for path 'another-example'
  Submodule 'example' ([email protected]:nekketsuuu/example.git) registered for path 'example'
  Cloning into '/home/runner/actions-runner/workdir/some-repository/some-repository/another-example'...
  Cloning into '/home/runner/actions-runner/workdir/some-repository/some-repository/example'...
  Host key verification failed.
  Error: fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.
  Error: fatal: clone of '[email protected]:nekketsuuu/example.git' into submodule path '/home/runner/actions-runner/workdir/some-repository/some-repository/example' failed
  Failed to clone 'example'. Retry scheduled
  Cloning into '/home/runner/actions-runner/workdir/some-repository/some-repository/example'...
  Host key verification failed.
  Error: fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.
  Error: fatal: clone of '[email protected]:nekketsuuu/example.git' into submodule path '/home/runner/actions-runner/workdir/some-repository/some-repository/example' failed
  Failed to clone 'example' a second time, aborting
  Error: The process '/usr/bin/git' failed with exit code 1

What should I do to resolve this error?

Why This Failed

This error is caused by insufficient git configs for insteadOf. Let's see logs before fetching submodules:

Setting up auth for fetching submodules
  /usr/bin/git config --global http.https://example.com/.extraheader AUTHORIZATION: basic ***
  /usr/bin/git config --global --unset-all url.https://example.com/.insteadOf
  /usr/bin/git config --global --add url.https://example.com/.insteadOf [email protected]:
  /usr/bin/git config --global --add url.https://example.com/.insteadOf [email protected]:

Here actions/checkout@v3 configures HTTPS instead of SSH for our GHES, but not for github.com. This is because our GITHUB_SERVER_URL is set to example.com. See the following codes.

  • checkout/src/git-source-provider.ts

    Lines 200 to 204 in e6d535c

    if (settings.submodules) {
    // Temporarily override global config
    core.startGroup('Setting up auth for fetching submodules')
    await authHelper.configureGlobalAuth()
    core.endGroup()

  • checkout/src/git-auth-helper.ts

    Lines 134 to 140 in e6d535c

    // Configure HTTPS instead of SSH
    await this.git.tryConfigUnset(this.insteadOfKey, true)
    if (!this.settings.sshKey) {
    for (const insteadOfValue of this.insteadOfValues) {
    await this.git.config(this.insteadOfKey, insteadOfValue, true, true)
    }
    }

  • checkout/src/git-auth-helper.ts

    Lines 65 to 72 in e6d535c

    // Instead of SSH URL
    this.insteadOfKey = `url.${serverUrl.origin}/.insteadOf` // "origin" is SCHEME://HOSTNAME[:PORT]
    this.insteadOfValues.push(`git@${serverUrl.hostname}:`)
    if (this.settings.workflowOrganizationId) {
    this.insteadOfValues.push(
    `org-${this.settings.workflowOrganizationId}@github.com:`
    )
    }

  • checkout/src/url-helper.ts

    Lines 22 to 28 in e6d535c

    export function getServerUrl(url?: string): URL {
    let urlValue =
    url && url.trim().length > 0
    ? url
    : process.env['GITHUB_SERVER_URL'] || 'https://github.com'
    return new URL(urlValue)
    }
  • And https://docs.github.com/en/[email protected]/actions/learn-github-actions/environment-variables says GITHUB_SERVER_URL is set to "The URL of the GitHub Enterprise Server server. For example: https://[hostname]."

How to Reproduce

Click here to see steps to reproduce the above error

  1. Create a repository on GHES and run git submodule add for a repository on github.com, using SSH URL. Also you can add a repository on GHES as a submodule. Then commit .gitmodules and the submodules.

    [submodule "example"]
	path = example
	url = [email protected]:nekketsuuu/example.git
[submodule "another-example"]
	path = another-example
	url = [email protected]:nekketsuuu/another-example.git

  2. Create a workflow using actions/checkout@v3 to checkout a repository including submodules.

    name: Pull Request CI
on: [pull_request]
jobs:
  example:
    runs-on: [self-hosted, ecs-runner]
    steps:
      - uses: actions/checkout@v3
        with:
          submodules: recursive

  3. Run the workflow.

Environment:

  • GitHub Enterprise Server 3.5.1

  • GitHub Actions on self-hosted runner on Amazon ECS

  • git version 2.25.1

  • Run actions/checkout@v3 with

    submodules: recursive
repository: nekketsuuu/some-repository
token: ***
ssh-strict: true
persist-credentials: true
clean: true
fetch-depth: 1
lfs: false
set-safe-directory: true

Related Issue

#488
@nekketsuuu
Copy link
Author

Workaround

We can avoid this behavior by using HTTPS URL in .gitmodules if you just want to read submodule repositories and the repositories are public on github.com.

 [submodule "example"]
        path = example
-       url = [email protected]:nekketsuuu/example.git
+       url = https://github.com/nekketsuuu/example.git

This was referenced Feb 16, 2023
Open
Closed
@yedidyas
Copy link

Anything new with this issue?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

support GitHub Enterprise servers cardoe/ssh-agent
2 participants
@nekketsuuu @yedidyas