actions / checkout

Action for checking out a repo
https://github.com/features/actions
MIT License

Support for private submodules of private superprojects #924

Open pbasista opened 2 years ago

pbasista commented 2 years ago

Hi, I have noticed that this GitHub action supports checking out git submodules. I have also noticed that it supports configuring a private SSH key for accessing the repositories that are supposed to be checked out.

However, it seems like in such a scenario it is currently impossible to use only one SSH key that has access to a private submodule but does not have access to the superproject (the repository it is embedded in).

Consider a scenario where a private GitHub repository org/A has a private GitHub repository org/B as a submodule.

User creates a Deploy key for org/B. And they attempt to use it in a workflow within org/A for checking out the org/B submodule via this action. I am unsure how to achieve that.

When the SSH key is not set up, then checkout of org/A succeeds. But checkout of org/B fails because the workflow runs on repository org/A and there is no private key for accessing org/B.

If the SSH key is set up to the Deploy key of org/B, then the checkout of org/B might succeed. But the checkout of org/A fails due to the mentioned SSH key. It seems like it is used to check out all GitHub repositories, including the repository on which the workflow runs. And the configured Deploy key for org/B does not have access to org/A.

Is there a way to configure this GitHub action to only use the provided SSH key to check out repositories that are different than the repository where the workflow runs? I would ideally like to avoid creating another Deploy key for org/A and then use it within a workflow on the same repository.

The SSH keys I use as the Deploy keys already use the comment format git@github.com:owner/repo.git that is recommended by the webfactory/ssh-agent action. But it seems to have no effect within the checkout action.

sfullerbeckman commented 1 year ago

I also have been trying to do the same thing and haven't figured it out. Either there is a way that I am just missing or this hasn't been implemented yet. I opened a discussion here: https://github.com/actions/checkout/discussions/928

cardoe commented 1 year ago

Relates to #973

carlspring commented 1 year ago

Any updates on this?

segunjkf commented 1 year ago

I am also having the same error. Any update on this?

plakhin commented 1 year ago

I have org-x/repo-a with a submodule that is org-x/repo-b - another private repository of the same organization.

Getting a not found error:

  Submodule 'resources' (git@github.com:org-x/repo-b.git) registered for path 'resources'
  Cloning into '/home/runner/work/repo-a/repo-a/resources'...
  remote: Repository not found.
  Error: fatal: repository 'https://github.com/org-x/repo-b.git/' not found
  Error: fatal: clone of 'git@github.com:org-x/repo-b.git' into submodule path '/home/runner/work/repo-a/repo-a/resources' failed

Does anybody know how to solve this?

lesterli commented 1 year ago

@carlspring @segunjkf @plakhin You can use submodules and ssh-key, and configure a repository secret SSH_KEY for the superproject repo (org/A or org-x/repo-a); the SSH_KEY's value is the SSH private key associated with your GitHub account.

      - uses: actions/checkout@v3
        with:
          ssh-key: ${{ secrets.SSH_KEY }}
          submodules: true

It works fine.

sfullerbeckman commented 1 year ago

See my solution here: https://github.com/actions/checkout/discussions/928#discussioncomment-3871262
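
An added example, not posted by any participant in this thread and not taken from the actions/checkout project: a workflow for org/A that leaves the superproject checkout on the job's default token and uses a Deploy key only for the org/B submodule, which is the split asked for in the opening post. The secret name SUBMODULE_B_DEPLOY_KEY and the workflow and job names are assumptions, as is the submodule URL in .gitmodules being the SSH form (git@github.com:org/B.git).

```yaml
# Added example. Names marked "hypothetical" are not from the thread.
name: build                      # hypothetical workflow name
on: push

# The default GITHUB_TOKEN only needs to read org/A.
permissions:
  contents: read

jobs:
  build:                         # hypothetical job name
    runs-on: ubuntu-latest
    steps:
      # Step 1: superproject org/A.
      # No ssh-key input, so the action clones over HTTPS with the job's
      # GITHUB_TOKEN. Submodules are left alone here: the token is scoped to
      # org/A and cannot read org/B.
      - uses: actions/checkout@v3
        with:
          submodules: false

      # Step 2: load the Deploy key for org/B into an ssh-agent.
      # The key is registered as a read-only Deploy key on org/B only, so it
      # grants nothing on org/A or on any other repository.
      - uses: webfactory/ssh-agent@v0.9.0
        with:
          ssh-private-key: ${{ secrets.SUBMODULE_B_DEPLOY_KEY }}   # hypothetical secret name

      # Step 3: submodule org/B.
      # The URL in .gitmodules is an SSH URL, so git authenticates with the
      # key held by the agent instead of the token used in step 1.
      - name: Fetch submodule org/B over SSH
        run: git submodule update --init
```

Each credential here reaches exactly one repository, whereas an SSH key tied to a GitHub account can reach every repository that account can.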