Possible conflict with webfactory/ssh-agent when using submodules

[mpdude]

Hey there 👋🏻 ,

I am one of the persons maintaining https://github.com/webfactory/ssh-agent, an action to set up the ssh-agent with keys stored in GHA secrets. Once keys are loaded into the SSH agent, git operations and also various package managers that build on top of it should be able to clone other private repos just fine.

In the case of using GitHub Deployment Keys – which are scoped to a single repository – we need a bit of trickery to make git use the right SSH key depending on the repo that shall be cloned. Details are here: https://github.com/webfactory/ssh-agent#support-for-github-deploy-keys.

Now there are reports (https://github.com/webfactory/ssh-agent/issues/91, https://github.com/webfactory/ssh-agent/issues/92) that when using the actions/checkout submodules switch, the webfactory/ssh-agent action stops working or it depends on the order in which actions/checkout and webfactory/ssh-agent are executed. I am not sure if that applies to scenarios with multiple deployment keys only, or to cloning repositories in general.

One hint given in https://github.com/webfactory/ssh-agent/issues/91#issuecomment-903044650 is that this action here does

"C:\Program Files\Git\bin\git.exe" config --global --unset-all url.https://github.com/.insteadOf

... although I still don't see the full picture yet 🧩. There is also this discussion.

I am opening this issue to discuss how we could best co-ordinate between both actions (or to learn what we're doing wrong on our side?).

Ideally, webfactory/ssh-agent should be usable both before and after actions/checkout.

And, when having to clone submodules from private repos with SSH deploy keys, it should be possible to have it before actions/checkout, specify: submodules: true|recursive for actions/checkout and have submodules cloned with the registered SSH keys without further ado.

[landsman]

I would love to see answer for this 😢