Unable to clone repo with a deploy key

[nkvojvodic]

We're unable to clone this repo when using the deploy key that's set up in our CircleCI. The key is correctly set up in github as a deploy key and we've been using it since 2021 with no issues (yes, we should probably rotate it). Here's the error message that git returns when trying to clone from within the CircleCI container:

root@408047b2bc79:~# git clone git@github.com:nvm-sh/nvm.git
Cloning into 'nvm'...
ERROR: Permission to nvm-sh/nvm.git denied to deploy key
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Using that same key to clone another public repo (ex: node) works fine so I'm assuming the issue is with this repo's settings rather than a global change.

Can you please look into any recent changes to this repo's settings?

[jennifer-shehane]

We're experiencing the same issue, with a deploy key setup through CircleCI, from within a CircleCI workflow.

[deepakmahakale]

Experiencing the same issue on circleci

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 13527  100 13527    0     0   218k      0 --:--:-- --:--:-- --:--:--  220k
=> Downloading nvm from git to '/home/circleci/.nvm'
=> Cloning into '/home/circleci/.nvm'...
ERROR: Permission to nvm-sh/nvm.git denied to deploy key
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Failed to clone nvm repo. Please report this!

Exited with code exit status 2

[cleverrocks]

We just started to face this issue in CircleCI pipeline. Here is the script and error detail:

Script:

#!/bin/bash -eo pipefail
wget -qO- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.3/install.sh | bash
export NVM_DIR="$HOME/.nvm"
[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
[ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion"
nvm install v16
nvm install 16.13.1
nvm alias default 16.13.1
echo 'export NVM_DIR="$HOME/.nvm"' >> $BASH_ENV
echo '[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"' >> $BASH_ENV

Error:

=> Downloading nvm from git to '/home/circleci/.nvm'
=> Cloning into '/home/circleci/.nvm'...
ERROR: Permission to nvm-sh/nvm.git denied to deploy key
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Failed to clone nvm repo. Please report this!

Exited with code exit status 2

CircleCI received exit code 2

[coiti]

This seems to happen because CircleCI sets git to change all GitHub HTTPS URLs to SSH URLs.

$ git config --list
# ...
url.ssh://git@github.com.insteadof=https://github.com

Is it possible that a deploy key was recently added to this repo?

[anovadox]

An ugly (TEMPORARY!) workaround for people that need this working now: use a user key in CircleCI instead of deploy.

We saw only our repos using deploy keys failing like this, and the few that make use of user keys for various reasons were not failing.

Be sure to make note of any projects you switch to user keys so you can go back and revert them to deploy keys!

[coiti]

Running this command in a step before installing Node fixes the issue:

git config --global --remove-section url."ssh://git@github.com"

Not completely sure about the repercussions though—nor why this config would be needed in the first place.

[ChuckCrawford]

I am curious what changed here. We ran into the same issue described here with "stock" CircleCI pipelines that have deploy keys and use Circle's official node orb.

It feels like this would have a pretty wide blast radius?

[nicklozon]

I too am here because my CircleCI builds are failing, but I can reproduce the issue locally by generating a new SSH key, adding it as a deploy key to a repo, and adding it to my SSH agent with no other keys, so it doesn't seem to be an issue with CircleCI specifically. I was also able to clone other public repos with the same key and configuration.

Edit: I do think it's CircleCI specifically - they must have forced cloning over ssh rather than https with some git config.

[cgrafton]

Same here. At the same time we started receiving the error described in this issue, we also started seeing the same error with a different repo. This leads me to believe CircleCi made a change that affects multiple packages. I will post both errors below, as they both started at the same time. Only the second error is related to this repo, but I think reporting both will help debug this issue.

Download ruby-advisory-db ...
Cloning into '/home/circleci/.local/share/ruby-advisory-db'...
ERROR: Permission to rubysec/ruby-advisory-db.git denied to deploy key
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
failed to download https://github.com/rubysec/ruby-advisory-db.git to "/home/circleci/.local/share/ruby-advisory-db"

Exited with code exit status 1

and

=> Downloading nvm from git to '/home/circleci/.nvm'
=> Cloning into '/home/circleci/.nvm'...
ERROR: Permission to nvm-sh/nvm.git denied to deploy key
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Failed to clone nvm repo. Please report this!

Exited with code exit status 2

[varorav]

Experiencing the same from CircleCI pipelines

[acookin]

cross-posting here just to amplify:

I think this is just an issue across the board with public github repos, we are also seeing:

Cloning into 'bats-core'...
ERROR: Permission to bats-core/bats-core.git denied to deploy key
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

my guess is that either circleci made a change to inject the insteadOf directive into the gitconfig:

~$ cat ~/.gitconfig
[safe]
    directory = *
[url "ssh://git@github.com"]
    insteadOf = https://github.com
[gc]
    auto = 0

or github changed the ability for deploy keys to clone public repos.

[nicklozon]

@acookin I think your gitconfig theory is correct. I can still clone public repos with a deploy key, and that may be dependent on whether the repo being cloned has any deploy keys or not. Considering everyone here is from CircleCI and it's affecting multiple repos, I highly doubt GitHub made any change or it'd have a much larger effect.

[nicklozon]

I've opened a support ticket with CircleCI and I suggest everyone that can do the same so they get eyes on this.

[o0khoiclub0o]

Running this command in a step before installing Node fixes the issue:

git config --global --remove-section url."ssh://git@github.com" Not completely sure about the repercussions though—nor why this config would be needed in the first place.

It works for me, thanks. I added following step before curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash:

      - run:
          name: "Temporary fix for ERROR: Permission to nvm-sh/nvm.git denied to deploy key"
          command: |
            git config --global --remove-section url."ssh://git@github.com"

[nicklozon]

Seems to be working now

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 15916  100 15916    0     0   295k      0 --:--:-- --:--:-- --:--:--  298k
=> Downloading nvm from git to '/home/circleci/.nvm'
=> Cloning into '/home/circleci/.nvm'...
remote: Enumerating objects: 378, done.        
remote: Counting objects: 100% (378/378), done.        
remote: Compressing objects: 100% (326/326), done.        
remote: Total 378 (delta 43), reused 163 (delta 25), pack-reused 0 (from 0)        
Receiving objects: 100% (378/378), 375.87 KiB | 34.17 MiB/s, done.
Resolving deltas: 100% (43/43), done.
* (HEAD detached at FETCH_HEAD)
  master

[nkvojvodic]

Confirmed, the issue seems resolved. I checked the .gitconfig files between the failed and successful builds (had SSH sessions open to both containers) and there are no differences. So far it's looking like this was a github issue rather than CircleCI or the settings of a specific repo but that's just guessing from limited info.

I'll keep the issue open for another hour or so just while we confirm the fix is stable and close it out after. Thanks for the group debugging and workarounds everyone!

[nicklozon]

@nkvojvodic you are correct - I was pretty certain it was CircleCI, but I was able to reproduce the issue locally and now I can't, so this was an issue with Github not allowing deploy-keys to clone certain repositories. Interesting.

[cleverrocks]

RESOLVED! It is working Again!!!

[ljharb]

Either way, it's got nothing to do with nvm.