Atlantis changing all git sources from ssh to https with Github App, preventing using SSH deploy key for private module repository

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Overview of the Issue

BACKGROUND: It was agreed with my GitHub org admin that the Atlantis Github app only is only installed on our team's repositories, but provided a read-only Github deploy SSH key for a shared private terraform modules repository.

I have Atlantis set up with a Github App. On top I'm trying to use a Github deploy SSH key to pull private modules, but Atlantis adds an entry to .gitconfig changing all git sources from ssh to https.

The private repository set up with the Github deploy key only has an SSH endpoint. So the connection fails when git changes it to https:

running "/atlantis-data/bin/terraform1.8.0 init -input=false" in "/atlantis-data/repos/myOrg/myRepo/62/default/terraform/atlantis-test": exit status 1

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing modules...
Downloading git::ssh://git@github.com/myOrg/myPrivateRepo.git?ref=aws_s3_bucket%2Fv2.2.0 for s3_bucket...
╷
│ Error: Failed to download module
│ 
│   on main.tf line 5:
│    5: module "s3_bucket" {
│ 
│ Could not download module "s3_bucket" (main.tf:5) source code from
│ "git::ssh://git@github.com/myOrg/myPrivateRepo.git?ref=aws_s3_bucket%2Fv2.2.0":
│ error downloading
│ 'ssh://git@github.com/myOrg/myPrivateRepo.git?ref=aws_s3_bucket%2Fv2.2.0':
│ /usr/bin/git exited with 128: Cloning into
│ '.terraform/modules/s3_bucket'...
│ remote: Repository not found.
│ fatal: repository 'https://github.com/myOrg/myPrivateRepo.git/' not
│ found
│ 
╵

Atlantis is adding the following entry to .gitconfig (code):

[url "https://x-access-token/@github.com"]
        insteadOf = ssh://git@github.com

It works OK if I manually change the entry so it's less greedy:

[url "https://x-access-token/@github.com"]
        insteadOf = ssh://git@github.com:myOrg/myRepo.git

I also tried using GIT_CONFIG_GLOBAL to override the file completely… but the git config --global command Atlantis runs just writes to this new file.

And XDG_CONFIG_HOME… but the config files seem to work additively, so nothing I add seem to override the rule Atlantis is adding.

I also tried to set GIT_CONFIG_GLOBAL=/dev/null like the documentations says. so it skips the file and uses the system configuration… but the git config --global command Atlantis runs then throws an error so Atlantis doesn’t start.

I ran out of ideaas, is there any .gitconfig entry or variable that can be used to override this behavior? Or is it necessary to change a application logic?

Environment details

Atlantis version: v0.27.2
Chart version: atlantis-4.25.0
Deployment method: helm to eks

Atlantis server-side config file:

repoConfig: |
  repos:
  - id: /.*/
    plan_requirements: [undiverged]
    apply_requirements: [approved, mergeable, undiverged]
    import_requirements: [approved, mergeable, undiverged]

config:

config: |
  repo-allowlist: github.com/myOrg/myRepo
  checkout-strategy: merge
  enable-diff-markdown-format: true
  hide-prev-plan-comments: true
  autoplan-file-list: '**/*.tf,**/.terraform.lock.hcl'
  autoplan-modules: true
  parallel-apply: true
  parallel-plan: true
  var-file-allowlist: ""

runatlantis / atlantis