Failed to checkout submodule

[yinonov]

Trying to checkout a repo with single submodule in it.

• both repos are part of the same organization
• both repos are private
• organization requires sso and ssh keys to access repos

the workflow fails at the following

steps:
  - name: Checkout
     uses: actions/checkout@v2
     with:
       ref: develop
       ssh-key: ${{ secrets.SSH_KEY }}
       submodules: true 

the failure message

Load key "/home/runner/work/_temp/dc2e5ba9-c8ee-424c-a39b-a15919ec6f72": invalid format
git@github.com: Permission denied (publickey).
##[error]fatal: Could not read from remote repository.

Not sure if I miss coded the flow, but it's unclear why I'm not able to access the remote repo with the SSH_KEY

[ericsciple]

Load key "/home/runner/work/_temp/dc2e5ba9-c8ee-424c-a39b-a15919ec6f72": invalid format

Is secrets.SSH_KEY the private key? Is it protected by a passphrase?

For that error, saw some interesting troubleshooting here throughout the various answers/comments. Especially the ones about different versions of OpenSSL and "Perhaps it has accidentally enabled FIPS mode and refuses any algorithms except those part of its original FIPS validation". It makes me wonder whether you are using a job container (may have an insufficient version OpenSSL), if so have you tried on the host machine instead (e.g. runs-on: ubuntu-latest)?

[ericsciple]

Also if it helps for troubleshooting, I think the following script should mostly preserve the characters accurately and dump the value to disk (havent tested, may need to write an extra line ending?):

jobs:
  runs-on: ubuntu-latest
  steps:
    - run: |
        echo "$MY_PRIVATE_KEY" > mykey
      env:
        MY_PRIVATE_KEY: ${{ secrets.SSH_KEY }}

Also could try steps here to create a new SSH key. Although would need to skip passphrase step

[yinonov]

I re-created the ssh key several times. switch to token instead for now as I think our organization disabled ssh-key authorization (except when used locally on machines). is it probable?
I've been meaning also to try out deploy keys. can they act as ssh-key?

[stijndehaes]

I tried this with deploy keys but these are only allowed to be deployed to one project. So you can't use it to checkout multiple projects. Not sure what the best way to do this is.

[samuelematias]

I have the same problem.
The project I'm using Actions is in an organization and the private repo I try to clone at the time of the build (e.g. org lib), the build fails saying it doesn't find the repository. I've tried everything, but nothing resolves.

[samuelematias]

I have the same problem.
The project I'm using Actions is in an organization and the private repo I try to clone at the time of the build (e.g. org lib), the build fails saying it doesn't find the repository. I've tried everything, but nothing resolves.

After 3 days, with this problem, I ended up managing to solve it, with the following steps:

1 - Create a new SSH PRIVATE KEY with ENABLE SSO and WITHOUT A PASSPHRASE SET ON THE PRIVATE KEY.

Follow this steps to create this ssh key, and in the password / confirm password part, press ENTER on both, that you will create it without the passphrase.
In my case, the repo both repos (app with actions and private repo/lib) are within an organization, so I had to activate the ENABLE SSO for this SHH KEY. To activate, go to YOUR GITHUB PROFILE -> SETTINGS -> SSH AND GPG KEYS, after click on NEW SSH KEY, after give a title to your SSH KEY, after copy your SSH KEY from the id_rsa.pub one you just created using this command on the terminal: pbcopy < ~/.ssh/id_rsa.pub and paste on KEY input, after this, click on ADD SHH KEY, and finally click on ENABLE SSO.

2 - Use the ssh-agent Action (Available on Actions Marketplace).

Follow this steps of Usage and REMEMBER! Use the SSH key should start with -----BEGIN ... PRIVATE KEY-----, consist of many lines and ends with -----END ... PRIVATE KEY-----,this key is in the ida_rsa file. Take the one you just created, open it in your text editor and COPY EVERYTHING! to the line at the blank end.

After all this process, it worked here 🚀!

I hope this helps to resolve the issue of you guys too.

Thanks!

[retorquere]

@samuelematias and you did not provide an ssh-key to the checkout action? Wouldn't that have it use an https url for checkout?

[ruohola]

Is secrets.SSH_KEY the private key? Is it protected by a passphrase?

Thanks! That was my problem. There doesn't seem to be any way to have a passphrase in the ssh-key.

[longquanzheng]

@samuelematias and you did not provide an ssh-key to the checkout action? Wouldn't that have it use an https url for checkout?

thanks for that hint. I swtiched to use HTTPS url and it works.