Organization ssh url will not support submodule checkout #570

Closed
@bauergeorg

Description

If you have a repository with submodules of your own organization linked with organization-ssh-url: the checkout will fail!

In detail:
A few weeks ago GitHub changed the ssh-clone-url from: git@github.com:my-org/my-repo.git into org-git12345678@github.com:my-org/my-repo.git. If you generate a repo with submodules linked by the org-ssh-url style your recursive checkout of the submodule will fail with the following messages:

  • fatal: Could not read from remote repository.
  • fatal: clone of 'org-12345678@github.com:my-org/my-repo.git' into 'home/...' failed.

Extract of the workflow-file:

      - name: Checkout with submodules
        uses: actions/checkout@v2
        with:
          token: ${{ secrets.CI_PAT }} # is a secret that contains our PAT
          submodules: recursive

Some background info:
I asked the support why they changed the git- into the org-12345678-option months ago.

This change was made to allow users to have a different SSH configuration for organization repositories, as users may use different keys or different accounts for organization repositories.
It is possible to allow org-12345678-options
I asked if it is possible to change the clone-url back into the git-option. Or to set a default in my organization.

There's no way to change the URL displayed by default, but you can still use the git@ URL if you don't need an organization-specific configuration.

To replace the "org-12345678" with "git" is only a workaround. I generated a script which checks all ".gitsubmodule"-files in my organization and reports to me. It feels a little crazy...

Proposal:
In the readme you comment:

When the ssh-key input is not provided, SSH URLs beginning with git@github.com: are converted to HTTPS.

Is there an option to convert org-12345678-urls?

Activity

ericsciple commented on Aug 25, 2021

@ericsciple
Contributor

@bauergeorg could you clarify the following statement:

A few weeks ago github changed the ssh-clone-url from: git@github.com:my-org/my-repo.git into org-git12345678@github.com:my-org/my-repo.git.

I am not aware of anything that changed on the service. Did your checked-in submodule configuration change in your repo?

bauergeorg commented on Aug 26, 2021

@bauergeorg
Author

@ericsciple If you copy the ssh url of your organization repo, the displayed ssh url starts with "org-12345678@github.com". In the past it started with "git@github.com". (I think they changed that around May '21.)

See screenshot below:

image

If you check out a single repo without submodules both work. But if you have an "org"-format in your ".submodules" file it won't work. You have to change it into "git@github.com"-style.

bauergeorg commented on Aug 26, 2021

@bauergeorg
Author

@ericsciple

Did your checked-in submodule configuration change in your repo?

No. ".gitsubmodules" in this style works:

[submodule "example1"]
	path = example1
	url = git@github.com:my-org/example1.git
[submodule "example2"]
	path = example2
	url = git@github.com:my-org/example2.git

And in this style it won't work:

[submodule "example1"]
	path = example1
	url = org-12345678@github.com:my-org/example1.git
[submodule "example2"]
	path = example2
	url = org-12345678@github.com:my-org/example2.git

ericsciple commented on Aug 30, 2021

@ericsciple
Contributor

@bauergeorg can you confirm you are not providing the input ssh-key? When not provided, the checkout action will only convert submodule URLs like git@github.com: to https://. From the docs:

    # Whether to checkout submodules: `true` to checkout submodules or `recursive` to
    # recursively checkout submodules.
    #
    # When the `ssh-key` input is not provided, SSH URLs beginning with
    # `git@github.com:` are converted to HTTPS.
    #
    # Default: false
    submodules: ''

It's strange that the clone URL in the UI is different for you. Mine are always like git@github.com. I can reach out to folks from the repos team to understand why yours are different.

ericsciple commented on Aug 31, 2021

@ericsciple
Contributor

@bauergeorg I learned the format org-<NUMBER>@github.com: is used when SSH certificate authentication is enabled.

From the git docs, it doesn't look like insteadOf supports globs/regexes. However, we might be able to construct the value from the info in the GitHub event payload.

Can you add the following step to one of your workflows and confirm whether .repository.owner.id. matches the org-<NUMBER>@github.com: value?

      - name: Dump github.event context
        env:
          GITHUB_CONTEXT: ${{ toJson(github.event) }}
        run: echo "$GITHUB_CONTEXT"

bauergeorg commented on Sep 13, 2021

@bauergeorg
Author

Sorry for the late answer:

can you confirm you are not providing the input ssh-key

Yes, of course I activated SSH certificate authentication. But it's not required.

Can you add the following step to one of your workflows and confirm whether .repository.owner.id. matches the org-<NUMBER>@github.com: value?

Yes the number matches!

{
  "organization": {...},
  "ref": "refs/heads/main",
  "repository": {
    ...
    "owner": {
      ...
      "id": 79205061,
      "login": "rohmanngmbh",
      ...
    },
    ...
  },
  "sender": {
  ...
  },
  "workflow": ".github/workflows/main.yml"
}
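
The approach discussed above, as an added example that is not part of the thread or the actions/checkout source: since insteadOf matches literal prefixes only, the org-<NUMBER>@github.com: prefix is built from repository.owner.id in the event payload and listed next to git@github.com:. The function names, the https://github.com/ base and the sample .gitmodules text are assumptions; the owner id is the one from the payload above.

```javascript
// Added example (not actions/checkout code): git's url.<base>.insteadOf is a
// literal prefix match, so every SSH prefix to rewrite must be listed exactly.

// Collect {name, url} for each [submodule "..."] section of a .gitmodules file.
function parseGitmodules(text) {
  const modules = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const section = line.match(/^\[submodule "(.+)"\]$/);
    const kv = line.match(/^url\s*=\s*(.+)$/);
    if (section) modules.push({ name: section[1], url: null });
    else if (kv && modules.length) modules[modules.length - 1].url = kv[1];
  }
  return modules;
}

// Prefixes to rewrite: git@<host>: always, plus org-<id>@<host>: when the
// event payload carries repository.owner.id (the value checked in the thread).
function insteadOfValues(event, host = 'github.com') {
  const values = [`git@${host}:`];
  const id = event?.repository?.owner?.id;
  if (Number.isInteger(id)) values.push(`org-${id}@${host}:`);
  return values;
}

// Replace the longest matching literal prefix with base; otherwise unchanged.
function rewrite(url, base, prefixes) {
  const hit = prefixes.filter((p) => url.startsWith(p))
    .sort((a, b) => b.length - a.length)[0];
  return hit ? base + url.slice(hit.length) : url;
}

// Rewritten URL per submodule for a given event payload.
function plan(gitmodules, event) {
  const prefixes = insteadOfValues(event);
  return parseGitmodules(gitmodules).map((m) => ({
    name: m.name, url: rewrite(m.url, 'https://github.com/', prefixes),
  }));
}

// Constructed sample input; the owner id is the one shown in the thread.
const EVENT = { repository: { owner: { id: 79205061 } } };
const GITMODULES = `[submodule "example1"]
  url = git@github.com:my-org/example1.git
[submodule "example2"]
  url = org-79205061@github.com:my-org/example2.git`;

console.log(plan(GITMODULES, EVENT)); // with the owner id in the payload
console.log(plan(GITMODULES, {}));    // with only the git@ prefix known
```

With only the git@ prefix known, the org-style submodule URL is left as SSH, so the token passed to the action is never used for it.
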

ericsciple commented on Oct 22, 2021

@ericsciple
Contributor

draft pr here

i need to do some e2e testing

bauergeorg commented on Oct 29, 2021

@bauergeorg
Author

@ericsciple thanks a lot!

ericsciple commented on Nov 2, 2021

@ericsciple
Contributor

just released v2.4.0, pushing the v2 tag forward now...

cilasbeltrame commented on Nov 25, 2022

@cilasbeltrame

Hello @ericsciple, for me it's still not working with the below config:

[submodule "example1"]
	path = example1
	url = git@github.mydomain.com:my-org/example1.git

The only difference is that we have an additional name; it's GH Enterprise. I have a git app with a token, so I'd like to use HTTPS. It's trying to use ssh and we got access denied.

Can you help with that?
