GitHub Actions with multiple private submodules

Question

I'm trying to create a GH Actions job, which will download two submodules from private repositories. I want them to be downloaded with SSH keys which I have already generated.

I've been trying to it as so:

      - uses: actions/checkout@v2
        with:
          submodules: repo_1
          ssh-key: ${{ secrets.REPO_1 }}

      - uses: actions/checkout@v2
        with:
          submodules: repo_2
          ssh-key: ${{ secrets.REPO_2 }}

This code will create the folders of repo_1 and repo_2, but will be empty. I have not found a possible solution. Does anyone know how to download multiple private submodules with separate SSH keys?

Answer 1

      - uses: actions/checkout@v3
        with:
          token: ${{ secrets.GH_PAT }}
          submodules: recursive

You will need to create an encrypted secret called GH_PAT to store the personal access token. This token will need (at minimum) read-only access to the "Contents" category of the main repository and of all the submodules.

I tested this with the v3 of the Checkout action, but I think it will work with v2 as well.

Relevant documentation

Answer 2

Found a workaround:

steps:
      - name: Switch to HTTPS git
        run: |
          rm -f ~/.gitconfig
          git config --local --unset url."git@github.com".insteadOf https://github.com || echo "OK"
          git config --local --unset url."git://".insteadOf https:// || echo "OK"

      - uses: actions/checkout@v2

      - name: Switch to SSH git
        run: |
          git config --local --replace-all url."git@github.com".insteadOf https://github.com
          git config --local --add url."git://".insteadOf https://

      - name: Checkout submodules
        env:
          GIT_SSH_COMMAND: "ssh -o StrictHostKeyChecking=no"
        run: |
          eval `ssh-agent -s`

          echo "${{secrets.REPO_1}}" | ssh-add -
          git submodule update --init repo_1
          ssh-add -D


          echo "${{secrets.REPO_2}}" | ssh-add -
          git submodule update --init repo_2
          ssh-add -D

          eval `ssh-agent -k`

Answer 3

The documentation mentions:

# Whether to checkout submodules: `true` to checkout submodules or `recursive` to
    # recursively checkout submodules.
    #
    # When the `ssh-key` input is not provided, SSH URLs beginning with
    # `git@github.com:` are converted to HTTPS.
    #
    # Default: false
    submodules: ''

So submodules: repo_2 should not be correct.

For instance, this is a workflow with a recursive checkout of submodules (inside an existing repository reference)

      # Submodules recursive
      - name: Checkout submodules recursive
        uses: ./
        with:
          ref: test-data/v2/submodule-ssh-url
          path: submodules-recursive
          submodules: recursive
      - name: Verify submodules recursive
        run: __test__/verify-submodules-recursive.sh

It will checkout the repo github.com/actions/checkout branch test-data/v2%2Fsubmodule-ssh-url, which includes a .gitmodules with the names and SSH URL of the submodules.

To answer your original question:

• change your .gitmodules URL with

repo1:org1/repo1
repo2:org2/repo2

• Add GIT_SSH_COMMAND environment variable to ssh -F config, with config being a file with:

Host repo2
  Hostname github.com
  User git
  IdentityFile key2

Host repo2
  Hostname github.com
  User git
  IdentityFile key2

I don't know if it is possible to reference that file, generated with the right secrets.REPO_x, but what I can see from the checkout action is that you won"t have a native way to specify multiple keys for multiple submodule repositories.