Cannot checkout submodules on github.com from a repository on GitHub Enterprise Server

[nekketsuuu]

I'm using GitHub Enterprise Server (GHES), say https://example.com, and I want to checkout a repository on https://github.com as a git submodule.

But it seems that actions/checkout@v3 with submodules: recursive cannot checkout a submodule located outside our GHES when a URL of the submodule is in SSH format. It raises an error Host key verification failed. after trying to run git submodule update. Full logs are the followings:

Fetching submodules
  /usr/bin/git submodule sync --recursive
  /usr/bin/git -c protocol.version=2 submodule update --init --force --depth=1 --recursive
  Submodule 'another-example' (git@example.com:nekketsuuu/another-example.git) registered for path 'another-example'
  Submodule 'example' (git@github.com:nekketsuuu/example.git) registered for path 'example'
  Cloning into '/home/runner/actions-runner/workdir/some-repository/some-repository/another-example'...
  Cloning into '/home/runner/actions-runner/workdir/some-repository/some-repository/example'...
  Host key verification failed.
  Error: fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.
  Error: fatal: clone of 'git@github.com:nekketsuuu/example.git' into submodule path '/home/runner/actions-runner/workdir/some-repository/some-repository/example' failed
  Failed to clone 'example'. Retry scheduled
  Cloning into '/home/runner/actions-runner/workdir/some-repository/some-repository/example'...
  Host key verification failed.
  Error: fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.
  Error: fatal: clone of 'git@github.com:nekketsuuu/example.git' into submodule path '/home/runner/actions-runner/workdir/some-repository/some-repository/example' failed
  Failed to clone 'example' a second time, aborting
  Error: The process '/usr/bin/git' failed with exit code 1

What should I do to resolve this error?

Why This Failed

This error is caused by insufficient git configs for insteadOf. Let's see logs before fetching submodules:

Setting up auth for fetching submodules
  /usr/bin/git config --global http.https://example.com/.extraheader AUTHORIZATION: basic ***
  /usr/bin/git config --global --unset-all url.https://example.com/.insteadOf
  /usr/bin/git config --global --add url.https://example.com/.insteadOf git@example.com:
  /usr/bin/git config --global --add url.https://example.com/.insteadOf org-1504@github.com:

Here actions/checkout@v3 configures HTTPS instead of SSH for our GHES, but not for github.com. This is because our GITHUB_SERVER_URL is set to example.com. See the following codes.

• checkout/src/git-source-provider.ts

  Lines 200 to 204 in e6d535c

  	if (settings.submodules) {
  	// Temporarily override global config
  	core.startGroup('Setting up auth for fetching submodules')
  	await authHelper.configureGlobalAuth()
  	core.endGroup()

• checkout/src/git-auth-helper.ts

  Lines 134 to 140 in e6d535c

  	// Configure HTTPS instead of SSH
  	await this.git.tryConfigUnset(this.insteadOfKey, true)
  	if (!this.settings.sshKey) {
  	for (const insteadOfValue of this.insteadOfValues) {
  	await this.git.config(this.insteadOfKey, insteadOfValue, true, true)
  	}
  	}

• checkout/src/git-auth-helper.ts

  Lines 65 to 72 in e6d535c

  	// Instead of SSH URL
  	this.insteadOfKey = `url.${serverUrl.origin}/.insteadOf` // "origin" is SCHEME://HOSTNAME[:PORT]
  	this.insteadOfValues.push(`git@${serverUrl.hostname}:`)
  	if (this.settings.workflowOrganizationId) {
  	this.insteadOfValues.push(
  	`org-${this.settings.workflowOrganizationId}@github.com:`
  	)
  	}

• checkout/src/url-helper.ts

  Lines 22 to 28 in e6d535c

  	export function getServerUrl(url?: string): URL {
  	let urlValue =
  	url && url.trim().length > 0
  	? url
  	: process.env['GITHUB_SERVER_URL'] || 'https://github.com'
  	return new URL(urlValue)
  	}

• And https://docs.github.com/en/enterprise-server@3.5/actions/learn-github-actions/environment-variables says GITHUB_SERVER_URL is set to "The URL of the GitHub Enterprise Server server. For example: https://[hostname]."

How to Reproduce

Click here to see steps to reproduce the above error

1. Create a repository on GHES and run git submodule add for a repository on github.com, using SSH URL. Also you can add a repository on GHES as a submodule. Then commit .gitmodules and the submodules.

   [submodule "example"]
   	path = example
   	url = git@github.com:nekketsuuu/example.git
   [submodule "another-example"]
   	path = another-example
   	url = git@example.com:nekketsuuu/another-example.git

2. Create a workflow using actions/checkout@v3 to checkout a repository including submodules.

   name: Pull Request CI
   on: [pull_request]
   jobs:
     example:
       runs-on: [self-hosted, ecs-runner]
       steps:
         - uses: actions/checkout@v3
           with:
             submodules: recursive

3. Run the workflow.

Environment:

• GitHub Enterprise Server 3.5.1

• GitHub Actions on self-hosted runner on Amazon ECS

• git version 2.25.1

• Run actions/checkout@v3 with

  submodules: recursive
  repository: nekketsuuu/some-repository
  token: ***
  ssh-strict: true
  persist-credentials: true
  clean: true
  fetch-depth: 1
  lfs: false
  set-safe-directory: true
  

Related Issue

#488

[nekketsuuu]

Workaround

We can avoid this behavior by using HTTPS URL in .gitmodules if you just want to read submodule repositories and the repositories are public on github.com.

 [submodule "example"]
        path = example
-       url = git@github.com:nekketsuuu/example.git
+       url = https://github.com/nekketsuuu/example.git

[yedidyas]

Anything new with this issue?