photo of people on building under construction

dev: submodule organization and dealing with private submodules in GitHub actions

0

One of the cool things that GitHub handles pretty well is changing your company's organization. For instance, if you have a secret name, say Acme, then you create an organization and your main repo could be in git@github.com:acme/src, but what if you want to change your name? Then you just click at the top and you can change the name say to git@github.com:realname/src and it automatically redirects everything.

However this fails in a very particular case, if you have a GitHub action using a private submodule, then there is a tricky case where you might think the "not found" is because of this problem, but in reality, if you are recursively checking out submodules, you also need your personal access token as for security reasons, GitHub actions can only see the main repo. And you have to give that key permission for repo and it must use https: and not git@github.com so pretty inconvenient.

Net, net, you probably do not want your GitHub action to work across submodules. But if you do the trick is that you have to create that Personal Access Token and dynamically change all ssh references to https: references in the action. You then stuff that PAT into the SECRETS vault

The reason is that while you can modify the permissions of the default GITHUB_ACTION_TOKEN, you cannot add the repo permission. So this is all kind of a hack, probably the best thing to do is follow the natural rules of GitHub Actions. That is, just operate in your local repository rather than making it a general-purpose (and therefore dangerous runner) 🙂

Related Posts

This site uses Akismet to reduce spam. Learn how your comment data is processed.