Git submodules cannot be checked-out / updated with CI token
This re-hashes what is at https://github.com/gitlabhq/gitlab-ci/issues/332.
Currently, it is very difficult to set up GitLab CI for a project that uses git submodules which cannot be cloned publicly.
There are two problems that prevent this from working automatically:
1) gitlab-ci-multi-runner doesn't generate any code to handle this. One can add a `git submodule update --init` in the `before_script`, but this is insufficient.
If you stick with SSH, you'll need to `$ ssh-keyscan -H $GITLAB_URL >> ~gitlab_ci_runner/.ssh/known_hosts`, otherwise your runner machine won't like the GitLab host key. (See 413.) Even after doing that, however (for a private repo), you won't have permission to clone. You can add the runner's public key to the project as a deploy key, but that feels like a hack to me, considering the effort was made to add the `gitlab-ci-token` in the first place.
The better solution, in my opinion, would be to use `git submodule init`, followed by a `git submodule foreach --recursive`, which performs the same `git remote set-url` as the existing generated scripts. That, however, leads us to the second problem:
2) GitLab will not allow you to use a (per-project) `gitlab-ci-token` to clone a different project. So our solution in 1) would not work. I'm not entirely sure how this actually works (GitLab allowing a `gitlab-ci-token` to be used to clone a project under CI), so I don't know what to suggest as a solution.
Links / References
- Issue for underlying permission challenge: https://gitlab.com/gitlab-org/gitlab-ce/issues/18994
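
An added sketch of the URL rewrite discussed under problem 1 (not part of the original issue and not GitLab Runner's generated script). It edits the `submodule.<name>.url` entries that `git submodule init` writes instead of calling `git submodule foreach`, because `foreach` only visits submodules that are already checked out. The function names, the `CI_TOKEN` variable and the sample host are assumptions, as is a token that is allowed to read the submodule projects, which is exactly the permission problem 2 describes.

```shell
#!/bin/sh
# Added example; function names and CI_TOKEN are hypothetical.
# Assumes CI_TOKEN may read the submodule projects (see problem 2).

# Map an SSH or HTTPS remote to its token-authenticated HTTPS form.
# Prints the new URL; returns 1 for URL forms it does not recognise.
ci_token_url() {
    url=$1 token=$2
    case $url in
        ssh://*|https://*)
            rest=${url#*://}
            auth=${rest%%/*}; path=${rest#*/}
            host=${auth##*@}                     # drop user / old credentials
            case $url in ssh://*) host=${host%%:*} ;; esac   # drop SSH port
            ;;
        *://*) return 1 ;;                       # other schemes: leave alone
        *@*:*)                                   # scp-style git@host:group/repo.git
            rest=${url#*@}
            host=${rest%%:*}; path=${rest#*:}
            ;;
        *) return 1 ;;                           # local paths and the like
    esac
    printf 'https://gitlab-ci-token:%s@%s/%s\n' "$token" "$host" "$path"
}

# Rewrite the URLs recorded by `git submodule init`, then fetch one level.
# Relative URLs in .gitmodules are already absolute at this point, because
# init resolves them against the superproject's remote.
# Submodule names containing whitespace are not handled.
rewrite_submodule_urls() {
    : "${CI_TOKEN:?CI_TOKEN is not set}"
    git submodule init
    git config --get-regexp '^submodule\..*\.url$' |
    while read -r key url; do
        new=$(ci_token_url "$url" "$CI_TOKEN") || continue
        git config "$key" "$new"
    done
    git submodule update
}
```

The rewritten URLs, token included, are stored in clear text in the job's `.git/config`, so run this only in a workspace that is discarded after the job and keep shell tracing (`set -x`) off around it.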