-
Notifications
You must be signed in to change notification settings - Fork 575
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fails because of no rights in private submodule #737
Comments
Looking at the failure, this would probably be better opened as a feature request for BuildKit; https://github.com/moby/buildkit (unless BuildKit already has an option to ignore submodules) |
@neumann-nico Looking at the logs, an SSH-based auth is required for your submodules:
We do support this moby/buildkit#1782 and I think you just have to set
That's interesting, can you show the logs of the checkout action? Maybe this action will fallback to http auth if ssh fails and therefore use the github token? Slightly related to #638 (comment). |
We also need to document git context auth in our docs: https://docs.docker.com/build/building/context/#git-repositories |
@crazy-max I think the request is to skip the submodule; so currently it works if you pass credentials for |
Thank you for your replies!
I guess you are right: Setting up auth for fetching submodules
/usr/bin/git config --global http.https://github.com/.extraheader AUTHORIZATION: basic ***
/usr/bin/git config --global --unset-all url.https://github.com/.insteadOf
/usr/bin/git config --global --add url.https://github.com/.insteadOf [email protected]:
/usr/bin/git config --global --add url.https://github.com/.insteadOf org-[...]@github.com:
Fetching submodules
/usr/bin/git submodule sync --recursive
/usr/bin/git -c protocol.version=2 submodule update --init --force --depth=1 --recursive
Submodule '[...]/[...]' ([email protected]:[...]/[...].git) registered for path '[...]/[...]'
Cloning into '/home/runner/work/[...]/[...]/[...]/[...]'...
Submodule path '[...]/[...]': checked out '[sha]'
Persisting credentials for submodules
/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'url\.https\:\/\/github\.com\/\.insteadOf' && git config --local --unset-all 'url.https://github.com/.insteadOf' || :
Entering '[...]/[...]'
/usr/bin/git submodule foreach --recursive git config --local 'http.https://github.com/.extraheader' 'AUTHORIZATION: basic ***' && git config --local --show-origin --name-only --get-regexp remote.origin.url
Entering '[...]/[...]'
/usr/bin/git submodule foreach --recursive git config --local --add 'url.https://github.com/.insteadOf' '[email protected]:'
Entering '[...]/[...]'
/usr/bin/git submodule foreach --recursive git config --local --add 'url.https://github.com/.insteadOf' 'org-[...]@github.com:'
Entering '[...]/[...]' |
Looks like this is what we need in BuildKit. cc @tonistiigi |
I'm experiencing the exact same issue @crazy-max. However, I do need submodules for the build and cannot use ssh key. Is there a workaround for this? |
I am also expiring the same |
@kalanyuz @keleutos2022 While waiting for #737 (comment) to be implemented on buildkit you can use the checkout action and path context as shown here: https://github.com/docker/build-push-action#path-context |
Thank you |
So worth noting that just following the process of the actions/checkout module to use https with the token isn't going to be the silver bullet. That will only work for submodules where that actor has access to that repo via https. There's cases where submodules are only accessible via GitHub deploy keys (which are ssh keys). There's also cases where a submodule could be hosted at a GitHub Enterprise server and this won't work. e.g. actions/checkout#934 |
this is now documented: https://docs.docker.com/build/building/context/#private-repositories For #737 (comment), will follow-up on BuildKit repo. Closing in the meantime. |
Behaviour
I am trying to build a docker image and push it to AWS ECR. Before I had the private submodule included into my git repository it worked perfectly. Now I included a private submodule which has further public submodules. And I get the error, that it has no rights to clone the submodule. Using the checkout action and providing a Personal Access Token it works fine.
I don't need the submodule for building the docker image, so I also would be fine to disable cloning the submodule.
Steps to reproduce this issue
docker/build-push-action@v3
stepExpected behaviour
Actual behaviour
Configuration
Logs
The text was updated successfully, but these errors were encountered: