Clone private submodule for public project

Hi,

I’m using Drone 0.8.2 and I’m trying to test a repository that has a private submodule.
My .drone.yml config is the following:

clone:
  default:
    image: plugins/git
    recursive: true
    submodule_override:
      docs-theme: https://github.com/PressLabs/docs-theme.git

pipeline:
...

And the output is

+ git init
Initialized empty Git repository in /drone/src/github.com/PressLabs/gitfs/.git/
+ git remote add origin https://github.com/PressLabs/gitfs.git
+ git fetch --no-tags origin +refs/heads/docs:
From https://github.com/PressLabs/gitfs
 * branch            docs       -> FETCH_HEAD
 * [new branch]      docs       -> origin/docs
+ git reset --hard -q 66845f079457b1a61afc3fc10e3aa24ea6dcbb5d
+ git config --global submodule.docs-theme.url https://github.com/PressLabs/docs-theme.git
+ git submodule update --init --recursive
Cloning into '/drone/src/github.com/PressLabs/gitfs/docs-theme'...
fatal: could not read Username for 'https://github.com': No such device or address
fatal: clone of 'https://github.com/PressLabs/docs-theme.git' into submodule path '/drone/src/github.com/PressLabs/gitfs/docs-theme' failed
exit status 128

I have to mention that the repository is public, only the submodule is private.
I also tried to do some debugging and I ended up with:

+ echo $DRONE_REPO_PRIVATE

+ cat /root/.netrc
cat: can't open '/root/.netrc': No such file or directory
exit code 1

Do you have some ideas? How can I debug this further?

[EDITED]: clean up output

> I have to mention that the repository is public, only the submodule is private.

Drone only provides GitHub credentials to private repositories (e.g. the netrc file). It does not provide GitHub credentials to public repositories because a) they are not needed to clone public projects and b) for security reasons.

You cannot, therefore, clone a private submodule using the default clone plugin when the main repository is public. You will have to consider alternate approaches. Here are a few ideas you can consider:

  1. Create a custom clone plugin that uses secrets to provide the necessary credentials to clone your private submodule
  2. Disable cloning submodules in the default clone plugin. Add a pipeline step that clones your submodule. You will need to use secrets to provide this pipeline step with an ssh key. (example below)
kind: pipeline
name: default

clone:
  disable: true

steps:
  - name: clone
    image: golang
    environment:
      SSH_KEY:
        from_secret: SSH_KEY
    commands:
      # the default clone is disabled above, so fetch the main repository first
      - git clone "$DRONE_GIT_HTTP_URL" .
      - git checkout "$DRONE_COMMIT"

      # write the ssh key to disk
      - mkdir -p /root/.ssh
      - echo -n "$SSH_KEY" > /root/.ssh/id_rsa
      - chmod 600 /root/.ssh/id_rsa

      # add github to known hosts
      - touch /root/.ssh/known_hosts
      - chmod 600 /root/.ssh/known_hosts
      - ssh-keyscan -H github.com > /etc/ssh/ssh_known_hosts 2> /dev/null

      # pull the git submodules
      - git submodule update --init
      - git submodule update --init --recursive

Note that you should proceed with caution here. Your repository is public which means someone could send you a pull request that attempts to expose and steal your private code or your ssh key.

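A guarded version of the key-handling commands from the step above, as an added example that is not part of the original answer: it refuses to install the key on pull request builds (checked through Drone's `DRONE_BUILD_EVENT` variable), handles an empty secret, and writes a pinned host key instead of running `ssh-keyscan`. `PINNED_KNOWN_HOSTS` and the script name `fetch-submodule.sh` are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. PINNED_KNOWN_HOSTS is a hypothetical
# secret holding a known_hosts line for github.com that you verified yourself.

# Write $SSH_KEY to DIR/id_rsa, but never on pull request builds.
install_deploy_key() {
    ssh_dir=$1
    # Pull requests run code the repository owner has not reviewed.
    if [ "${DRONE_BUILD_EVENT:-}" = "pull_request" ]; then
        echo "pull request build: deploy key not installed" >&2
        return 2
    fi
    # Stop early when the secret is unset or empty.
    if [ -z "${SSH_KEY:-}" ]; then
        echo "SSH_KEY is empty: secret missing or not exposed" >&2
        return 3
    fi
    # Create the directory and key under a restrictive umask so the key
    # is never group- or world-readable, even briefly.
    ( umask 077 && mkdir -p "$ssh_dir" &&
      printf '%s\n' "$SSH_KEY" > "$ssh_dir/id_rsa" ) || return 1
    chmod 700 "$ssh_dir" && chmod 600 "$ssh_dir/id_rsa"
}

# Use a pinned host key instead of trusting ssh-keyscan output at build time.
install_known_hosts() {
    ssh_dir=$1
    [ -n "${PINNED_KNOWN_HOSTS:-}" ] || return 3
    ( umask 077 && printf '%s\n' "$PINNED_KNOWN_HOSTS" > "$ssh_dir/known_hosts" )
}

main() {
    if install_deploy_key "$HOME/.ssh" && install_known_hosts "$HOME/.ssh"; then
        git submodule update --init --recursive
    else
        echo "skipping private submodule" >&2
    fi
}

# Run only when invoked as: sh fetch-submodule.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

In the pipeline step, the script would replace the inline key and known-hosts commands and be called with the `run` argument.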

Awesome!

Thanks for your answer!