Clone private submodule for public project


I’m using drone 0.8.2 and I try to test a repository that has a private submodule.
My .drone.yml config is the following:

    image: plugins/git                                                          
    recursive: true                                                             

And the output is

+ git init
Initialized empty Git repository in /drone/src/
+ git remote add origin
+ git fetch --no-tags origin +refs/heads/docs:
 * branch            docs       -> FETCH_HEAD
 * [new branch]      docs       -> origin/docs
+ git reset --hard -q 66845f079457b1a61afc3fc10e3aa24ea6dcbb5d
+ git config --global
+ git submodule update --init --recursive
Cloning into '/drone/src/'...
fatal: could not read Username for '': No such device or address
fatal: clone of '' into submodule path '/drone/src/' failed
exit status 128

I have to mention that the repository is public, only the submodule is private.
I also tried to do some debugging and I ended up with:


+ cat /root/.netrc
cat: can't open '/root/.netrc': No such file or directory
exit code 1

Do you have some ideas? How can I debug this further?

[EDITED]: clean up output

I have to mention that the repository is public, only the submodule is private.

Drone only provides github credentials to private repositories (eg the netrc file). It does not provide github credentials to public repositories because a) they are not needed to clone public projects and b) for security reasons.

You cannot, therefore, clone a private submodule using the default clone plugin when the main repository is public. You will have to consider alternate approaches. Here are a few ideas you can consider:

  1. Create a custom clone plugin that uses secrets to provide the necessary credentials to clone your private submodule
  2. Disable cloning submodules in the default clone plugin. Add a pipelineline step that clones your submodule. You will need to use secrets to provide this pipeline step with an ssh key. (example below)
kind: pipeline
name: default

  disable: true

  - name: clone
    image: golang
        from_secret: SSH_KEY
      # write the ssh key to disk
      - mkdir /root/.ssh
      - echo -n "$SSH_KEY" > /root/.ssh/id_rsa
      - chmod 600 /root/.ssh/id_rsa

      # add github to known hosts
      - touch /root/.ssh/known_hosts
      - chmod 600 /root/.ssh/known_hosts
      - ssh-keyscan -H > /etc/ssh/ssh_known_hosts 2> /dev/null

      # pull the git submodules
      - git submodule update --init
      - git submodule update --init --recursive

Note that you should proceed with caution here. Your repository is public which means someone could send you a pull requests that attempts to expose and steal your private code or your ssh key.

1 Like


Thanks for your answer!