Search code examples
gitjenkinsjenkins-pipelinegit-submodules

How to checkout git submodule with different deploy key in declarative pipeline

I have a project hosted in a Enterprise GitHub instance. The project references a sub module in the same instance.

  • For accessing the main project, I configured the "DeployKey_1" in Github repository.

  • For accessing the submodule project, I configured the "DeployKey_2" in Github repository.

Note: I can't use the same deploy key on GitHub Enterprise: Key Already in Use

The Jenkins Job is defined as Multibranch pipeline and I use the checkout command in the Jenkinsfile:

checkout([
    $class: 'GitSCM',
    branches: scm.branches,
    doGenerateSubmoduleConfigurations: scm.doGenerateSubmoduleConfigurations,
    extensions: [[$class: 'SubmoduleOption', disableSubmodules: false, parentCredentials: false, recursiveSubmodules: true, reference: '', trackingSubmodules: false]],
    userRemoteConfigs: scm.userRemoteConfigs
])

I tried both option: Set parentCredentials: true and parentCredentials: false, but both are resulting in this error when executing the job:

hudson.plugins.git.GitException: Command "git submodule update --init --recursive my-submodule" returned status code 1: stdout: stderr: Cloning into '/private/tmp/workspace/project_develop/my-submodule'... [email protected]: Permission denied (publickey). fatal: Could not read from remote repository.

Please make sure you have the correct access rights and the repository exists. fatal: clone of '[email protected]:myorga/my-submodule.git' into submodule path '/private/tmp/workspace/project_develop/my-submodule' failed Failed to clone 'my-submodule'. Retry scheduled Cloning into '/private/tmp/workspace/project_develop/my-submodule'... [email protected]: Permission denied (publickey). fatal: Could not read from remote repository.

Please make sure you have the correct access rights

Both deploy keys are available on Jenkins. So, how can I checkout the submodules? How can I tell the checkout command to use a specific credentials-id when checking out the submodule?

Solution

  • I think that's to far down to git configuration, and too much of of edge use case for SCM to support that.

    As for options with GitSCM there submoduleCfg, but it only allows you to do as much as set the name and branch of the submodule.

    package hudson.plugins.git;

public class SubmoduleConfig implements java.io.Serializable {
    private static final long serialVersionUID = 1L;
    String   submoduleName;
    String[] branches;

    If you would move from using a key to credentials, then you could update your submodule configuration with hardcoded user/password.

    git submodule init
git config submodule.my_submodule.url "https://username:password@url/my_submodule.git"
git submodule update