Fails because of no rights in private submodule

[neumann-nico]

Behaviour

I am trying to build a docker image and push it to AWS ECR. Before I had the private submodule included into my git repository it worked perfectly. Now I included a private submodule which has further public submodules. And I get the error, that it has no rights to clone the submodule. Using the checkout action and providing a Personal Access Token it works fine.
I don't need the submodule for building the docker image, so I also would be fine to disable cloning the submodule.

Steps to reproduce this issue

1. Run the workflow
2. Crashes at docker/build-push-action@v3 step

Expected behaviour

Should either not clone the submodule or clone it without failing

Actual behaviour

Crashes at docker/build-push-action@v3 step and does not build and publish the image

Configuration

name: Build docker image
on: workflow_dispatch

env:
  AWS_REGION: ...

jobs:
  build:
    name: Build docker image
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}
      - uses: aws-actions/amazon-ecr-login@v1

      # This is not nessessary, but just to show how I use actions/checkout which works fine
      - uses: actions/checkout@v3
        with:
          token: ${{ secrets.PERSONAL_ACCESS_TOKEN_GITHUB }}
          submodules: recursive

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Build, tag, and push image to Amazon ECR
        uses: docker/build-push-action@v3
        with:
          push: true
          tags: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com/...:latest
          file: docker/.../Dockerfile
          platforms: linux/amd64,linux/arm64
          github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN_GITHUB }}

Logs

#1 [internal] load git source https://github.com/[...]/[...].git#[sha]
#0 0.046 Initialized empty Git repository in /var/lib/buildkit/runc-overlayfs/snapshots/snapshots/1/fs/
#0 0.106 fatal: Not a valid object name [sha]^{commit}
#1 5.366 From https://github.com/[...]/[...]
# [lists a lot of branches/tags here]

#1 5.702 Submodule '[...]/[...]' (git@github.com:[...]/[...].git) registered for path '[...]/[...]'
#1 5.706 Cloning into '/var/lib/buildkit/runc-overlayfs/snapshots/snapshots/2/fs/[...]/[...]'...
#1 6.037 Warning: Permanently added 'github.com' (ED25519) to the list of known hosts.
#1 6.209 git@github.com: Permission denied (publickey).
#1 6.209 fatal: Could not read from remote repository.
#1 6.209 
#1 6.209 Please make sure you have the correct access rights
#1 6.209 and the repository exists.
#1 6.210 fatal: clone of 'git@github.com:[...]/[...].git' into submodule path '/var/lib/buildkit/runc-overlayfs/snapshots/snapshots/2/fs/[...]/[...]' failed
#1 6.210 Failed to clone '[...]/[...]'. Retry scheduled
#1 6.212 Cloning into '/var/lib/buildkit/runc-overlayfs/snapshots/snapshots/2/fs/[...]/[...]'...
#1 6.658 git@github.com: Permission denied (publickey).
#1 6.658 fatal: Could not read from remote repository.
#1 6.658 
#1 6.658 Please make sure you have the correct access rights
#1 6.658 and the repository exists.
#1 6.659 fatal: clone of 'git@github.com:[...]/[...].git' into submodule path '/var/lib/buildkit/runc-overlayfs/snapshots/snapshots/2/fs/[...]/[...]' failed
#1 6.660 Failed to clone '[...]/[...]' a second time, aborting
#1 ERROR: failed to update submodules for https://github.com/[...]/[...].git: exit status 1

[thaJeztah]

Looking at the failure, this would probably be better opened as a feature request for BuildKit; https://github.com/moby/buildkit (unless BuildKit already has an option to ignore submodules)

[crazy-max]

@neumann-nico Looking at the logs, an SSH-based auth is required for your submodules:

fatal: clone of 'git@github.com:[...]/[...].git'

We do support this moby/buildkit#1782 and I think you just have to set ssh: default but you also need to set up the ssh agent.

Using the checkout action and providing a Personal Access Token it works fine.

That's interesting, can you show the logs of the checkout action? Maybe this action will fallback to http auth if ssh fails and therefore use the github token? Slightly related to #638 (comment).

[crazy-max]

We also need to document git context auth in our docs: https://docs.docker.com/build/building/context/#git-repositories

[thaJeztah]

@crazy-max I think the request is to skip the submodule; so currently it works if you pass credentials for git, but the request is "what if I don't need the submodule, and don't want to pass credentials"?

[neumann-nico]

Thank you for your replies!
Yes I would be fine with disabling cloning the submodue :)

That's interesting, can you show the logs of the checkout action? Maybe this action will fallback to http auth if ssh fails and therefore use the github token? Slightly related to #638 (comment).

I guess you are right:

Setting up auth for fetching submodules
  /usr/bin/git config --global http.https://github.com/.extraheader AUTHORIZATION: basic ***
  /usr/bin/git config --global --unset-all url.https://github.com/.insteadOf
  /usr/bin/git config --global --add url.https://github.com/.insteadOf git@github.com:
  /usr/bin/git config --global --add url.https://github.com/.insteadOf org-[...]@github.com:

Fetching submodules
  /usr/bin/git submodule sync --recursive
  /usr/bin/git -c protocol.version=2 submodule update --init --force --depth=1 --recursive
  Submodule '[...]/[...]' (git@github.com:[...]/[...].git) registered for path '[...]/[...]'
  Cloning into '/home/runner/work/[...]/[...]/[...]/[...]'...
  Submodule path '[...]/[...]': checked out '[sha]'

Persisting credentials for submodules
  /usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'url\.https\:\/\/github\.com\/\.insteadOf' && git config --local --unset-all 'url.https://github.com/.insteadOf' || :
  Entering '[...]/[...]'

   /usr/bin/git submodule foreach --recursive git config --local 'http.https://github.com/.extraheader' 'AUTHORIZATION: basic ***' && git config --local --show-origin --name-only --get-regexp remote.origin.url
  Entering '[...]/[...]'

  /usr/bin/git submodule foreach --recursive git config --local --add 'url.https://github.com/.insteadOf' 'git@github.com:'
  Entering '[...]/[...]'

   /usr/bin/git submodule foreach --recursive git config --local --add 'url.https://github.com/.insteadOf' 'org-[...]@github.com:'
  Entering '[...]/[...]'

[crazy-max]

  /usr/bin/git config --global --add url.https://github.com/.insteadOf git@github.com:
  /usr/bin/git config --global --add url.https://github.com/.insteadOf org-[...]@github.com:

Looks like this is what we need in BuildKit. cc @tonistiigi

[kalanyuz]

I'm experiencing the exact same issue @crazy-max. However, I do need submodules for the build and cannot use ssh key. Is there a workaround for this?

[keleutos2022]

I am also expiring the same

[crazy-max]

@kalanyuz @keleutos2022 While waiting for #737 (comment) to be implemented on buildkit you can use the checkout action and path context as shown here: https://github.com/docker/build-push-action#path-context

[keleutos2022]

Thank you

[cardoe]

So worth noting that just following the process of the actions/checkout module to use https with the token isn't going to be the silver bullet. That will only work for submodules where that actor has access to that repo via https. There's cases where submodules are only accessible via GitHub deploy keys (which are ssh keys). There's also cases where a submodule could be hosted at a GitHub Enterprise server and this won't work. e.g. actions/checkout#934

[crazy-max]

We also need to document git context auth in our docs: https://docs.docker.com/build/building/context/#git-repositories

this is now documented: https://docs.docker.com/build/building/context/#private-repositories

For #737 (comment), will follow-up on BuildKit repo. Closing in the meantime.