Organization ssh url will not support submodule checkout #570

Closed
bauergeorg opened this issue Aug 24, 2021 · 10 comments · Fixed by #621
@bauergeorg

If you have a repository with submodules of your own organization linked with organization-ssh-url: the checkout will fail!

In detail:
A few weeks ago github changed the ssh-clone-url from: git@github.com:my-org/my-repo.git into org-git12345678@github.com:my-org/my-repo.git. If you generate a repo with submodules linked by the org-ssh-url style, your recursive checkout of the submodule will fail with the following messages:

  • fatal: Could not read from remote repository.
  • fatal: clone of 'org-12345678@github.com:my-org/my-repo.git' into 'home/...' failed.

Extract of the workflow-file:

      - name: Checkout with submodules
        uses: actions/checkout@v2
        with:
          token: ${{ secrets.CI_PAT }} # is a secret that contains our PAT
          submodules: recursive

Some background info:
I asked the support why they changed the git- into the org-12345678-option months ago.

This change was made to allow users to have a different SSH configuration for organization repositories, as users may use different keys or different accounts for organization repositories.
It is possible to allow org-12345678-options
I asked if it is possible to change the clone-url back into the git-option. Or to set a default in my organization.

There's no way to change the URL displayed by default, but you can still use the git@ URL if you don't need an organization-specific configuration.

To replace the "org-12345678" with "git" is only a workaround. I generated a script which checks all ".gitsubmodule"-files in my organization and reports to me. It feels a little crazy...

Proposal:
In the readme you comment:

When the ssh-key input is not provided, SSH URLs beginning with git@github.com: are converted to HTTPS.

Is there an option to convert org-12345678-urls?

@ericsciple
Contributor

@bauergeorg could you clarify the following statement:

A few weeks ago github changed the ssh-clone-url from: git@github.com:my-org/my-repo.git into org-git12345678@github.com:my-org/my-repo.git.

I am not aware of anything that changed on the service. Did your checked-in submodule configuration change in your repo?

@bauergeorg
Author

@ericsciple If you copy the ssh url of your organization repo, the displayed ssh url starts with "org-12345678@github.com". In the past it started with "git@github.com". (I think they changed that around May '21.)

See screenshot below:

image

If you checkout a single repo without submodules both work. But if you have an "org"-format in your ".submodules" file it won't work. You have to change it into "git@github.com"-style.

@bauergeorg
Author

@ericsciple

Did your checked-in submodule configuration change in your repo?

No. ".gitsubmodules" in this style works:

[submodule "example1"]
	path = example1
	url = git@github.com:my-org/example1.git
[submodule "example2"]
	path = example2
	url = git@github.com:my-org/example2.git

And in this style it won't work:

[submodule "example1"]
	path = example1
	url = org-12345678@github.com:my-org/example1.git
[submodule "example2"]
	path = example2
	url = org-12345678@github.com:my-org/example2.git

@ericsciple
Contributor

@bauergeorg can you confirm you are not providing the input ssh-key? When not provided, the checkout action will only convert submodule URLs like git@github.com: to https://. From the docs:

    # Whether to checkout submodules: `true` to checkout submodules or `recursive` to
    # recursively checkout submodules.
    #
    # When the `ssh-key` input is not provided, SSH URLs beginning with
    # `git@github.com:` are converted to HTTPS.
    #
    # Default: false
    submodules: ''

It's strange that the clone URL in the UI is different for you. Mine are always like git@github.com. I can reach out to folks from the repos team to understand why yours are different.

@ericsciple
Contributor

ericsciple commented Aug 31, 2021

@bauergeorg i learned the format org-<NUMBER>@github.com: is used when ssh certificate authentication is enabled

from the git docs, it doesn't look like insteadOf supports globs/regexes. However we might be able to construct the value from the info in the GitHub event payload.

Can you add the following step to one of your workflows and confirm whether .repository.owner.id. matches the org-<NUMBER>@github.com: value?

      - name: Dump github.event context
        env:
          GITHUB_CONTEXT: ${{ toJson(github.event) }}
        run: echo "$GITHUB_CONTEXT"

@bauergeorg
Author

Sorry for late answer:

can you confirm you are not providing the input ssh-key

Yes, of course I activated SSH certificate authentication. But it's not required.

Can you add the following step to one of your workflows and confirm whether .repository.owner.id. matches the org-@github.com: value?

Yes the number matches!

{
  "organization": {...},
  "ref": "refs/heads/main",
  "repository": {
    ...
    "owner": {
      ...
      "id": 79205061,
      "login": "rohmanngmbh",
      ...
    },
    ...
  },
  "sender": {
  ...
  },
  "workflow": ".github/workflows/main.yml"
}
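
Why the `org-<NUMBER>@github.com:` prefix needs its own rewrite rule, as an added example that is not part of the thread or the checkout action's code: git's `url.<base>.insteadOf` matches literal prefixes, so a rule for `git@github.com:` leaves the org-style URL on SSH until a second rule built from the owner id is added. It assumes `git` is on the PATH; the owner id is the one from the payload above and the repository URLs are constructed samples.

```shell
#!/usr/bin/env bash
set -euo pipefail

# Isolated, throwaway git config: nothing here touches the real ~/.gitconfig.
HOME="$(mktemp -d)"; export HOME
export GIT_CONFIG_NOSYSTEM=1
unset XDG_CONFIG_HOME

# Owner id from the event payload quoted in the thread; URLs are constructed.
OWNER_ID=79205061
ORG_URL="org-${OWNER_ID}@github.com:my-org/example1.git"
GIT_URL="git@github.com:my-org/example1.git"

# insteadOf compares literal prefixes, so each SSH user needs its own entry.
# --add keeps earlier values on the same key instead of overwriting them.
add_rewrite() {
  git config --global --add url."https://github.com/".insteadOf "$1"
}

# Print the URL git would actually use, without contacting the remote.
effective_url() {
  git ls-remote --get-url "$1"
}

# Only the documented git@github.com: rule is present.
add_rewrite "git@github.com:"
BEFORE="$(effective_url "$ORG_URL")"   # org- URL stays on SSH

# Add the rule built from the owner id.
add_rewrite "org-${OWNER_ID}@github.com:"
AFTER="$(effective_url "$ORG_URL")"    # org- URL now resolves to HTTPS

printf 'git@ rule only : %s\n' "$BEFORE"
printf 'with org- rule : %s\n' "$AFTER"
printf 'git@ URL       : %s\n' "$(effective_url "$GIT_URL")"
```

`git ls-remote --get-url` is also a quick way to check, on a runner or a workstation, which submodule URLs in a checked-in configuration will still go out over SSH.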

@ericsciple
Contributor

draft pr here

i need to do some e2e testing

@bauergeorg
Author

@ericsciple thanks a lot!

@ericsciple
Contributor

just released v2.4.0, pushing the v2 tag forward now...

@cilasbeltrame

hello @ericsciple for me still not working with the below config

[submodule "example1"]
	path = example1
	url = git@github.mydomain.com:my-org/example1.git

the only difference is that we have an additional name, it's GH Enterprise, I have git app with token, so I'd like to use HTTPS, it's trying to use ssh and we got access denied.

can you help with that?
