Git submodules cannot be checked-out / updated with CI token
This re-hashes what is at https://github.com/gitlabhq/gitlab-ci/issues/332.
Currently, it is very difficult to set up GitLab CI for a project that uses git submodules which cannot be cloned publicly.
There are two problems that prevent this from working automatically:
1) If you stick with SSH, you'll need to

    $ ssh-keyscan -H $GITLAB_URL >> ~gitlab_ci_runner/.ssh/known_hosts

otherwise your runner machine won't like the gitlab host key. (See 413.) Even after doing that, however (for a private repo), you won't have permission to clone. You can add the runner's public key to the project as a deploy key, but that feels like a hack to me, considering the effort was made to add the gitlab-ci-token in the first place.
The better solution, in my opinion, would be to use `git submodule init`, followed by a `git submodule foreach --recursive`, which performs the same `git remote set-url` as the existing generated scripts. That, however, leads us to the second problem:
2) GitLab will not allow you to use a (per-project) `gitlab-ci-token` to clone a different project. So our solution in 1) would not work. I'm not entirely sure how this actually works (GitLab allowing a gitlab-ci-token to be used to clone a project under CI), so I don't know what to suggest as a solution.
Links / References
- Issue for underlying permission challenge: https://gitlab.com/gitlab-org/gitlab-ce/issues/18994
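
The URL rewrite described under 1), sketched as an added example; it is not part of the original issue and not GitLab's generated build script. The function names, the host and the token argument are hypothetical, and it rewrites the URLs that `git submodule init` records in `.git/config` rather than calling `git remote set-url` in each submodule. It does not address problem 2): the server still decides whether the token may read the other project.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not GitLab's own build script.

# to_token_url HOST TOKEN URL
# Rewrite an SSH remote on HOST to HTTPS with gitlab-ci-token credentials.
# A URL on any other host is returned unchanged, so the token is never
# sent to a server other than HOST.
to_token_url() {
    host=$1
    token=$2
    url=$3
    case $url in
        "ssh://git@$host/"*) path=${url#"ssh://git@$host/"} ;;
        "git@$host:"*)       path=${url#"git@$host:"} ;;
        *) printf '%s\n' "$url"; return 0 ;;
    esac
    printf 'https://gitlab-ci-token:%s@%s/%s\n' "$token" "$host" "$path"
}

# rewrite_submodule_urls HOST TOKEN
# Run in the superproject after `git submodule init` and before
# `git submodule update`. Assumes submodule names contain no spaces.
rewrite_submodule_urls() {
    git config --get-regexp '^submodule\..*\.url$' |
    while read -r key url; do
        git config "$key" "$(to_token_url "$1" "$2" "$url")"
    done
}

# Intended order in a build step (host and token variable are placeholders):
#   git submodule init
#   rewrite_submodule_urls gitlab.example.com "$CI_TOKEN"
#   git submodule update
```

The rewritten URLs, including the token, are stored in the `.git/config` of the build directory, so this only suits a throwaway CI checkout that is not archived or shared.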