Explicitly do not recurse submodules on fetch
Summary
When gitlab-runner is calling git fetch
it may recurse into submodules if the git configuration submodule.recurse
is set to true. This will occur before git submodule sync
has been called, causing the origin URLs to be incorrect since the CI_TOKEN has not yet been updated.
Steps to reproduce
- Create a private repo in gitlab, that has a private submodule in the same gitlab.
- Add a step to your build that runs
git config submodule.recurse true
- Run your pipeline.
- Wait for the token to expire.
- Run your pipeline again. You will get a
remote: HTTP Basic: Access denied
since the token is old.
Actual behavior
The initial git fetch
will fail on attempting to fetch the submodules.
Expected behavior
git fetch
should not attempt to recurse into submodules.
Environment description
This is on a custom runner. Using the "shell" executor.
Used GitLab Runner version
13.10.0 linux/amd64
Possible fixes
I would suggest adding fetchArgs = append(fetchArgs, "--no-recurse-submodules")
to here https://gitlab.com/gitlab-org/gitlab-runner/-/blob/master/shells/abstract.go#L362. I believe this would also allow us to delete the fetch config for recurse submodules https://gitlab.com/gitlab-org/gitlab-runner/-/blob/master/shells/abstract.go#L362.
Current workaround
Currently, to workaround this I have added the following to my .gitlab-ci.yml.
variables:
# Needed to prevent gitlab-runner from trying to fetch submodules before
# there origins have been updated with git submodule sync
GIT_FETCH_EXTRA_FLAGS: "--no-recurse-submodules"