Skip to content

git submodule lfs pull does not follow GIT_SUBMODULE_FORCE_HTTPS context

Summary

When using GIT_SUBMODULE_FORCE_HTTPS, all git submodule clone operations are extended with a git url rewrite configuration context. It is working great. Yet, submodules recursive lfs pulls are not extended with this rewrite, and therefore are not working as intended.

Steps to reproduce

  • Have a project using a submodule with lfs references in it.
  • configure GIT_SUBMODULE_FORCE_HTTPS=true to inherit CI_JOB_TOKEN forwaring
  • configure GIT_SUBMODULE_STRATEGY=recursive
.gitlab-ci.yml 
variables:
  GIT_SUBMODULE_STRATEGY: recursive
  GIT_SUBMODULE_FORCE_HTTPS: "true"
build:
  script:
    - echo "Hi"

Actual behavior

Pipeline will fail to clone the repo, as it cannot retrieve lfs reference in the submodule.

Expected behavior

Pipeline will successfully clone and run.

Relevant logs and/or screenshots

job log 
HEAD is now at eac0ccb Somecomit
++ git -c url.https://gitlab-ci-token:[MASKED]@git.mycompanydev.net.insteadOf=https://git.mycompanydev.net -c url.https://gitlab-ci-token:[MASKED]@git.mycompanydev.net/.insteadOf=git@git.mycompanydev.net: -c url.https://gitlab-ci-token:[MASKED]@git.mycompanydev.net.insteadOf=ssh://git@git.mycompanydev.net submodule update --init --recursive --depth 20
++ git submodule foreach --recursive 'git clean -ffxd'
Entering 'cmake/Hunter/gate'
Entering 'src/MobileApps/EY2/EY2_resources'
Entering 'src/MobileApps/EY2/EY2_resources/trdDownloader/mobile-app-traductions-scripts'
Entering 'src/MobileApps/MobileAppResources'
Entering 'src/MobileApps/NVB/resources'
Entering 'src/MobileApps/NVB/resources/trdDownloader/mobile-app-traductions-scripts'
++ git lfs version
++ git submodule foreach --recursive 'git lfs pull'
Entering 'cmake/Hunter/gate'
Entering 'src/MobileApps/EY2/EY2_resources'
Entering 'src/MobileApps/EY2/EY2_resources/trdDownloader/mobile-app-traductions-scripts'
Entering 'src/MobileApps/MobileAppResources'
fatal: could not read Username for 'https://git.mycompanydev.net': No such device or address
batch response: Git credentials for https://git.mycompanydev.net/develsoft/mobileappsresources.git not found.
Failed to fetch some objects from 'https://git.mycompanydev.net/develsoft/mobileappsresources.git/info/lfs'
fatal: run_command returned non-zero status for src/MobileApps/MobileAppResources

Environment description

I use a self hosted gitlab 15.11/ runner 15.11 (docker and ssh executor)

config.toml contents 
concurrent = 4
check_interval = 0

[session_server]
  session_timeout = 1800

[[runners]]
  output_limit = 30720 # 30Mo logs limit
  name = "docker-metal-ns3198026"
  url = "https://git.mycompanydev.net"
  executor = "docker"
  builds_dir = "/var/data/gitlab-runner/builds"
  environment = ["DOCKER_DRIVER=aufs"]

  pre_clone_script = " set -x;"
  [runners.custom_build_dir]
  [runners.cache]
    [runners.cache.s3]
    [runners.cache.gcs]
    [runners.cache.azure]
  [runners.docker]
    tls_verify = false
    image = "node:8"
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/var/data/gitlab-runner/builds:/var/data/gitlab-runner/builds", "/var/run/docker.sock:/var/run/docker.sock"]
    shm_size = 838860800

Used GitLab Runner version

Running with gitlab-runner 15.11.0 (436955cb)
Preparing the "docker" executor

Possible fixes

Here https://gitlab.com/gitlab-org/gitlab-runner/-/blob/main/shells/abstract.go#L537


	// Update / initialize submodules
	updateArgs := append(build.GetURLInsteadOfArgs(), "submodule", "update", "--init")
// >> here GetURLInsteadOfArgs is forwarded to submodule update:  GREAT

	foreachArgs := []string{"submodule", "foreach"}
	if recursive {
		updateArgs = append(updateArgs, "--recursive")
		foreachArgs = append(foreachArgs, "--recursive")
	}
	if depth > 0 {
		updateArgs = append(updateArgs, "--depth", strconv.Itoa(depth))
	}
	updateArgs = append(updateArgs, build.GetGitSubmoduleUpdateFlags()...)
	updateArgs = append(updateArgs, pathArgs...)

	// Clean changed files in submodules
	cleanFlags := []string{"-ffdx"}
	if len(build.GetGitCleanFlags()) > 0 {
		cleanFlags = build.GetGitCleanFlags()
	}
	cleanCommand := []string{"git clean " + strings.Join(cleanFlags, " ")}

	w.Command("git", append(foreachArgs, cleanCommand...)...)
	w.Command("git", append(foreachArgs, "git reset --hard")...)
	w.Command("git", updateArgs...)
	w.Command("git", append(foreachArgs, cleanCommand...)...)

	if !build.IsLFSSmudgeDisabled() {
		w.IfCmd("git", "lfs", "version")

		w.Command("git", append(foreachArgs, "git lfs pull")...)
// << here GetURLInsteadOfArgs is NOT forwarded to submodule lfs pull : BAD

		w.EndIf()
	}