Issue
Let’s say you have a repository which has a private repository (submodule) inside it (dependency). You want to access this private repository in your CI/CD pipeline, but how?
Let’s dive into the solution.
Solution
In our case we have a public repository (parent) which has a private repository (submodule) inside it. The goal is to access the private repository in our CI/CD pipeline. We will use GitHub Actions as our CI/CD pipeline.
- Generate SSH Key: Generate a new ed25519 SSH key pair without a passphrase. This key will be used to access the private repository. What ssh-agent doesn’t mention is that the key must be generated with the -C option, which adds a comment to the key. This comment should be the URL of the private repository you want to access.
- Add Private Key to Parent Repository: Add the private key as a Secret to the parent repository. This will allow the CI/CD pipeline to access the private key. Let’s name it SSH_PRIVATE_KEY.
- Add Public Key to Submodule: Add the public key to the Deploy Keys of the private repository (submodule). This will allow the CI/CD pipeline to access the private repository using the private key. Name it Deploy Key.
- Configure CI/CD Pipeline: In the deploy.yml, add the usage of ssh-agent to load the private key and then check out the repository with the submodule using SSH. In my case, it’s:
```yaml
jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      # start ssh-agent & load the key
      - name: Load SSH key
        uses: webfactory/ssh-agent@v0.9.1
        with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}

      - name: Checkout source and submodules
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          submodules: recursive # here we load the submodule
      # ...
```
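The key generation step above, as an added shell example that is not part of the original post: it creates the passphrase-less ed25519 pair with the repository URL as its comment and checks the public half before it is pasted into Deploy Keys. The repository URL, the key file name and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# SUBMODULE_URL is a hypothetical placeholder for the private submodule's SSH URL.
SUBMODULE_URL="git@github.com:example-org/private-submodule.git"

# Create an ed25519 key pair with an empty passphrase (-N "") and the
# repository URL as the key comment (-C).
# $1 = path for the private key, $2 = repository URL used as comment
generate_deploy_key() {
  ssh-keygen -q -t ed25519 -N "" -C "$2" -f "$1"
}

# Verify a public key file before registering it as a deploy key:
# the type must be ssh-ed25519 and the comment must equal the repository URL.
# $1 = path to the .pub file, $2 = expected repository URL
check_deploy_pubkey() {
  dk_type="" dk_blob="" dk_comment=""
  # A .pub file is one line: <type> <base64 key data> <comment>
  read -r dk_type dk_blob dk_comment < "$1" || true
  [ "$dk_type" = "ssh-ed25519" ] || {
    echo "unexpected key type: '$dk_type'" >&2; return 1; }
  [ -n "$dk_blob" ] || {
    echo "missing key data in $1" >&2; return 1; }
  [ "$dk_comment" = "$2" ] || {
    echo "key comment '$dk_comment' does not match $2" >&2; return 1; }
}

# Usage: sh deploy-key.sh --generate [key path]
if [ "${1:-}" = "--generate" ]; then
  key_path="${2:-./submodule_deploy_key}"
  generate_deploy_key "$key_path" "$SUBMODULE_URL" &&
    check_deploy_pubkey "$key_path.pub" "$SUBMODULE_URL" &&
    echo "Secret SSH_PRIVATE_KEY <- $key_path ; Deploy Keys <- $key_path.pub"
  # Because the key has no passphrase, delete the local private key file
  # once it is stored as a secret. GitHub deploy keys are read-only unless
  # write access is explicitly allowed, which a checkout does not need.
fi
```
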