Checkout git submodule in Azure Pipeline with SSH

问题

I try to checkout the git submodules via ssh instead of https (default if you use "Checkout submodules") in an Azure DevOps Pipeline. With the option in the picture it works - but for the developers it's annoying to enter the password all the time if they are working with the repository.

For that I used the following instructions to add the ssh key. I created a public and a private key, and copied the known_host entry.

That's my YAML file snippet:

stages:
- stage: DeployBackend
jobs:
  - job: SSH
    steps:
      - task: InstallSSHKey@0
        inputs:
          knownHostsEntry: $(known_host)
          sshPublicKey: $(public_key)
          sshKeySecureFile: 'private_key_file'
  - job: Deploy
    steps:
      - checkout: self
        submodules: true
      - script: |
          -- here I run all docker commands to build the container and push it to Azure --
        displayName: "Deploy"

If I use the SSH keys to clone the repository to my local computer I have no issues. But if I run the pipeline it will crash at the submodule checkout:

Please make sure you have the correct access rights and the repository exists. fatal: clone of 'git@ssh.dev.azure.com:v3/repoLink' into submodule path '/home/vsts/work/1/s/app/submoduleFolder' failed Failed to clone 'app/submoduleFolder'. Retry scheduled Cloning into '/home/vsts/work/1/s/app/submoduleFolder'... Host key verification failed. fatal: Could not read from remote repository.

That's the .gitmodules file in the repo - it works without any issues locally:

[submodule "app/subModuleName"]
    path = app/subModuleName
    url = git@ssh.dev.azure.com:v3/***/subModuleName
    branch = master

I even wrote the id_rsa, known_hosts and id_rsa.pub files into .ssh with a script, but it seems like they are not even used for ssh verification.

回答1:

The solution is to do all the tasks in one job. Variables are not shared between different job instances.

This works:

jobs:
    - job: jobName
      steps:
        - task: AzureKeyVault@1
          inputs:
            azureSubscription: '***'
            KeyVaultName: '***'
          displayName: "Read Secrets from KeyVault"
        - task: InstallSSHKey@0
          inputs:
            knownHostsEntry: $(known_host)
            sshPublicKey: $(public_key)
            sshKeySecureFile: 'private_key_file'
          displayName: "Create SSH files"
        - script: |
            git clone --recurse-submodules git@ssh.dev.azure.com:v3/****
            git submodule update --init --recursive
            docker login -u $(userName) -p $(password) ***
            docker build ****
            docker push ****
          displayName: "Build and Push Docker Container"

来源：https://stackoverflow.com/questions/58862131/checkout-git-submodule-in-azure-pipeline-with-ssh