How to Use SSH for Git Submodules While Using HTTPS for the Main Repository


This article explains how to connect to specific submodules via SSH while normally using HTTPS for Git connections.

Background

When cloning with Git, there are two methods: HTTPS and SSH. Which one do you use?

I usually connect via HTTPS. Recently, GitHub introduced a new feature called "Fine-grained personal access tokens," which lets you limit the repositories and functions that a personal access token can access, making it more secure compared to SSH connections.

https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/

On the other hand, as of this writing, many people still use SSH connections, so it is common to see submodule references set to SSH.

I will explain how to use HTTPS for your usual work while connecting only to specific repository submodules via SSH.

(I will use a submodule from my portfolio site's repository as an example.)

Generate Key

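First, generate an SSH key for the specific repository. GitHub provides very clear documentation, so I will follow that for the setup. The -f value in the command below is a relative path, and the later commands in this article reference the key as ~/.ssh/github-bicstone-portfolio-submodule, so run ssh-keygen from the ~/.ssh directory.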

(To be honest, I hadn't used the EdDSA algorithm before, but since the documentation recommended it, I'll give it a try.)

https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key

ssh-keygen -t ed25519 -C "github-bicstone-portfolio-submodule" -f "github-bicstone-portfolio-submodule"
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in github-bicstone-portfolio-submodule.
Your public key has been saved in github-bicstone-portfolio-submodule.pub.
The key fingerprint is:
(Omitted)

I was surprised to see that the public key length is indeed shorter when using the EdDSA algorithm, as rumored.

Register Public Key

Register the generated public key on GitHub by referring to the following. Since we won't be pushing from the submodule in this case, uncheck "Allow write access."

https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent

Git Settings

Open the repository where you want to add the target repository as a submodule and execute the following command.

The -c option of git sets a configuration value for that single command only. Since we won't be using SSH for the parent repository, the specific SSH key is referenced only while adding the submodule.

git -c core.sshCommand="ssh -i ~/.ssh/github-bicstone-portfolio-submodule" submodule add git@github.com:bicstone/portfolio-static.git static

Once it has been added successfully, enter the submodule directory.

cd static

Then, make the SSH key reference setting permanent within the submodule.

git config --local core.sshCommand "ssh -i ~/.ssh/github-bicstone-portfolio-submodule"

With this, you have achieved a setup where the main repository uses an HTTPS connection, while the submodule uses an SSH connection with a specific SSH key.

The same process applies when initializing the submodule after cloning the parent repository.

git -c core.sshCommand="ssh -i ~/.ssh/github-bicstone-portfolio-submodule" submodule update --init --recursive
cd static
git config --local core.sshCommand "ssh -i ~/.ssh/github-bicstone-portfolio-submodule"
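
To check the result of the steps above across a whole repository, the following script is an added example (not part of the original article) that lists every submodule in .gitmodules and reports whether it uses HTTPS or SSH, and whether an SSH submodule has its own key set through a local core.sshCommand. The function names and status labels are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example: report which submodules use SSH and whether each one pins
# its own key through a local core.sshCommand, as configured in this article.

# Succeeds for scp-style (git@host:path) and ssh:// URLs.
is_ssh_url() {
    case "$1" in
        ssh://*) return 0 ;;
        http://*|https://*|file://*|/*|./*|../*) return 1 ;;
        *@*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when an ssh command line names an identity file with "-i <file>".
pins_key() {
    case " $1 " in
        *" -i "?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<path> <url> <status>" for each submodule in REPO/.gitmodules.
# status: https | not-initialized | ssh-pinned | ssh-unpinned
audit_submodules() {
    repo=$1
    git config -f "$repo/.gitmodules" --get-regexp '^submodule\..*\.path$' |
    while read -r key path; do
        name=${key#submodule.}
        name=${name%.path}
        url=$(git config -f "$repo/.gitmodules" --get "submodule.$name.url")
        if ! is_ssh_url "$url"; then
            status=https
        elif [ ! -e "$repo/$path/.git" ]; then
            status=not-initialized
        else
            cmd=$(git -C "$repo/$path" config --local --get core.sshCommand || true)
            if pins_key "$cmd"; then status=ssh-pinned; else status=ssh-unpinned; fi
        fi
        printf '%s %s %s\n' "$path" "$url" "$status"
    done
}

# Usage: sh audit.sh /path/to/parent-repo   (script name is hypothetical)
if [ -n "${1:-}" ]; then audit_submodules "$1"; fi
```

A submodule reported as ssh-unpinned falls back to whatever keys ssh selects by default. Note that ssh -i adds the key to the candidates ssh will offer rather than replacing them; appending -o IdentitiesOnly=yes to the command restricts ssh to the named key.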

Summary

While it's best to avoid using submodules if possible, they are quite useful after all. You should all migrate to Fine-grained personal access tokens as well.

It's important, so I'll post it one more time (spreading the word).

https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/
