Git clone fails when running CI on private fork

github

#1

I have an organization with a paid plan on GitHub. That organization has a repository which is private. Our developers use forks to make changes to the projects.

When a developer creates a PR back to the main repository, the clone command fails with:

Warning: Permanently added 'github.com,192.30.253.112' (RSA) to the list of known hosts.

ERROR: Repository not found.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

git command i returned 128: 

I tried adding a user key which didn’t help. I tried adding the forked repo to CircleCI which also didn’t help. After looking through the docs and the board I’m left with some frustration, and still not able to get it to work.

I appreciate any help for resolving this issue.


#2

This should be pretty straightforward. Is there nobody here that can point me at the solution?


#3

I have the same issue. Would anybody help? :sob:


#4

I found the solution. Maybe this will help you.
We need to turn on these settings:

  • Advanced Settings->Pass secrets to builds from forked pull requests
  • Advanced Settings->Build forked pull requests

#5

This is a very frustrating problem.

First of all, the errors are completely misleading: “We couldn’t detect the settings for your project! Please make sure you have a configuration file in place, and check our doc about manual build setup in CircleCI 2.0.” It suggests that the repo was cloned and it doesn’t have a config, or maybe that the old circle.yml has already been deprecated and only the 2.0 config works now as the version number in the error message may suggest, but meanwhile Circle doesn’t even know if there is any config or not, because it couldn’t clone the repo in the first place.

So the error should be: “We couldn’t access the fork repository! Please make sure that the repository referenced in the pull request exists and you have permissions to access it.”

Now, it is very strange to me that Circle uses its own unprivileged SSH key to access the fork by default for forks of private projects, which are almost always private.

First of all, it should use the same key as for non-fork PRs, but not expose it to the tests! Why do I have to give secrets to the CODE inside of the pull request, just to CLONE the repo in the pull request? Circle should use the key to clone the repo and not pass that key to the tests.

Second of all, if that fails, there should be an option (or maybe tried automatically) to clone the repo as a user that is the owner of the fork, if that user has authorized Circle to do that before (maybe a setting per repository).

Note that both of those should be able to just clone the repo and forget the key, never giving it to the code that is being run by default, unless passing secrets is turned on.

It may have some problems (like not being able to install private dependencies in some cases) but would be better than trying to use an unauthorized key to clone a private repo and telling us that there are no tests or no configuration.

Currently the only option to fix that, not obvious at all, is what was suggested above, i.e. to turn on passing secrets to pull requests which even Circle rightly warns against: “There are serious security concerns with this setting (see the documentation for details.) If you have SSH keys, sensitive env vars or AWS credentials stored in your project settings and untrusted forks can make pull requests against your repo, then this option isn’t for you!”
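
Added example (not part of the thread and not CircleCI's implementation): a shell sketch of the split post #5 asks for, where a trusted step clones with the key and forgets it, and the pull request's code then runs without inheriting any secrets. The function names are hypothetical, and it assumes the runner is otherwise isolated, since an empty environment does not restrict filesystem or network access.

```shell
#!/bin/sh
# Added example: hypothetical two-phase job, not CircleCI's implementation.

# Phase 1 (trusted): clone with a deploy key, then delete the key so that
# nothing run later can read it. Returns git's exit status.
# usage: checkout_with_key <repo-url> <dest-dir> <key-file>
checkout_with_key() {
    url=$1 dest=$2 key=$3 status=0
    # GIT_SSH_COMMAND makes git use this key only, ignoring any ssh-agent.
    GIT_SSH_COMMAND="ssh -i '$key' -o IdentitiesOnly=yes" \
        git clone --quiet "$url" "$dest" || status=$?
    # Forget the key whether or not the clone succeeded.
    rm -f "$key"
    return "$status"
}

# Phase 2 (untrusted): run the PR's command inside the checkout with an
# empty environment, so project env vars and SSH_AUTH_SOCK are not inherited.
# usage: run_untrusted <checkout-dir> <command> [args...]
run_untrusted() {
    dir=$1
    shift
    ( cd "$dir" && env -i PATH="$PATH" HOME="$dir" "$@" )
}
```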

