Continuous Integration with submodules

I have a several projects that use a common project as a submodule.
The submodule is hosted on gitlab as well, but it is a different project under a different base name.

In each projects, the submodule is set using a git address and not a relative path.

CI builds constantly fail because they claim they don’t have the permissions to pull the submodule.

How can I pass credentials? since it’s the same user account, why are credentials needed?

1 Like

I have the same problem I think. With different base name do you mean:
gitlab.something.com vs gitlab.anything.com?
Did you find a solution in the end?
P.S. I have it working in within the same domain by using relative paths but not in between domains.

Hi,

the same domain will work since the job will be executed in the same scope as the user who pushed the branch for example, and if that user has permission for both projects, this will work seamlessly.

https://docs.gitlab.com/ee/user/project/new_ci_build_permissions_model.html

With the new behavior, any job that is triggered by the user, is also marked with their read permissions. When a user does a git push or changes files through the web UI, a new pipeline will be usually created. This pipeline will be marked as created by the pusher (local push or via the UI) and any job created in this pipeline will have the read permissions of the pusher but not write permissions.

This allows us to make it really easy to evaluate the access for all projects that have Git submodules or are using container images that the pusher would have access too. The permission is granted only for the time that the job is running. The access is revoked after the job is finished.

The problem with multiple domains is that they are different GitLab servers which do not trust each other nor share the user permissions etc.

If you are going this route, you’d still need access tokens.

Cheers,
Michael