workspace-shared Submodule in CI
Overview
Most repositories include libs/workspace-shared as a git submodule. This is a private repository, so GitHub Actions workflows need a Personal Access Token (PAT) to check it out.
GitHub Actions Checkout Pattern
ALWAYS use this pattern when checking out a repo that has the workspace-shared submodule:
- uses: actions/checkout@v4
with:
token: ${{ secrets.SUBMODULE_PAT }}
submodules: recursiveRules
- NEVER use
GITHUB_TOKENfor submodule checkout — it cannot access private repos outside the current repository - ALWAYS use
SUBMODULE_PAT— a PAT withreposcope stored as a repository secret - ALWAYS use
submodules: recursive— not justtrue - ALWAYS use HTTPS URLs in
.gitmodules— SSH URLs (git@github.com:...) do not work in CI without extra key setup
Secret Setup
Each repository that uses workspace-shared in CI needs the SUBMODULE_PAT secret:
gh secret set SUBMODULE_PAT --repo craigedmunds/<repo-name>The PAT needs repo scope to access private repositories.
Repos that need SUBMODULE_PAT
| Repo | Has Secret | Status |
|---|---|---|
| k8s-lab | Yes | Working |
| argocd-eda | Yes | Working |
| ai-dev | Needs setup | Workflows updated but secret not yet added |
| domain-apis | No CI submodule use | Also uses SSH URL in .gitmodules (should be fixed) |
| market-making | No CI submodule use | N/A |
.gitmodules URL Format
Submodule URLs must use HTTPS format:
[submodule "libs/workspace-shared"]
path = libs/workspace-shared
url = https://github.com/craigedmunds/workspace-shared.git
Not SSH format (git@github.com:...).