Deploying with a private git submodule


Hey everyone, does anyone have experience deploying with a private git submodule?

The RUN git submodule update command fails because aptible can’t access the github repo


My recommendation: personal access tokens, and HTTPS URLs for the submodules:

(the guide is for Gemfile/package.json but the same approach applies for submodules)

If you don’t want to include the PAT in your codebase, you can load an SSH private key into your app via ENV

I know some customers do this, and it’d be something like this in your Dockerfile:

RUN set -a && . .aptible.env && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa


Thanks, I’ll give the id_rsa solution a shot


For anyone who searches this in the future: I had to add a few Dockerfile lines to get private submodules working:

RUN mkdir -p /root/.ssh
RUN set -a && . /opt/MYAPP/.aptible.env && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa
RUN ssh-keyscan >> /root/.ssh/known_hosts
RUN git submodule init && git submodule update


Is there a good strategy to set a private key in the environment using `config:set? In my attempts the value appears to be being escaped which breaks the key.


@rvause Enclave does not perform any escaping of the key you provide when served to your application (but it is escaped when it’s displayed back to you if you use aptible config --app ...). However, it’s fairly common to get this wrong either when setting the variable or writing it to a file in your app.

I recommend the following approach to avoid both issues:

  • Use this to read the key from a file and feed it to config:set:
aptible config:set --app "$APP_HANDLE" SSH_PRIVATE_KEY=$(cat ~/.ssh/id_rsa)"

(adjust ~/.ssh/id_rsa with the path to your key if it’s somewhere else!)

  • Use printf to write the key to a file properly (using echo might work but it often does not). The easiest way to do so is to add this in a script and call it.
mkdir "${HOME}/.ssh"

touch "$SSH_KEY_FILE"
chmod 600 "$SSH_KEY_FILE"
printf "%s" "$SSH_PRIVATE_KEY" > "$SSH_KEY_FILE"


Thanks for the detailed answer.

It looks like the problem I was having was specifically to do with running the config:set command with fish. Switching to bash and running aptible config:set --app handle SSH_KEY="``cat path/to/key``" (one backtick, having some formatting funkiness whilst posting) solved my immediate issue. At that point using echo appears to do the job.


Happy to hear this solved it! :slight_smile: