add support for cloning Git repository via SSH rather than HTTPS

README.md

@@ -443,6 +443,15 @@ variables) that are allowed to be specified in a PR command with the
 be exported into the build environment before running the bot/build.sh script.
 
 
+```
+clone_git_repo_via = https
+```
+
+The `clone_git_repo_via` setting specifies via which mechanism the Git repository
+should be cloned. This can be either:
+* `https` (default): clone repository via HTTPS with `git clone https://github.com/<owner>/<repo>`
+* `ssh`: clone repository via SSH with `git clone git@github.com:<owner>/<repo>.git`
+
 #### `[bot_control]` section
 
 The `[bot_control]` section contains settings for configuring the feature to

app.cfg.example

@@ -136,6 +136,10 @@ allow_update_submit_opts = false
 # exported into the build environment via `exportvariable` filters
 allowed_exportvars = ["NAME1=value_1a", "NAME1=value_1b", "NAME2=value_2"]
 
+# mechanisn to use to clone Git repository
+# 'https' to clone via HTTPS (git clone https://github.com/<owner>/<repo>)
+# 'ssh' to clone via SSH (git clone git@github.com:<owner>/<repo>.git)
+clone_git_repo_via = https
 
 [deploycfg]
 # script for uploading built software packages

eessi_bot_event_handler.py

@@ -52,6 +52,7 @@
         config.BUILDENV_SETTING_BUILD_JOB_SCRIPT,                  # required
         config.BUILDENV_SETTING_BUILD_LOGS_DIR,                    # optional+recommended
         config.BUILDENV_SETTING_BUILD_PERMISSION,                  # optional+recommended
+        # config.BUILDENV_SETTING_CLONE_GIT_REPO_VIA,                # optional
         config.BUILDENV_SETTING_CONTAINER_CACHEDIR,                # optional+recommended
         # config.BUILDENV_SETTING_CVMFS_CUSTOMIZATIONS,              # optional
         # config.BUILDENV_SETTING_HTTPS_PROXY,                       # optional

tasks/build.py

@@ -43,7 +43,8 @@
 _ERROR_CURL = "curl"
 _ERROR_GIT_APPLY = "git apply"
 _ERROR_GIT_CHECKOUT = "git checkout"
-_ERROR_GIT_CLONE = "curl"
+_ERROR_GIT_CLONE = "git clone"
+_ERROR_GIT_DIFF = "git diff"
 _ERROR_NONE = "none"
 
 # other constants
@@ -147,6 +148,10 @@ def get_build_env_cfg(cfg):
     log(f"{fn}(): load_modules '{load_modules}'")
     config_data[config.BUILDENV_SETTING_LOAD_MODULES] = load_modules
 
+    clone_git_repo_via = buildenv.get(config.BUILDENV_SETTING_CLONE_GIT_REPO_VIA, None)
+    log(f"{fn}(): clone_git_repo_via '{clone_git_repo_via}'")
+    config_data[config.BUILDENV_SETTING_CLONE_GIT_REPO_VIA] = clone_git_repo_via
+
     return config_data
 
 
@@ -355,7 +360,7 @@ def clone_git_repo(repo, path):
     return (clone_output, clone_error, clone_exit_code)
 
 
-def download_pr(repo_name, branch_name, pr, arch_job_dir):
+def download_pr(repo_name, branch_name, pr, arch_job_dir, clone_via=None):
     """
     Download pull request to job working directory
 
@@ -364,6 +369,7 @@ def download_pr(repo_name, branch_name, pr, arch_job_dir):
         branch_name (string): name of the base branch of the pull request
         pr (github.PullRequest.PullRequest): instance representing the pull request
         arch_job_dir (string): working directory of the job to be submitted
+        clone_via (string): mechanism to clone Git repository, should be 'https' (default) or 'ssh'
 
     Returns:
         None (implicitly), in case an error is caught in the git clone, git checkout, curl,
@@ -376,7 +382,19 @@ def download_pr(repo_name, branch_name, pr, arch_job_dir):
     # - 'git checkout' base branch of pull request
     # - 'curl' diff for pull request
     # - 'git apply' diff file
-    clone_output, clone_error, clone_exit_code = clone_git_repo(f'https://github.com/{repo_name}', arch_job_dir)
+    log(f"Cloning Git repo via: {clone_via}")
+    if clone_via in (None, 'https'):
+        repo_url = f'https://github.com/{repo_name}'
+    elif clone_via == 'ssh':
+        repo_url = f'git@github.com:{repo_name}.git'
+    else:
+        clone_output = ''
+        clone_error = f"Unknown mechanism to clone Git repo: {clone_via}"
+        clone_exit_code = 1
+        error_stage = _ERROR_GIT_CLONE
+        return clone_output, clone_error, clone_exit_code, error_stage
+
+    clone_output, clone_error, clone_exit_code = clone_git_repo(repo_url, arch_job_dir)
     if clone_exit_code != 0:
         error_stage = _ERROR_GIT_CLONE
         return clone_output, clone_error, clone_exit_code, error_stage
@@ -393,19 +411,16 @@ def download_pr(repo_name, branch_name, pr, arch_job_dir):
         error_stage = _ERROR_GIT_CHECKOUT
         return checkout_output, checkout_err, checkout_exit_code, error_stage
 
-    curl_cmd = ' '.join([
-        'curl -L',
-        '-H "Accept: application/vnd.github.diff"',
-        '-H "X-GitHub-Api-Version: 2022-11-28"',
-        f'https://api.github.com/repos/{repo_name}/pulls/{pr.number} > {pr.number}.diff',
+    git_diff_cmd = ' && '.join([
+        f"git fetch origin pull/{pr.number}/head:pr{pr.number}",
+        f"git diff HEAD pr{pr.number} > {pr.number}.diff",
     ])
-    log(f'curl with command {curl_cmd}')
-    curl_output, curl_error, curl_exit_code = run_cmd(
-        curl_cmd, "Obtain patch", arch_job_dir, raise_on_error=False
+    git_diff_output, git_diff_error, git_diff_exit_code = run_cmd(
+        git_diff_cmd, "Obtain patch", arch_job_dir, raise_on_error=False
         )
-    if curl_exit_code != 0:
-        error_stage = _ERROR_CURL
-        return curl_output, curl_error, curl_exit_code, error_stage
+    if git_diff_exit_code != 0:
+        error_stage = _ERROR_GIT_DIFF
+        return git_diff_output, git_diff_error, git_diff_exit_code, error_stage
 
     git_apply_cmd = f'git apply {pr.number}.diff'
     log(f'git apply with command {git_apply_cmd}')
@@ -457,6 +472,8 @@ def comment_download_pr(base_repo_name, pr, download_pr_exit_code, download_pr_e
             download_comment = (f"```{download_pr_error}```\n"
                                 f"{download_pr_comments_cfg[config.DOWNLOAD_PR_COMMENTS_SETTING_GIT_APPLY_FAILURE]}"
                                 f"\n{download_pr_comments_cfg[config.DOWNLOAD_PR_COMMENTS_SETTING_GIT_APPLY_TIP]}")
+        else:
+            download_comment = f"```{download_pr_error}```"
 
         download_comment = pr_comments.create_comment(
             repo_name=base_repo_name, pr_number=pr.number, comment=download_comment
@@ -615,8 +632,9 @@ def prepare_jobs(pr, cfg, event_info, action_filter):
             log(f"{fn}(): job_dir '{job_dir}'")
 
             # TODO optimisation? download once, copy and cleanup initial copy?
+            clone_git_repo_via = build_env_cfg.get(config.BUILDENV_SETTING_CLONE_GIT_REPO_VIA)
             download_pr_output, download_pr_error, download_pr_exit_code, error_stage = download_pr(
-                base_repo_name, base_branch_name, pr, job_dir
+                base_repo_name, base_branch_name, pr, job_dir, clone_via=clone_git_repo_via,
                 )
             comment_download_pr(base_repo_name, pr, download_pr_exit_code, download_pr_error, error_stage)
             # prepare job configuration file 'job.cfg' in directory <job_dir>/cfg

tools/config.py

@@ -42,6 +42,7 @@
 BUILDENV_SETTING_BUILD_JOB_SCRIPT = 'build_job_script'
 BUILDENV_SETTING_BUILD_LOGS_DIR = 'build_logs_dir'
 BUILDENV_SETTING_BUILD_PERMISSION = 'build_permission'
+BUILDENV_SETTING_CLONE_GIT_REPO_VIA = 'clone_git_repo_via'
 BUILDENV_SETTING_CONTAINER_CACHEDIR = 'container_cachedir'
 BUILDENV_SETTING_CVMFS_CUSTOMIZATIONS = 'cvmfs_customizations'
 BUILDENV_SETTING_HTTPS_PROXY = 'https_proxy'