Use CI_JOB_TOKEN instead of SSH for 3p cloning

templates/Build.gitlab-ci.yml

@@ -30,6 +30,12 @@ variables:
 .build:
   stage: build
   script:
+    # Use gitlab ci job token
+    - |
+      SOURCE_REPO=${SOURCE_REPO#git@}
+      SOURCE_REPO=${SOURCE_REPO//://}
+      export SOURCE_REPO=https://gitlab-ci-token:${CI_JOB_TOKEN}@${SOURCE_REPO}
+
     # Build images
     - |
       werf build \

templates/Setup.gitlab-ci.yml

@@ -5,8 +5,6 @@
 #   $DEV_MODULES_REGISTRY - dev registry path
 #   $DEV_MODULES_REGISTRY_LOGIN - login to dev registry
 #   $DEV_MODULES_REGISTRY_PASSWORD - password to dev registry
-#   $SOURCE_REPO - Source repository address for the module
-#   $SOURCE_REPO_SSH_KEY - SSH private key for the source repository
 #   $DEV_MODULES_REGISTRY_PASSWORD - password to dev registry
 #   $DEV_MODULES_REGISTRY_PASSWORD - password to dev registry
 #   $DEV_MODULES_REGISTRY_PASSWORD - password to dev registry
@@ -79,47 +77,32 @@ before_script:
 
   # Add ssh keys
   - |
-    if [[ -n "${SOURCE_REPO_SSH_KEY_B64}" ]]; then
-      SOURCE_REPO_SSH_KEY=$(echo "${SOURCE_REPO_SSH_KEY_B64}" | base64 -d)
+    if [[ -n "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" ]]; then
+      SVACE_ANALYZE_SSH_PRIVATE_KEY=$(echo "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" | base64 -d)
     fi
-    if [[ -n "${SOURCE_REPO_SSH_KEY}" || -n "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" ]]; then
 
+    if [[ -n "${SVACE_ANALYZE_SSH_PRIVATE_KEY}" ]]; then
       eval $(ssh-agent)
       trap "kill -3 ${SSH_AGENT_PID}" ERR EXIT HUP INT QUIT TERM
       export SSH_KNOWN_HOSTS=~/.ssh/known_hosts
       mkdir -p ~/.ssh
       touch ~/.ssh/known_hosts
 
-      if [[ -n "${SOURCE_REPO_SSH_KEY}" ]]; then
-        ssh-add - <<< "${SOURCE_REPO_SSH_KEY}"
-        if [[ -n "${SOURCE_REPO}" ]]; then
-          HOST=$(grep -oP '(?<=@)[^/:]+' <<< ${SOURCE_REPO})
-          HOST_KEYS=$(ssh-keyscan -H "$HOST" 2>/dev/null)
-          while IFS= read -r KEY_LINE; do
-            CONSTANT_PART=$(awk '{print $2, $3}' <<< "$KEY_LINE")
-            if ! grep -q "$CONSTANT_PART" ~/.ssh/known_hosts; then
-              echo "$KEY_LINE" >> ~/.ssh/known_hosts
-            fi
-          done <<< "$HOST_KEYS"
-        fi
+      echo "${SVACE_ANALYZE_SSH_PRIVATE_KEY}" | ssh-add -
+      if [[ -n "${SVACE_ANALYZE_HOST}" ]]; then
+        echo "Adding svace ssh key (ignoring errors)."
+        set +e
+        HOST=${SVACE_ANALYZE_HOST}
+        HOST_KEYS=$(ssh-keyscan -H "$HOST" 2>/dev/null)
+        while IFS= read -r KEY_LINE; do
+          CONSTANT_PART=$(awk '{print $2, $3}' <<< "$KEY_LINE")
+          if ! grep -q "$CONSTANT_PART" ~/.ssh/known_hosts; then
+            echo "$KEY_LINE" >> ~/.ssh/known_hosts
+          fi
+        done <<< "$HOST_KEYS"
+        set -e
       fi
 
-      if [[ -n "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" ]]; then
-        echo "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" | base64 -d | ssh-add -
-        if [[ -n "${SVACE_ANALYZE_HOST}" ]]; then
-          echo "Adding svace ssh key (ignoring errors)."
-          set +e
-          HOST=${SVACE_ANALYZE_HOST}
-          HOST_KEYS=$(ssh-keyscan -H "$HOST" 2>/dev/null)
-          while IFS= read -r KEY_LINE; do
-            CONSTANT_PART=$(awk '{print $2, $3}' <<< "$KEY_LINE")
-            if ! grep -q "$CONSTANT_PART" ~/.ssh/known_hosts; then
-              echo "$KEY_LINE" >> ~/.ssh/known_hosts
-            fi
-          done <<< "$HOST_KEYS"
-          set -e
-        fi
-      fi
     fi
 
 stages:

templates/Svace_Analayze.gitlab-ci.yml

@@ -38,7 +38,11 @@
           echo "Using new ssh auth sock: ${SSH_AUTH_SOCK}"
       fi
 
-      echo "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" | base64 -d | ssh-add -
+      if [[ -n "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" ]]; then
+        SVACE_ANALYZE_SSH_PRIVATE_KEY=$(echo "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" | base64 -d)
+      fi
+
+      echo "${SVACE_ANALYZE_SSH_PRIVATE_KEY}" | ssh-add -
 
     # Add Svace analyze host to known_hosts
     - |