Support git submodules

[marek-saji]

Why?

Fixes https://verkstedt.atlassian.net/browse/TIOSDEV-45

What?

• New action that calls create-github-app-token, but falls back to github.token and also yells at you if it’s misconfigured.

• Pass submodules: recursive when using checkout
  For public repos this will work fine, for private ones, you need to pass a token that can read your repo and submodule. That’s what new action is for.

TODO before the merge

• Remove commit that does @v1 → @feat/git-submodules

---

@coderabbitai ignore

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a composite action to generate a GitHub App token, threads that token into setup steps (switching setup to feat/git-submodules), and enables recursive checkout of git submodules across several workflows; also updates cache key suffixes and README guidance for submodules.

Changes

Cohort / File(s)	Summary
CI & Chromatic workflows .github/workflows/ci.yaml, .github/workflows/chromatic.yaml	Add GH_AUTH_APP_SECRET secret, add app-token step (create-github-app-token), switch verkstedt/actions/setup to feat/git-submodules, and pass token into setup steps.
Deploy / Build workflows .github/workflows/deploy-cloudfunction.yaml, .github/workflows/deploy-cloudrun.yaml, .github/workflows/docker-build-push.yaml, .github/workflows/create-release.yaml	Introduce GH_AUTH_APP_SECRET where applicable; add app-token step and use generated token in actions/checkout; enable submodules: recursive for private submodule checkouts.
New action — create GitHub App token create-github-app-token/action.yaml, create-github-app-token/README.md	Add composite action that conditionally generates a GitHub App token from app-id + private-key with fallback to github.token; include README and example usage.
Setup action updates setup/action.yaml	Enable submodules: recursive in checkout and update cache keys to include --v2 suffix.
Docs / README README.md	Add guidance and TIPs for using private git submodules and reference the new create-github-app-token action; minor formatting/content adjustments.

Sequence Diagram(s)

sequenceDiagram
    participant WF as GitHub Workflow
    participant TokenAction as create-github-app-token
    participant SetupAction as verkstedt/setup@feat/git-submodules
    participant Steps as Downstream Steps

    WF->>TokenAction: provide `app-id` + `private-key` (inputs)
    TokenAction->>TokenAction: validate inputs
    alt app-id + private-key present
        TokenAction->>TokenAction: call actions/create-github-app-token@v2.2.1
        TokenAction-->>WF: output token
    else missing
        TokenAction-->>WF: output github.token (fallback)
    end
    WF->>SetupAction: call setup with `token` input
    SetupAction->>SetupAction: checkout (submodules: recursive)
    SetupAction->>SetupAction: restore/save caches (v2 keys)
    SetupAction-->>Steps: environment ready (token available)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat: create-release #25: Adjusts setup action to accept and propagate a GitHub App token — closely related to token threading.
• chore: Update third party actions #24: Modifies setup/action.yaml (checkout/cache behavior) — overlaps with cache and checkout changes.
• feat: add cloudfunction deployment workflow #28: Updates deploy workflows with GitHub App auth and checkout changes — directly related to workflow edits here.

Suggested reviewers

• erolci
• smelchior

Poem

🐰 I hopped through branches, found a secret key so bright,
Submodules now come home, no more checkout fright,
Tokens warm my paws, workflows hum and run,
Pipelines bloom like clover under morning sun,
Hooray — CI nibbles carrots, everything's alright!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	❓ Inconclusive	Most changes are in-scope (new create-github-app-token action, setup modifications, workflow updates for submodule support). However, the PR contains a notable TODO indicating commits with temporary feature branch references (@feat/git-submodules) that should be removed before merging.	Complete the TODO item by removing commits that reference @feat/git-submodules and replace with appropriate stable branch references before final merge.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Support git submodules' directly and clearly summarizes the main change—adding support for git submodules across the repository's GitHub Actions workflows.
Linked Issues check	✅ Passed	The PR addresses the linked issue TIOSDEV-45 by implementing git submodule support through a new GitHub App token action and updating checkout steps to use recursive submodules.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The PR description clearly relates to the changeset: it explains the purpose (fixing TIOSDEV-45), what was added (new GitHub App token action with fallback), and what was changed (recursive submodules support in checkout).

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/git-submodules

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/deploy-cloudfunction.yaml:
- Around line 51-54: The workflow's "Checkout code" step uses
actions/checkout@v6.0.2 with submodules: recursive but does not pass a token, so
private submodules will fail; add the GitHub App token flow used in other
workflows by inserting a create-github-app-token step (as in
docker-build-push/ci) and then update the actions/checkout step to pass with:
token: ${{ steps.create-github-app-token.outputs.token }} so private submodules
can be fetched during the deploy-cloudfunction workflow.

In @.github/workflows/docker-build-push.yaml:
- Around line 185-196: The workflow uses secrets.GH_AUTH_APP_SECRET in the
GitHub App token step (outputs referenced by steps.app-token.outputs.token) but
the secret is not declared in the workflow_call.secrets block; update the
workflow_call.secrets section to include GH_AUTH_APP_SECRET so the action that
creates the GitHub App token and the subsequent actions/checkout step (with
submodules: recursive) receive the secret at runtime.

In `@README.md`:
- Around line 196-205: The comment flags a capitalization nit for "GitHub" in
the README section titled "How to use repositories with private git submodules?"
(anchor id "user-content-submodules"), but the text already correctly uses
"GitHub"; no code change is needed—dismiss the nit/close the review item and
leave the README.md content as-is (do not alter the "GitHub creates
`github.token`" phrasing).

---

Duplicate comments:
In @.github/workflows/chromatic.yaml:
- Around line 53-64: The review note is duplicated; remove the redundant
"[duplicate_comment]" marker and/or duplicate review text so the comment only
appears once, and keep the explanation that the "app-token" step correctly feeds
the "Setup" action's token input (leave the existing steps "app-token" and
"Setup" unchanged, including the flagged `@feat/git-submodules` refs which are
tracked as TODO).

In @.github/workflows/ci.yaml:
- Around line 43-70: Change the ephemeral branch refs for the actions to stable,
pinned versions: replace
verkstedt/actions/create-github-app-token@feat/git-submodules and
verkstedt/actions/setup@feat/git-submodules with a specific released tag or
commit SHA (e.g., `@v1` or @<commit-sha>) to avoid relying on feature branch
names; keep the step ids (app-token, setup) and output usages
(steps.app-token.outputs.token, steps.setup.outputs.scripts) unchanged so token
propagation continues to work.

In @.github/workflows/docker-build-push.yaml:
- Line 187: Update the GitHub Actions step that currently uses the mutable
branch ref "verkstedt/actions/create-github-app-token@feat/git-submodules" to
the pinned release tag "verkstedt/actions/create-github-app-token@v1" (replace
the `@feat/git-submodules` ref with `@v1`) to remove the mutable branch reference
and avoid supply-chain risk.