CI pipelines built on Distributed Cloud Container Platform for Kubernetes (ACK One) workflow clusters use BuildKit Cache and File Storage NAS to store the Go module cache, which accelerates pipeline runs. To build a CI pipeline for a Golang project that uses a private Git repository, clone the private repository as part of the pipeline setup.
Three methods are available for cloning a private Git repository in a CI pipeline.
Prerequisites
Before you begin, ensure that you have:
An ACK One workflow cluster with an Argo Workflows CI pipeline set up for a Golang project. For setup instructions, see Create CI pipelines for Golang projects in workflow clusters
Access credentials for your private Git repository: a username and password (or personal access token), or an SSH private key
Choose a method
| Method | Authentication | When to use |
|---|---|---|
| Method 1: Argo Workflows Git artifacts with username and password | Username + password or personal access token | HTTPS repositories; credentials already managed as tokens |
| Method 2: Argo Workflows Git artifacts with an SSH private key | SSH private key | SSH-format repository URLs; key-based authentication preferred |
| Method 3: git clone with username and password | Username + password or personal access token via environment variables | Simpler setup without a DAG task; single-task workflows |
All three methods require a Kubernetes Secret named git-creds to store your repository credentials. Create this Secret first, then apply the workflow template for your chosen method.
Store credentials in the workflow cluster
Run the following command to create a Secret named git-creds in your workflow cluster. The Secret stores your repository username, password (or personal access token), and SSH private key.
Replace the placeholders with your actual values:
| Placeholder | Description | Example |
|---|---|---|
| ${username} | Your Git repository username | demo |
| ${password or token} | Your password or personal access token. GitHub and other providers have deprecated basic password authentication; use a personal access token. | ghp_GePB****************d407 |
| ${ssh private key path} | Local path to your SSH private key file | $HOME/.ssh/id_rsa |
```bash
kubectl create secret generic git-creds \
  --from-literal="username=${username}" \
  --from-literal="password=${password or token}" \
  --from-file=ssh-private-key=${ssh private key path}

# Example:
# kubectl create secret generic git-creds \
#   --from-literal="username=demo" \
#   --from-literal="password=ghp_GePB****************d407" \
#   --from-file=ssh-private-key=$HOME/.ssh/id_rsa
```
If you use SSH authentication (Method 2), generate an SSH key pair and add the public key to your Git repository before running this command. See your Git provider's documentation: GitHub | GitLab.
Method 1: Argo Workflows Git artifacts with username and password
This method uses Argo Workflows Git artifacts to clone the repository. The workflow template adds a git-clone task that references the username and password fields from the git-creds Secret, and configures it as a dependency of the existing git-checkout-pr task.
All three methods retain only the git-checkout-pr task from the predefined workflow template. The shell script in the command parameter of git-checkout-pr does not require modification.
Apply the workflow template
Apply the following ClusterWorkflowTemplate to your workflow cluster:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
  name: ci-git-artifact
spec:
  entrypoint: main
  volumes:
  - name: run-test
    emptyDir: {}
  - name: workdir
    persistentVolumeClaim:
      claimName: pvc-nas
  - name: docker-config
    secret:
      secretName: docker-config
  arguments:
    parameters:
    - name: repo_url
      value: ""
    - name: repo_name
      value: ""
    - name: target_branch
      value: "main"
  templates:
  - name: main
    dag:
      tasks:
      - name: git-clone
        arguments:
          artifacts:
          - name: git-repo
            path: /workdir
            git:
              repo: "{{arguments.parameters.repo_url}}"
              revision: main
              usernameSecret:
                name: git-creds
                key: username
              passwordSecret:
                name: git-creds
                key: password
              sshPrivateKeySecret:
                name: git-creds
                key: ssh-private-key
        inline:
          container:
            image: golang:1.10
            command:
            - sh
            - -c
            - |
              cd {{workflow.parameters.repo_name}}
              git status && ls
            workingDir: /workdir
            volumeMounts:
            - name: "workdir"
              mountPath: /workdir
      - name: git-checkout-pr
        inline:
          container:
            image: alpine:latest
            command:
            - sh
            - -c
            - |
              set -eu
              apk --update add git
              cd /workdir
              echo "Start to Clone "{{workflow.parameters.repo_url}}
              git -C "{{workflow.parameters.repo_name}}" pull || git clone {{workflow.parameters.repo_url}}
              cd {{workflow.parameters.repo_name}}
              echo "Start to Checkout target branch" {{workflow.parameters.target_branch}}
              git checkout {{workflow.parameters.target_branch}}
              echo "Get commit id"
              git rev-parse --short origin/{{workflow.parameters.target_branch}} > /workdir/{{workflow.parameters.repo_name}}-commitid.txt
              commitId=$(cat /workdir/{{workflow.parameters.repo_name}}-commitid.txt)
              echo "Commit id is got: "$commitId
              echo "Git Clone and Checkout Complete."
            volumeMounts:
            - name: "workdir"
              mountPath: /workdir
            resources:
              requests:
                memory: 1Gi
                cpu: 1
          activeDeadlineSeconds: 1200
        depends: git-clone
```
Submit the workflow
Set the workflow parameters to match your CI pipeline configuration, then submit the workflow. The following figure shows an example.

Method 2: Argo Workflows Git artifacts with an SSH private key
This method is similar to Method 1, with two differences:
The git-clone task references only the ssh-private-key field from the git-creds Secret.
The repo_url parameter must be in SSH format. Example: git@github.com:ivan-cai/gitops-demo-private.git.
Apply the workflow template
Apply the following ClusterWorkflowTemplate to your workflow cluster:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
  name: ci-git-artifact-sshkey
spec:
  entrypoint: main
  volumes:
  - name: run-test
    emptyDir: {}
  - name: workdir
    persistentVolumeClaim:
      claimName: pvc-nas
  - name: docker-config
    secret:
      secretName: docker-config
  arguments:
    parameters:
    - name: repo_url
      value: ""
    - name: repo_name
      value: ""
    - name: target_branch
      value: "main"
  templates:
  - name: main
    dag:
      tasks:
      - name: git-clone
        arguments:
          artifacts:
          - name: git-repo
            path: /workdir
            git:
              repo: "{{arguments.parameters.repo_url}}"
              revision: main
              sshPrivateKeySecret:
                name: git-creds
                key: ssh-private-key
        inline:
          container:
            image: golang:1.10
            command:
            - sh
            - -c
            - |
              cd {{workflow.parameters.repo_name}}
              git status && ls
            workingDir: /workdir
            volumeMounts:
            - name: "workdir"
              mountPath: /workdir
      - name: git-checkout-pr
        inline:
          container:
            image: alpine:latest
            command:
            - sh
            - -c
            - |
              set -eu
              apk --update add git
              cd /workdir
              echo "Start to Clone "{{workflow.parameters.repo_url}}
              git -C "{{workflow.parameters.repo_name}}" pull || git clone {{workflow.parameters.repo_url}}
              cd {{workflow.parameters.repo_name}}
              echo "Start to Checkout target branch" {{workflow.parameters.target_branch}}
              git checkout {{workflow.parameters.target_branch}}
              echo "Get commit id"
              git rev-parse --short origin/{{workflow.parameters.target_branch}} > /workdir/{{workflow.parameters.repo_name}}-commitid.txt
              commitId=$(cat /workdir/{{workflow.parameters.repo_name}}-commitid.txt)
              echo "Commit id is got: "$commitId
              echo "Git Clone and Checkout Complete."
            volumeMounts:
            - name: "workdir"
              mountPath: /workdir
            resources:
              requests:
                memory: 1Gi
                cpu: 1
          activeDeadlineSeconds: 1200
        depends: git-clone
```
Submit the workflow
Set repo_url in SSH format. Example: git@github.com:ivan-cai/gitops-demo-private.git.

Method 3: git clone with username and password
This method does not require a directed acyclic graph (DAG) task. Instead of adding a separate git-clone task, it modifies the git clone command in the existing git-checkout-pr task to embed credentials from environment variables:
```bash
git clone https://${GIT_USER}:${GIT_TOKEN}@github.com/${GITHUB_REPOSITORY}
```
The task reads credentials from the git-creds Secret using two environment variables:
| Environment variable | Secret field |
|---|---|
| GIT_USER | username |
| GIT_TOKEN | password |
Apply the workflow template
Apply the following ClusterWorkflowTemplate to your workflow cluster:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
  name: ci-git
spec:
  entrypoint: main
  volumes:
  - name: run-test
    emptyDir: {}
  - name: workdir
    persistentVolumeClaim:
      claimName: pvc-nas
  - name: docker-config
    secret:
      secretName: docker-config
  arguments:
    parameters:
    - name: repo_url
      value: ""
    - name: repo_name
      value: ""
    - name: target_branch
      value: "main"
  templates:
  - name: main
    dag:
      tasks:
      - name: git-checkout-pr
        inline:
          container:
            image: alpine:latest
            env:
            - name: GIT_USER
              valueFrom:
                secretKeyRef:
                  name: git-creds
                  key: username
            - name: GIT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: git-creds
                  key: password
            command:
            - sh
            - -c
            - |
              set -eu
              apk --update add git
              cd /workdir
              echo "Start to Clone "{{workflow.parameters.repo_url}}
              git -C "{{workflow.parameters.repo_name}}" pull || git clone https://$GIT_USER:$GIT_TOKEN@{{workflow.parameters.repo_url}}
              cd {{workflow.parameters.repo_name}}
              echo "Start to Checkout target branch" {{workflow.parameters.target_branch}}
              git checkout {{workflow.parameters.target_branch}}
              echo "Get commit id"
              git rev-parse --short origin/{{workflow.parameters.target_branch}} > /workdir/{{workflow.parameters.repo_name}}-commitid.txt
              commitId=$(cat /workdir/{{workflow.parameters.repo_name}}-commitid.txt)
              echo "Commit id is got: "$commitId
              echo "Git Clone and Checkout Complete."
            volumeMounts:
            - name: "workdir"
              mountPath: /workdir
            resources:
              requests:
                memory: 1Gi
                cpu: 1
          activeDeadlineSeconds: 1200
```
Submit the workflow
Provide the raw repository URL for repo_url. Do not include https:// as a prefix; the clone command in the template prepends it automatically.
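Method 3 passes the credentials inside the clone URL, and git records that URL as the origin remote in the repository's .git/config on the NAS-backed /workdir volume. The following added example (not part of the original page or of the ACK One templates) finds such configs under a work directory and strips the user:token part; the function names and the sample repositories are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and scrub credentials that Method 3's
# "git clone https://$GIT_USER:$GIT_TOKEN@host/repo" leaves in .git/config.
# Function names and sample data are constructed, not from the original page.

# ERE matching a remote "url = https://user[:secret]@..." line in a git config.
URL_LINE='^([[:space:]]*url[[:space:]]*=[[:space:]]*https?://)[^/@[:space:]]*@'

# Print every .git/config under DIR ($1) whose remote URL embeds credentials.
list_tainted_configs() {
    find "$1" -type f -path '*/.git/config' | sort | while IFS= read -r cfg; do
        if grep -qE "$URL_LINE" "$cfg"; then printf '%s\n' "$cfg"; fi
    done
}

# Rewrite FILE ($1) in place, dropping the userinfo part of http(s) remote URLs.
# SSH remotes (git@host:path) and every other setting are left untouched.
scrub_config() {
    tmp="$1.scrub.$$"
    sed -E "s#${URL_LINE}#\\1#" "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Scrub every tainted config under DIR ($1) and print the files that changed.
scrub_workdir() {
    list_tainted_configs "$1" | while IFS= read -r cfg; do
        scrub_config "$cfg" && printf 'scrubbed %s\n' "$cfg"
    done
}

# Constructed sample: one repo cloned as in Method 3, one cloned over SSH.
make_sample_workdir() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/demo/.git" "$d/ssh-demo/.git"
    printf '[remote "origin"]\n\turl = https://demo:EXAMPLE-TOKEN@github.com/example-org/demo.git\n' \
        > "$d/demo/.git/config"
    printf '[remote "origin"]\n\turl = git@github.com:example-org/demo.git\n' \
        > "$d/ssh-demo/.git/config"
    printf '%s\n' "$d"
}

# Run against a directory given on the command line, such as /workdir.
if [ -n "${1:-}" ]; then scrub_workdir "$1"; fi
```

After scrubbing, the git pull step in git-checkout-pr no longer finds credentials in the remote URL, so it needs them from another source, for example a git credential helper that reads GIT_USER and GIT_TOKEN from the environment.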
