Just this morning, I had to get our CI workflow to clone a new submodule that resides on a private Bitbucket server.
Of course, this does not work out of the box; you will get:

```
Could not read from remote repository.
```
I already had an SSH key configured as a secret and used for checkout:

```yaml
- uses: actions/checkout@v2
  with:
    ssh-key: ${{ secrets.SSH_PRIVATE_KEY }}
    submodules: true
```
So I added the public part of this key to the private Bitbucket server, thinking that this would solve my problem.
But I was not out of the woods:
```
No RSA host key is known for <redacted> and you have requested strict checking.
Host key verification failed.
```
Yep, I needed to edit the runner’s `known_hosts` file. Since I am a smart developer (meaning lazy 😂), I did not want to do it manually in bash and I thought: This must've been already solved by someone else.
After like 2 minutes of searching I found a GitHub action that does exactly what I needed: https://github.com/marketplace/actions/install-ssh-key
I simply needed to add a new secret to my repo for the `known_hosts` entry (you need the whole line, not just the hostname) and the action to my workflow before the checkout step like this:
```yaml
- name: Install SSH key
  uses: shimataro/ssh-key-action@v2
  with:
    key: ${{ secrets.SSH_PRIVATE_KEY }}
    known_hosts: ${{ secrets.SSH_KNOWN_HOSTS }}
- name: Checkout with submodules
  uses: actions/checkout@v2
  with:
    ssh-key: ${{ secrets.SSH_PRIVATE_KEY }}
    submodules: true
```
Note: You still need to keep specifying the `ssh-key` param in the `checkout@v2` action so it uses SSH to clone (and not HTTPS).
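The `known_hosts` secret is what pins the server's identity for every later run, so the line is worth checking against a fingerprint obtained from the server's administrator before it is stored. The following is an added example, not part of the original post or of the action's code: it parses a `known_hosts` line and compares its SHA256 fingerprint with a trusted one. The host name, port and key are constructed sample values.

```python
import base64
import hashlib
import struct


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_known_hosts_line(line: str, host: str, trusted_fp: str) -> str:
    """Return the key fingerprint if `line` is safe to store, else raise ValueError."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("need the whole line: host, key type and key")
    hosts, key_type, b64 = fields[:3]
    if host not in hosts.split(","):
        raise ValueError(f"entry is for {hosts!r}, not {host!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise ValueError("key is not valid base64") from exc
    # The key blob starts with a length-prefixed copy of the key type.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared key type does not match the key blob")
    fp = fingerprint(blob)
    if fp != trusted_fp:
        raise ValueError(f"fingerprint {fp} does not match the trusted one")
    return fp


# Constructed sample data: not a real host or key.
SAMPLE_HOST = "[bitbucket.example.internal]:7999"
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_LINE = f"{SAMPLE_HOST} ssh-ed25519 {base64.b64encode(_blob).decode()}"
# Stand-in for the fingerprint you would get from the server admin, out of band.
SAMPLE_TRUSTED_FP = fingerprint(_blob)

if __name__ == "__main__":
    print(check_known_hosts_line(SAMPLE_LINE, SAMPLE_HOST, SAMPLE_TRUSTED_FP))
```

A line that passes this check is the value to paste into the `SSH_KNOWN_HOSTS` secret; a host on a non-default port must appear in the `[host]:port` form shown in the sample.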
🎉