Git Auth and Submodules - labelling impossible?

Fact1: Git repos can be accessed with auth via ssh or anonymously/read only via the git protocol
Fact2: .gitmodules checked into the repo includes the URLs to the submodules (git clients treat this as a hint and can be redirected or auth changed per repo within git config - no such mechanism exists for teamcity)
Fact3: Although teamcity has push and pull urls for a VCS root it won't  let you mix protocols to use anon git for pull and authed ssh for push
These are correct, yes?

We are trying to use a git repo with submodules.  Some of these submodules use git URLs for convenience, others because they are 3rd party and *must always be accessed by anon git protocol*.  So basically this works as long as we also access the parent repo read only which means we can't push labels back.  If we connect via ssh it is possible to push labels but none of the read only submodules will pull because teamcity tries to use the auth credentials with the git protocol.  The submodules can't be changed to ssh because that would be hugely inconvenient for every developer to have to override them for every repo but also we don't have ssh access to some of the repos.

So why doesn't teamcity just respect the git urls on submodules since applying auth to them makes no sense?
Why can't you use git protocol for pull and ssh for push? (And if not what is the point of seperate urls?)
Why is there no local override mechanism, if neccesary something like a in the repo?

Is there any way to make labelling and read only submodules coexist without one of the above fixes to teamcity?  We would be greatful for any ideas.

Please sign in to leave a comment.