While the deploy repo is currently fetched from the deploy host on targets, submodules remain unmodified and will end up fetching from upstream. This is less than ideal for a couple of reasons, mainly that it precludes us from safely integrating security patches on the deploy host (tin), and secondly that it poses a possible bottleneck under high concurrency. It may also be a blocker for future fanout implementation.
So far, we've discussed two options for implementing this.
- Rewrite .gitmodules. Doing this at a single level seems simple enough, but handling it recursively (correctly) would add a lot of complexity to the fetch stage.
- Configure deploy targets to use git insteadOf to munge remote URLs. This should cover all submodules recursively without actually having to perform the recursive rewrites ourselves, and seems like a "cleaner" option overall simply because it's non-destructive.
The second option seems like the best approach for now.
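A sketch of the second option, added here as an illustration and not taken from the deploy tooling: a single url.<base>.insteadOf rule on the target redirects a submodule and a nested submodule to a mirror while .gitmodules stays untouched. The upstream URL, the repo names (app, lib, sublib) and the local directory standing in for the deploy host are all assumptions made for the demo.

```sh
#!/bin/sh
# Constructed demo: repo names and the upstream URL are made up; a local
# directory stands in for the deploy host's mirror of each repository.
set -e
UPSTREAM="https://upstream.invalid/"   # hypothetical upstream base, never contacted
WORK=$(mktemp -d)
MIRROR="$WORK/mirror/"                 # stand-in for the deploy host
export HOME="$WORK/home" GIT_CONFIG_NOSYSTEM=1
unset XDG_CONFIG_HOME GIT_CONFIG_GLOBAL
mkdir -p "$HOME" "$WORK/src" "$MIRROR" "$WORK/target"

# Target-side configuration: one rule covers every URL under that base, at any depth.
git config --global "url.$MIRROR.insteadOf" "$UPSTREAM"
# Demo-only settings (identity, and file transport for the local stand-in mirror).
git config --global protocol.file.allow always
git config --global user.name demo
git config --global user.email demo@example.invalid
git config --global init.defaultBranch main

mkrepo() {  # mkrepo <name> [submodule]: build a repo, publish a bare copy on the mirror
    git init -q "$WORK/src/$1"
    (
        cd "$WORK/src/$1"
        echo "$1" > README
        git add README
        if [ -n "$2" ]; then git submodule --quiet add "$UPSTREAM$2.git" "$2"; fi
        git commit -q -m "init $1"
    )
    git clone -q --bare "$WORK/src/$1" "$MIRROR$1.git"
}

recorded_url()  { git -C "$WORK/target/app" config -f .gitmodules submodule.lib.url; }
effective_url() { git -C "$WORK/target/app/lib" remote get-url origin; }
nested_readme() { cat "$WORK/target/app/lib/sublib/README"; }

mkrepo sublib
mkrepo lib sublib
mkrepo app lib
# Deploy target: fetch the deploy repo from the mirror, submodules recursively.
git clone -q --recurse-submodules "${MIRROR}app.git" "$WORK/target/app"

echo ".gitmodules still records: $(recorded_url)"
echo "lib actually fetches from: $(effective_url)"
echo "nested checkout contains:  $(nested_readme)"
```

The rule only matches URLs that begin with the configured upstream base, so each distinct upstream host or prefix used by a submodule needs its own insteadOf entry, and anything unmatched still fetches from upstream.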