Any way to get around cloning a git submodule?
I work on an open source project. We keep our production config files in a separate git repository available only to a few members of our team. This repo is a submodule of our larger project and it allows people to grab and compile the project without seeing our prod creds.
The problem is that Hudson tries to pull down the submodule and the Hudson user doesn't have pull permissions on that repo.
hudson.plugins.git.GitException: Error performing command: git submodule update
Command "git submodule update" returned status code 1: Initialized empty Git repository in <http://athenadev.fracturedatlas.org:5904/job/ATHENA/ws/assembly/.git/>
ERROR: Permission to fracturedatlas/assembly.git denied to fracturedatlas/artful.ly.
fatal: The remote end hung up unexpectedly
Clone of 'git@github.com:fracturedatlas/assembly.git' into submodule path 'assembly' failed
at hudson.plugins.git.GitAPI.launchCommandIn(GitAPI.java:691)
Is there a good "git" way around this or are we going to need to re-think our strategy for keeping production credentials away from the evildoers?
If that secret repo is a submodule of a larger repo, then... Hudson should not try to pull from that larger repo ;)
It should pull from "another larger repo" which is identical to the first one, but for the presence of that submodule.
That is easy to do when:
- the parent repo is empty and only declares submodules (one for the "larger project", one for the "secret repo")
- the "larger project" includes a symlink to the secret repo (that way, you don't have to declare the secret repo submodule directly within the larger project; you can declare it in the quasi-empty parent repo)
When such a parent repo exists (with content limited to only two submodules), it is easy to replicate such a parent repo in order to get one that includes only one submodule (the "larger project"), without the other ("the secret repo").
And that would be that second parent repo Hudson would be able to pull from.
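The two-parent layout described in this answer, as an added example that is not part of the original post: it builds throwaway local repositories and checks out the CI parent the way a build server would. The names `project`, `secrets`, `parent-full` and `parent-ci` are hypothetical, git is assumed to be installed, and `protocol.file.allow=always` is set only because the submodule URLs here are local paths.

```shell
#!/bin/sh
# Added example: two parent repos, one with and one without the secret submodule.
# All repository names below are hypothetical; the credential is a constructed value.
set -e

g() {  # git with a fixed identity; file transport allowed for local submodule URLs
    git -c user.name=demo -c user.email=demo@example.invalid \
        -c protocol.file.allow=always "$@"
}

new_repo() {  # new_repo <dir> <file> <content>: create a repo with one commit
    g init -q "$1"
    echo "$3" > "$1/$2"
    g -C "$1" add "$2"
    g -C "$1" commit -q -m "initial"
}

build_layout() {  # build_layout <absolute workdir>
    w=$1
    new_repo "$w/secrets" prod.conf "db_password=CONSTRUCTED-PLACEHOLDER"
    new_repo "$w/project" build.txt "public build files"
    # The project carries only a symlink to a sibling directory, no submodule entry.
    ln -s ../secrets "$w/project/config"
    g -C "$w/project" add config
    g -C "$w/project" commit -q -m "link to sibling config dir"

    # Parent for trusted developers: both submodules side by side.
    g init -q "$w/parent-full"
    g -C "$w/parent-full" submodule --quiet add "$w/project" project
    g -C "$w/parent-full" submodule --quiet add "$w/secrets" secrets
    g -C "$w/parent-full" commit -q -m "project + secrets"

    # Parent for the CI user: the project only, so secrets is never fetched.
    g init -q "$w/parent-ci"
    g -C "$w/parent-ci" submodule --quiet add "$w/project" project
    g -C "$w/parent-ci" commit -q -m "project only"
}

ci_checkout() {  # ci_checkout <workdir>: the clone the build server would perform
    g clone -q --recurse-submodules "$1/parent-ci" "$1/ci-workspace"
}

# Demo run in a scratch directory.
work=$(mktemp -d)
build_layout "$work" && ci_checkout "$work"
ls -A "$work/ci-workspace"
```

In the CI checkout the `config` symlink dangles, so the build has to tolerate a missing production config directory.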