Enable using read-only HTTPS repositories (#2171)

* Enable using read-only HTTPS repositories

If someone wants to clone read-only from an `https://github.com/...` URL, that should be permitted, and in that case they shouldn't be required to provide an SSH key.

* Add comment on ssh vs https behavior
Bret Mogilefsky 2024-12-03 03:48:56 -08:00 committed by GitHub
parent 995a980007
commit a3c5219a94
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -24,18 +24,23 @@ fi
if [[ -z "${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH:-}" ]]; then
if [[ -n "${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY:-}" ]]; then
export SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH=$(mktemp /tmp/ssh_private_key.XXXXXX)
SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH=$(mktemp /tmp/ssh_private_key.XXXXXX)
export SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH
chmod 600 "${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH}"
echo "${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY}" >"${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH}"
fi
fi
# Only configure SSH if a private key is available; CLONE_URL might be HTTPS, which is still valid
if [[ -n "${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH}" ]]; then
export GIT_SSH_COMMAND="ssh -F /dev/null -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i ${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH}"
fi
if [[ ! -d "${SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR}/.git" ]]; then
# otherwise git clone will not clone since the directory is not empty
if [[ -d "${SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR}/lost+found" ]]; then
rm -r "${SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR}/lost+found"
fi
export GIT_SSH_COMMAND="ssh -F /dev/null -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i ${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH}"
git clone -b "$SPIFFWORKFLOW_BACKEND_GIT_SOURCE_BRANCH" "$SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_CLONE_URL" "$SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR"
fi
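Review bot: The new guard `if [[ -n "${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH}" ]]` expands the variable without a default, while the two tests above it use `:-`. If the script runs under `set -u` (not visible in this hunk), the HTTPS-only case with no key configured would abort with an unbound-variable error instead of skipping the SSH setup. Writing it as `if [[ -n "${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY_PATH:-}" ]]; then` keeps it consistent with the earlier checks. Separately, the relocated `GIT_SSH_COMMAND` still combines `StrictHostKeyChecking=no` with `UserKnownHostsFile=/dev/null`, so an SSH clone accepts any host key and the remote is not authenticated. A comment stating that trade-off, or a pinned known_hosts file supplied by the deployment, would make the risk explicit.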