
Not able to checkout remote repo using secrets.GITHUB_TOKEN

Open shyam-ks opened this issue 3 years ago • 12 comments

Not able to check out another private repo using secrets.GITHUB_TOKEN. In the scenario below, checkouts 1 and 2 work; 3 fails. Is there a limitation for secrets.GITHUB_TOKEN on remote repos?

repo-1, for which the GitHub action is running, and repo-2, which it's trying to check out, are in the same org.

jobs:
  test:
    name: test
    runs-on: self-hosted
    container: node:14-bullseye
    steps:
      - name: Checkout 1
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Checkout 2
        uses: actions/checkout@v3
        with:
          token: ${{ secrets.MY_PAT }}
          repository: repo-2
          ref: 'main'
          path: 'path-1'

      - name: Checkout 3
        uses: actions/checkout@v3
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          repository: repo-2
          ref: "master"
          path: "path-2"

Error: Fetching the repository
/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +refs/heads/master*:refs/remotes/origin/master* +refs/tags/master*:refs/tags/master*
remote: Repository not found.
Error: fatal: repository 'https://github.com/xxxxxx/' not found
The process '/usr/bin/git' failed with exit code 128
Waiting 11 seconds before trying again

shyam-ks avatar May 20 '22 14:05 shyam-ks

did you get any solution? Facing the same error on centos

ukreddy-erwin avatar Jun 03 '22 05:06 ukreddy-erwin

did you get any solution? Facing the same error on centos

Checked with the support team. Says you can not checkout remote repo using secrets.GITHUB_TOKEN

shyam-ks avatar Jun 03 '22 08:06 shyam-ks

I created a separate token but still same issue.

ukreddy-erwin avatar Jun 03 '22 08:06 ukreddy-erwin

Same issue :-(

noamgreen avatar Jul 03 '22 08:07 noamgreen

same issue. even though both workflows are internal in the same organization

yomerchavdar avatar Jul 11 '22 17:07 yomerchavdar

${{ github.token }} is scoped to the current repository, so if you want to checkout a different repository that is private you will need to provide your own PAT

https://github.com/actions/checkout/blob/2541b1294d2704b0964813337f33b291d3f8596b/README.md?plain=1#L184

jacobevansgit avatar Sep 09 '22 14:09 jacobevansgit
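Added example, not part of the thread or of the actions/checkout project: the two-repository checkout from the original post, with the second checkout given its own narrowly scoped credential. `my-org`, `repo-2` and the secret name `REPO2_READ_TOKEN` are placeholders, and the secret is assumed to hold a PAT that can only read repo-2.

```yaml
# Added example. "my-org", "repo-2" and REPO2_READ_TOKEN are placeholders.
name: cross-repo-checkout
on: [push]

permissions:
  contents: read   # GITHUB_TOKEN: read-only, and only for this repository

jobs:
  test:
    runs-on: self-hosted
    container: node:14-bullseye
    steps:
      # Current repository: the automatic GITHUB_TOKEN is sufficient.
      - name: Checkout this repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # Other private repository: GITHUB_TOKEN is scoped to the current
      # repository, so a separate credential is needed. Keep it narrow.
      - name: Checkout repo-2
        uses: actions/checkout@v4
        with:
          repository: my-org/repo-2   # owner/name form
          ref: main
          path: path-1
          # Assumed: a PAT with read access to repo-2 only.
          token: ${{ secrets.REPO2_READ_TOKEN }}
          # Do not leave the PAT in path-1/.git/config for later steps.
          persist-credentials: false
```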

I was facing this same issue and I was able to use a secret only if the secret name is GH_PAT, like this:

token: ${{ secrets.GH_PAT }}

igor-imaginemage avatar Sep 13 '22 20:09 igor-imaginemage

Yeah, I was never able to get GITHUB_TOKEN to work. My thought was that our tokens need to be blessed by our organization's SSO or whatever it is, and that can't ever happen with a GITHUB_TOKEN because it's a one-time thing that is formed at the start of the action and goes away when it ends.

But there's no GitHub Enterprise documentation about it, so who knows?

I'm really not seeing the benefit of this action over a simple shell script.

DennisGentry-Zoetis avatar Oct 05 '22 05:10 DennisGentry-Zoetis

-- All the best Christian Fr stormyhr

christianfrstorm avatar Oct 11 '22 06:10 christianfrstorm

Gentle people,

Scenario: I have re-usable workflows in workflowsrepo and also some scripts which I want to run when an app repo invokes the workflows. The context of the app repo is needed for the scripts to evaluate and give an output as GH_OUTPUT. Tried different approaches, where I was not able to pass the script along with the re-usable workflow.

So I am trying a multi-repo checkout with workflow_call during a PR scenario; not able to get that second checkout, where the scripts are located.

apprepo

name: '🚀 Pull Request'
run-name: pr:${{github.ref_name}}:${{ github.run_id }}-${{ github.run_number }}-${{ github.run_attempt }}

on:
  pull_request:
    branches:
      - '**'
    types: [opened, reopened, synchronize ]

jobs:
  find_moon_artefacts:
    name: '🔍 Find moon-artefacts'
    uses: '{ORG}/{REPO}/.github/workflows/workflow-on-affected-pr.yml@main'
    with:
      runs-on: 'ubuntu-latest'
      lookup: 'services' #lookup: 'services,projects' #do not give spaces between the comma
      sincehead: -4
      exclude: '`xyz'

workflowsrepo has the above re-usable workflow; expected to run during PR

name: 'workflow on affected PR; set moo,get repo, projects and services details'
run-name: pr:${{github.ref_name}}:${{ github.run_id }}-${{ github.run_number }}-${{ github.run_attempt }}


on:
  workflow_call:
    inputs:
      runs-on:
        description: 'The runner to execute the job on'
        required: false
        type: string
        default: 'ubuntu-latest'
      environment:
        description: 'Environment to execute the job on'
        required: false
        type: string
        default: 'dev'
      lookup:
        description: 'Lookup Comma-separated list of lookup items, "services, projects" etc'
        required: false
        default: 'services'
        type: string
      sincehead:
        description: 'Specify number of commits since HEAD, -ve number considers all commits, default is -0'
        required: false
        type: number
        default: -0
      exclude:
        description: 'Comma-separated list of items to exclude; a partial string match'
        required: false
        type: string
      tags:
        description: 'Comma-separated list of tags used for projects to be affected'
        required: false
        type: string
      script:
        description: 'Script to execute'
        required: false
        type: string
        default: 'affected-moon-artefacts.mjs'
      wkfl_src_branch:
        description: 'Branch to source the workflows and script from'
        required: false
        type: string
        default: 'main'
                
jobs:
  on_pull_request:
    name: '⏱ Pull Request'
    runs-on: ${{ inputs.runs-on }}
    environment: ${{ inputs.environment }}
      
    steps:
      - name: '🛎️ Checkout'
        uses: actions/checkout@v4
        with:
          ref: "${{github.head_ref || 'main'}}"
          fetch-depth: 0
      
      - name:  '🛎️ Checkout scripts'
        uses: actions/checkout@v4
        with:
          repository: 'xyz_ORG/xyz_REPO'
          token: ${{ secrets.GH_PAT }}
          path: workflow-tools
          ref: ${{ inputs.wkfl_src_branch }}

Both repos have secrets with the same GH_PAT, GH_XYZ_PAT: classic PATs with permissions for repos, PRs, etc. GH_PAT, though passed, is still giving Input required and not supplied: token

Passing GH_XYZ_PAT fails with 3 retries to download. Do you see an issue in what I am doing?

As per the comments, I noticed that GH_PAT resolved the issue with checkouts?! Does that also work if the scenario is a PR and merge?

sudhakarinka avatar Mar 19 '24 17:03 sudhakarinka
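Added example, not part of the thread or of the actions/checkout project: a workflow run through `workflow_call` only receives the secrets its caller passes, and a `secrets.GH_PAT` that resolves to an empty string makes actions/checkout report `Input required and not supplied: token`. The sketch assumes that is what happens in the post above; the `{ORG}/{REPO}` and `xyz_ORG/xyz_REPO` placeholders are kept from the post, and the file names in the comments are assumed.

```yaml
# --- Caller, in the app repo (assumed path: .github/workflows/pull-request.yml)
on:
  pull_request:
    branches: ['**']
    types: [opened, reopened, synchronize]

jobs:
  find_moon_artefacts:
    uses: '{ORG}/{REPO}/.github/workflows/workflow-on-affected-pr.yml@main'
    with:
      lookup: 'services'
    secrets:
      # Pass only the secret the called workflow needs.
      # `secrets: inherit` would instead hand over every caller secret.
      GH_PAT: ${{ secrets.GH_PAT }}
---
# --- Called workflow, in the workflows repo (workflow-on-affected-pr.yml)
on:
  workflow_call:
    inputs:
      wkfl_src_branch:
        type: string
        default: 'main'
    secrets:
      GH_PAT:
        description: 'Token able to read the scripts repository'
        required: true   # fail at call time instead of at checkout

jobs:
  on_pull_request:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          ref: "${{ github.head_ref || 'main' }}"
      - uses: actions/checkout@v4
        with:
          repository: 'xyz_ORG/xyz_REPO'
          token: ${{ secrets.GH_PAT }}
          path: workflow-tools
          ref: ${{ inputs.wkfl_src_branch }}
          persist-credentials: false
```

For `pull_request` runs triggered from a fork, repository secrets other than `GITHUB_TOKEN` are not passed to the runner, so `GH_PAT` is empty there regardless of how the caller is written.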