Automating push to public repo

I have two repos that are identical to each other. The private repo has a few self-hosted runners that I did not want on my public repo. I am attempting to automate pushing to the public repo from the private one using an action, but I am having issues pushing. Currently I am using this set of commands to try and push:

git config --local user.name "Github Action"
git config --local user.email "$"
git checkout `echo $GITHUB_REF | cut -d'/' -f3-`
git push https://$USERNAME:$$REPO_PATH.git $GITHUB_REF

Where “$USERNAME” and “$REPO_KEY” are secrets that are passed as environment variables. $USERNAME is my Github username and $REPO_KEY is a personal access token. This is the error that I keep getting:

remote: Permission to chand1012/multipass-vm-action.git denied to github-actions[bot].

Is there a way to give “github-actions” push permissions for just that repository?


@chand1012 ,

According to the commands you shared, it looks like you directly push files from the local directory of the private repository to the remote of the public repository. I’m afraid you can’t do it like this.

You should checkout/clone the two repositories to the local workspace on the runner, then on the local, copy the changed files from the private repository to the public repository, finally in the local directory of the public repository execute the git push command to push changes to the remote of the public repository.

On my local repo I have the public repo as a separate remote and push that way, and it works then. Would I be able to do this with the action? I tried doing it previously and I got the same error.

> Is there a way to give “github-actions” push permissions for just that repository?

Have you tried actions/checkout@v2? It prepends x-access-token to github-actions’s access token, base64 encodes that, and uses that value as the http basic access auth header’s credential.

If you can’t use actions/checkout@v2, you could try that manually. See http.extraHeader in git help config.

@chand1012 ,

As @lucianposton mentioned, you can use the checkout action to checkout your repositories, and then use git commands to push changes.

That works if the repo that the action is running on is the same one I am trying to push to; it doesn’t work if it’s a different repo.


@chand1012 When you use the actions/checkout@v2 step, do you try to check out the current repo or the other public repo? Did you specify the token input variable? If not, the default token is GITHUB_TOKEN (scope is current repo). And there is a persist-credentials input variable for checkout v2; the default value is true.

When you try to push to the other public repo, the credential used with git will be GITHUB_TOKEN instead of the $REPO_KEY you specified in the remote URL.

git push https://$USERNAME:$$REPO_PATH.git $GITHUB_REF

You could set persist-credentials = false, or specify token directly when using checkout v2, for example:


I am seeing this issue too.  

I want to run a mirror of a non-GitHub git repo on GitHub. I don’t care to review what is in the remote repo, just sync it every 2 hours or something.

I have to use a 3rd repo with the actions to do the mirroring, as the act of mirroring removes the .github directory using the workflow:

Most of my parallel sync works fine until I try to push back to the GitHub repo and I get the same complaint:

fatal: unable to access '': The requested URL returned error: 403

I am passing in the correct user name and password, as a secret, to the flow.

Is there an intrinsic block in GitHub Actions to stop the actions of one repo pushing into another repo?

Is there another way to successfully run a mirror on a non github repo that the user does not have write access to?

What exactly is $GITHUB_REF supposed to be referencing?

Each event has a related GITHUB_REF. You could refer to this document to learn about the GITHUB_REF of different events.
For example, when a workflow is triggered by a push event, the GITHUB_REF is the branch/tag that you pushed to. If you push a commit to the master branch, then $GITHUB_REF equals master.

This almost works for me but I’m now getting this error:

 ! [remote rejected]   upkeep-bot/vscode-1.49.0 -> upkeep-bot/vscode-1.49.0 (shallow update not allowed)
error: failed to push some refs to ''

EDIT: fix turns out to be to add fetch-depth: 0 to the checkout.

I encountered the same problem and finally solved it.

I use a private repo to store my hexo blog source files, and then automatically push them to the public repo for GitHub Pages through Actions. I encountered a permission problem:

remote: Permission to leafney/ denied to github-actions[bot].
fatal: unable to access '': The requested URL returned error: 403
Error: Process completed with exit code 128.

My solution is to add a line of command:

git config -l | grep 'http\..*\.extraheader' | cut -d= -f1 | xargs -L1 git config --unset-all


- name: Deploy hexo
  run: |
    git config --local user.name "${{ env.GIT_USERNAME }}"
    git config --local user.email "${{ env.GIT_EMAIL }}"
    git add .
    git commit -m "Github Actions Automatically Built in `date +"%Y-%m-%d %H:%M"`"
    # Drop the http.<url>.extraheader entries that the checkout step persisted
    git config -l | grep 'http\..*\.extraheader' | cut -d= -f1 | xargs -L1 git config --unset-all
    git push --force --quiet "https://${{ env.GIT_USERNAME }}:${{ secrets.GH_ACCESS_TOKEN }}@${{ env.DEPLOY_URL }}" master:master

The reason for this solution is:

GitHub Actions stores a configuration option using one of the http.extraheader options to send the original token for cloning your repository in a custom Authorization header. This is a bad idea because it then conflicts with the Authorization header added by Git when you use another repository, and the token that’s issued is only valid for the original repository.

More info:

Hope this helps.

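The cleanup command from the post above, as an added example that is not part of the original posts: it builds a throwaway repository carrying the kind of persisted Authorization header the thread describes, lists it, and removes it. The config key `http.https://github.com/.extraheader` and the token value are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; every value below is constructed, no real token is used.

# Print the config keys under which an HTTP auth header is persisted.
# $1 = path to a git work tree
persisted_auth_keys() {
    # --get-regexp exits non-zero when nothing matches, so tolerate that.
    git -C "$1" config --local --name-only \
        --get-regexp '^http\..*\.extraheader$' || true
}

# Remove every persisted http.<url>.extraheader entry from the repo config,
# so a later push authenticates only with the credentials in its own URL.
clear_persisted_auth() {
    persisted_auth_keys "$1" | while IFS= read -r key; do
        git -C "$1" config --local --unset-all "$key"
    done
}

# Build a temporary repo that mimics what the checkout step leaves behind:
# "x-access-token:<token>" base64-encoded and stored as a basic auth header.
make_demo_repo() {
    repo=$(mktemp -d)
    git init --quiet "$repo"
    cred=$(printf 'x-access-token:%s' 'CONSTRUCTED_TOKEN' | base64)
    git -C "$repo" config --local \
        'http.https://github.com/.extraheader' "AUTHORIZATION: basic $cred"
    printf '%s\n' "$repo"
}

demo() {
    repo=$(make_demo_repo)
    echo "before: $(persisted_auth_keys "$repo")"
    clear_persisted_auth "$repo"
    echo "after:  $(persisted_auth_keys "$repo")"
    rm -rf "$repo"
}
demo
```

Running `persisted_auth_keys .` in a workflow step before the push shows whether a stored header is still present; setting persist-credentials to false on the checkout step, as suggested earlier in the thread, keeps it from being written at all.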

Hi guys, thanks for all the solutions you posted. This confused me for several weeks. I hit all the issues like permission, refers, etc.

And finally, the solution I used is below:

      - name: Checkout remote repo and push the index.yaml of the chart
        env:
          GIT_USERNAME: aisuko
        run: |
          git clone https://.:${{ secrets.TOKEN }} target
          cp /home/runner/work/helm-charts-action/helm-charts-action/.cr-index/index.yaml target
          cd target
          git config --local user.name "${{ env.GIT_USERNAME }}"
          git config --local user.email "${{ env.GIT_EMAIL }}"
          git add index.yaml
          git commit -m "Github Actions Automatically Built in `date +"%Y-%m-%d %H:%M"`"
          git push --force --quiet "https://${{ env.GIT_USERNAME }}:${{ secrets.TOKEN }}@${{ env.DEPLOY_URL }}" main:main

And if you want to be more of a gentleman like me, please check below; this can work well with the GitHub Checkout Action (you should check out the source repo before this action):

      - name: Checkout target repo
        uses: actions/checkout@v2
        env:
          REPO: Aisuko/charts-release
          REPO_PATH: charts-release
        with:
          # Full history avoids the "shallow update not allowed" rejection on push
          fetch-depth: 0
          # Token with push access to the target repo; checkout persists it for the later git push
          token: ${{ secrets.TOKEN }}
          repository: "${{ env.REPO }}"
          path: ${{ env.REPO_PATH }}
      - name: Copy index to new repo
        env:
          SOURCE: /home/runner/work/helm-charts-action/helm-charts-action/.cr-index/index.yaml
          TARGET: charts-release/charts
        run: |
          cp ${{ env.SOURCE }} ${{ env.TARGET }}
      - name: Push
        env:
          REPO_PATH: charts-release
          GIT_USERNAME: action
        run: |
          cd ${{ env.REPO_PATH }}
          git config --local user.name "${{ env.GIT_USERNAME }}"
          git config --local user.email "${{ env.GIT_EMAIL }}"
          git add .
          git commit -m "Github Actions Automatically Built in `date +"%Y-%m-%d %H:%M"`"
          git push