Automating push to public repo

I have two repos that are identical to each other. The private repo has a few self-hosted runners that I did not want on my public repo. I am attempting to automate pushing to the public repo from the private one using an action, but I am having issues pushing. Currently I am using this set of commands to try and push:

git config --local user.name "Github Action"
git config --local user.email "$GITHUB_ACTOR@users.noreply.github.com"
git checkout `echo $GITHUB_REF | cut -d'/' -f3-`
git push https://$USERNAME:$REPO_KEY@github.com/$REPO_PATH.git $GITHUB_REF

Where “$USERNAME” and “$REPO_KEY” are secrets that are passed as environment variables. $USERNAME is my GitHub username and $REPO_KEY is a personal access token. This is the error that I keep getting:

remote: Permission to chand1012/multipass-vm-action.git denied to github-actions[bot].

Is there a way to give “github-actions” push permissions for just that repository?

@chand1012 ,

According to the commands you shared, it looks like you are directly pushing files from the local directory of the private repository to the remote of the public repository. I’m afraid you can’t do it like this.

You should checkout/clone the two repositories to the local workspace on the runner, then locally copy the changed files from the private repository to the public repository, and finally, in the local directory of the public repository, execute the git push command to push the changes to the remote of the public repository.

On my local repo I have the public repo as a separate remote and push that way, and it works then. Would I be able to do this with the action? I tried doing it previously and I got the same error.

> Is there a way to give “github-actions” push permissions for just that repository?

Have you tried actions/checkout@v2? It prepends x-access-token to github-actions’s access token, base64 encodes that, and uses that value as the http basic access auth header’s credential.

If you can’t use actions/checkout@v2, you could try that manually. See http.extraHeader in git help config.

@chand1012 ,

As @lucianposton mentioned, you can use the checkout action to checkout your repositories, and then use git commands to push changes.

That works if the repo that the action is running on is the same one I am trying to push to; it doesn’t work if it’s a different repo.

@chand1012 When you use the actions/checkout@v2 step, do you try to check out the current repo or the other public repo? Did you specify the token input variable? If not, the default token is GITHUB_TOKEN (scope is current repo). And there is a persist-credentials input variable for checkout v2; the default value is true.

When you try to push to the other public repo, the credential used with git will be GITHUB_TOKEN instead of the $REPO_KEY you specified in the remote URL.

git push https://$USERNAME:$REPO_KEY@github.com/$REPO_PATH.git $GITHUB_REF

You could set persist-credentials = false, or specify token directly when using checkout v2, for example:

Bump

I am seeing this issue too.

I want to run a mirror of a non-GitHub git repo on GitHub. I don’t care to review what is in the remote repo, just sync it every 2 hours or something.

I have to use a 3rd repo with the actions to do the mirroring, as the act of mirroring removes the .github directory using the workflow:

https://github.com/repo-sync/github-sync/issues/19

Most of my parallel sync works fine until I try and push back to the GitHub repo and I get the same complaint:

fatal: unable to access 'https://github.com/nangtani/blender-addons-yyy/': The requested URL returned error: 403

I am passing in the correct user name and password, as a secret, to the flow.

Is there an intrinsic block in GitHub Actions to stop the actions of one repo pushing into another repo?

Is there another way to successfully run a mirror on a non-GitHub repo that the user does not have write access to?

What exactly is $GITHUB_REF supposed to be referencing?

Each event has a related GITHUB_REF. You could refer to this document to learn about the GITHUB_REF of different events.
For example, when a workflow is triggered by a push event, the GITHUB_REF is the branch/tag which you pushed to. If you push a commit to the master branch, then $GITHUB_REF equals master.

This almost works for me but I’m now getting this error:

 ! [remote rejected]   upkeep-bot/vscode-1.49.0 -> upkeep-bot/vscode-1.49.0 (shallow update not allowed)
error: failed to push some refs to 'https://github.com/samuela/nixpkgs.git'

EDIT: fix turns out to be to add fetch-depth: 0 to the checkout.
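
An added example, not taken from any post above: a workflow that combines the two checkout settings discussed in this thread (persist-credentials and fetch-depth) with the push command from the question. The secret names USERNAME and REPO_KEY follow the question; the workflow name, job name and the REPO_PATH placeholder are assumptions.

```yaml
# Added example: push the triggering ref from the private repo to a public one.
# Assumed: secrets USERNAME and REPO_KEY exist (REPO_KEY is a personal access
# token allowed to push to the target); REPO_PATH below is a placeholder.
name: mirror-to-public   # hypothetical workflow name
on: push

jobs:
  mirror:                # hypothetical job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          # By default checkout stores GITHUB_TOKEN in .git/config as an
          # http.https://github.com/.extraheader entry. That header is then
          # sent on every request to github.com, so the push below would
          # authenticate as github-actions[bot] instead of using REPO_KEY.
          persist-credentials: false
          # Fetch full history. The default shallow clone is rejected by the
          # remote with "shallow update not allowed".
          fetch-depth: 0

      - name: Confirm no credential header was persisted
        run: |
          # Fail early if some earlier step left an auth header behind.
          if git config --local --get-regexp '^http\..*\.extraheader$'; then
            echo "persisted http extraheader found; push would not use REPO_KEY" >&2
            exit 1
          fi

      - name: Push to the public repo
        env:
          USERNAME: ${{ secrets.USERNAME }}
          REPO_KEY: ${{ secrets.REPO_KEY }}
          REPO_PATH: OWNER/PUBLIC-REPO   # placeholder, replace with the target
        run: |
          # Credentials appear only in this one-off URL; no remote is added,
          # so nothing is written to .git/config.
          git push "https://$USERNAME:$REPO_KEY@github.com/$REPO_PATH.git" "$GITHUB_REF"
```

Scoping REPO_KEY to the single target repository limits what a leaked token can reach; the default GITHUB_TOKEN cannot be used here because its scope is the repository the workflow runs in.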