Automating push to public repo

chand1012 · May 23, 2020, 5:40am

I have two repos that are identical to each other. The private repo has a few self-hosted runners that I did not want on my public repo. I am attempting to automate pushing to the public repo from the private one using an action, but I am having issues pushing. Currently I am using these set of commands to try and push:

git config --local user.name "Github Action"
git config --local user.email "$GITHUB_ACTOR@users.noreply.github.com"
git checkout `echo $GITHUB_REF | cut -d'/' -f3-`
git push https://$USERNAME:$REPO_KEY@github.com/$REPO_PATH.git $GITHUB_REF

Where “$USERNAME” and “$REPO_KEY” are secrets that are passed as environment variables. $USERNAME is my Github username and $REPO_KEY is a personal access token. This is the error that I keep getting:

remote: Permission to chand1012/multipass-vm-action.git denied to github-actions[bot].

Is there a way to give “github-actions” push permissions for just that repository?

brightran · May 23, 2020, 6:15am

@chand1012 ,

According the commands you shared, looks like you directly push files from the local directory of the private repository to the remote of the public repository. I’m afraid you can’t do like this.

You should checkout/clone the two repositories to the local workspace on the runner, then on the local, copy the changed files from the private repository to the public repository, finally in the local directory of the public repository execute the git push command to push changes to the remote of the public repository.

chand1012 · May 23, 2020, 6:15am

On my local repo have the public repo as a seperate remote and push that way, it works then. Would I be able to do this will the action? I tried doing it previously and I got the same error.

lucianposton · May 23, 2020, 6:15am

> Is there a way to give “github-actions” push permissions for just that repository?

Have you tried actions/checkout@v2? It prepends x-access-token to github-actions’s access token, base64 encodes that, and uses that value as the http basic access auth header’s credential.

If you can’t use actions/checkout@v2, you could try that manually. See http.extraHeader in git help config.

brightran · May 23, 2020, 6:15am

@chand1012 ,

As @lucianposton mentioned, you can use the checkout action to checkout your repositories, and then use git commands to push changes.

chand1012 · May 23, 2020, 6:15am

That works if the repo that the action is running on is the same one I am trying to push to, it doesn’t work if its a different repo.

yanjingzhu · May 26, 2020, 5:12pm

@chand1012 When you use actions/checkout@v2 step, do you try to checkout the current repo or the other public repo? Did you specify token input variable? If not , the default token is GITHUB_TOKEN (scope is current repo). And there is a persist-credentials input variable for checkout v2, the defaule value is true.

When you try to push to the other public repo, the credential be used with git will be GITHUB_TOKEN instead of $REPO_KEY you specified in remote url.

git push https://$USERNAME:$REPO_KEY@github.com/$REPO_PATH.git $GITHUB_REF

You could set persist-credentials = false , or specify token directly when using checkout v2, for example:

douglaskastle · May 23, 2020, 6:15am

Bump

I am seeing this issue too.

I want to run a mirror of a non github git repo on github. I don’t care to review what is in the remote repo, just sync it every 2 hours or something.

I have to use a 3rd repo with the actions to do the mirroring, as the act of mirror removes the .github directory using the workflow:

https://github.com/repo-sync/github-sync/issues/19

Most of my parallel sync works fine until I try and push back to the github repo and i get the same complaint:

fatal: unable to access 'https://github.com/nangtani/blender-addons-yyy/': The requested URL returned error: 403

I am passing in the correct user name and password, as a secret, to the flow.

Is there an intrinsic block in github actions to stop th actions of one repo pushing into another repo?

Is there another way to successfully run a mirror on a non github repo that the user does not have write access to?

eoduniyi · July 12, 2020, 3:10pm

What exactly is $GITHUB_REF supposed to be referencing

yanjingzhu · July 13, 2020, 2:26am

Each event has related to a GITHUB_REF. You could refer to this documents to know about the GITHUB_REF of different events.
For example, when a workflow is triggered by push event, the GITHUB_REF is the branch/tag with you pushed to. If you push commit to master branch, then $GITHUB_REF equals to master.

samuela · September 14, 2020, 5:18am

This almost works for me but I’m now getting this error:

 ! [remote rejected]   upkeep-bot/vscode-1.49.0 -> upkeep-bot/vscode-1.49.0 (shallow update not allowed)
error: failed to push some refs to 'https://github.com/samuela/nixpkgs.git'

EDIT: fix turns out to be to add fetch-depth: 0 to the checkout.

leafney · December 3, 2020, 4:18am

I encountered the same problem and finally solved it.

I use a private repo to store my hexo blog source files, and then automatically pushing them to the public repo for github pages through actions. Encountered a Permission problem:

remote: Permission to leafney/leafney.github.io.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/leafney/leafney.github.io.git/': The requested URL returned error: 403
Error: Process completed with exit code 128.

My solution is to add a line of command:

git config -l | grep 'http\..*\.extraheader' | cut -d= -f1 | xargs -L1 git config --unset-all

like:

- name: Deploy hexo
run: |
    git config --local user.name "${{ env.GIT_USERNAME }}"
    git config --local user.email "${{ env.GIT_EMAIL }}"
    git add .
    git commit -m "Github Actions Automatically Built in `date +"%Y-%m-%d %H:%M"`"
    git config -l | grep 'http\..*\.extraheader' | cut -d= -f1 | xargs -L1 git config --unset-all
    git push --force --quiet "https://${{ env.GIT_USERNAME }}:${{ secrets.GH_ACCESS_TOKEN }}@${{ env.DEPLOY_URL }}" master:master

The reason for this solution is:

GitHub Actions stores a configuration option using one of the http.extraheader options to send the original token for cloning your repository in a custom Authorization header. This is a bad idea because it then conflicts with the Authorization header added by Git when you use another repository, and the token that’s issued is only valid for the original repository.

More info: https://stackoverflow.com/questions/64270867/auth-error-trying-to-copy-a-repo-with-github-actions

hope this helps.

aisuko · April 5, 2021, 8:40am

Hi guys, thanks all the solutions you post. This make me confused several weeks. I hit all the issue like permission, refers and etc.

And finally, the solution I used below

      - name: Checkout remote repo and push the index.yaml of the chart
        env:
          GIT_USERNAME: aisuko
          GIT_EMAIL: aisuko-action@github.com
          DEPLOY_URL: github.com/Aisuko/charts-release
        run: |
          git clone https://.:${{ secrets.TOKEN }}@github.com/Aisuko/charts-release target
          cp /home/runner/work/helm-charts-action/helm-charts-action/.cr-index/index.yaml target
          cd target
          git config --local user.name "${{ env.GIT_USERNAME }}"
          git config --local user.email "${{ env.GIT_EMAIL }}"
          git add index.yaml
          git commit -m "Github Actions Automatically Built in `date +"%Y-%m-%d %H:%M"`"
          git push --force --quiet "https://${{ env.GIT_USERNAME }}:${{ secrets.TOKEN }}@${{ env.DEPLOY_URL }}" main:main

And if you want to more gentle man like me, please check below, this can work well with GitHub Checkout Actions(You should checkout the source repo before this action):

      - name: Checkout target repo
        uses: actions/checkout@v2
        env:
          REPO: Aisuko/charts-release
          REPO_PATH: charts-release
        with:
          fetch-depth: 0
          token: ${{ secrets.TOKEN }}
          repository: "${{ env.REPO }}"
          path: ${{ env.REPO_PATH }}
      - name: Copy index to new repo
        env:
          SOURCE: /home/runner/work/helm-charts-action/helm-charts-action/.cr-index/index.yaml
          TARGET: charts-release/charts
        run:
          cp ${{ env.SOURCE }} ${{ env.TARGET }}
      - name: Push
        env:
          REPO_PATH: charts-release
          GIT_USERNAME: action
          GIT_EMAIL: action@github.com
        run: |
          cd ${{ env.REPO_PATH }}
          git config --local user.name "${{ env.GIT_USERNAME }}"
          git config --local user.email "${{ env.GIT_EMAIL }}"
          git add .
          git commit -m "Github Actions Automatically Built in `date +"%Y-%m-%d %H:%M"`"
          git push