Best way to clone a private repo during script run of private GitHub Action

I am writing a GitHub action within a private repo (./github-actions/my-action/entrypoint.sh). For reasons I need to clone a different private repo from within my org during the docker container’s run of that script:

git clone "https://$GITHUB_TOKEN@github.com/myorg/other-private-repo.git" /other-private-repo

This does not work as the token the action is running with does not have access to that repo. I guess I could create a “machine” account, provide access to other-private-repo, and use that account’s token as a secret. I’m just wondering if there is a more elegant way here…

6 Likes

Hi @agibralter,

Thanks for being here! I can’t think of any obvious way to significantly improve your method. Will keep digging and post any updates here.

Best

@agibralter I'm trying to do the same. Did you find any good solution for this you could share with the world? :)

We went with the “machine account” method. Created a user with its own set of credentials that we added as GitHub Action secrets.

4 Likes

Thanks man, well, seems like we will also have to stay with that solution as well.

Could you provide a little more information on how you achieved this?

Here are the steps that worked for me:

If you need to clone another, private repo while executing your actions:

  1. create a “personal access token” (via your account settings, “Developer settings”, “Personal access tokens”).

  2. copy the created token, and add it as a secret to the repository in which the action is going to be executed with a name such as “ACCESS_TOKEN”

  3. add something like the following to your action.yml:

    - uses: actions/checkout@v1
      with:
        repository: my-private/repo-name
        token: ${{ secrets.ACCESS_TOKEN }}

Hope this helps!

14 Likes
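
Added example (not written by any poster in this thread): for the original `entrypoint.sh` case, a sketch of cloning with the `ACCESS_TOKEN` secret from the steps above without placing it in the clone URL, since git stores the URL it was given, credentials included, in the clone's `.git/config`. The function names, the placeholder user name, and the assumption that `ACCESS_TOKEN` is exported into the container's environment are mine.

```shell
#!/bin/sh
# Added example; names are hypothetical. Assumes the ACCESS_TOKEN secret
# from the steps above is exported into the container's environment.

# Create a throwaway GIT_ASKPASS helper. git calls it with the prompt text
# as $1 and reads the reply from stdout. The helper reads the token from the
# environment when it runs, so the token is not written to disk or to argv.
make_askpass() {
    helper=$(mktemp) || return 1
    cat > "$helper" <<'EOF'
#!/bin/sh
case "$1" in
    Username*) echo "x-access-token" ;;   # placeholder user name (assumption)
    Password*) printf '%s\n' "$ACCESS_TOKEN" ;;
esac
EOF
    chmod 700 "$helper"
    printf '%s\n' "$helper"
}

# Clone over HTTPS without putting the token in the URL.
clone_with_token() {
    repo_url=$1
    dest=$2
    [ -n "$ACCESS_TOKEN" ] || { echo "ACCESS_TOKEN is not set" >&2; return 1; }
    case "$repo_url" in
        http://*@*|https://*@*)
            echo "refusing URL with embedded credentials" >&2; return 1 ;;
    esac
    askpass=$(make_askpass) || return 1
    status=0
    # GIT_TERMINAL_PROMPT=0: fail instead of waiting for input.
    # credential.helper= (empty): no configured helper caches the token.
    GIT_ASKPASS=$askpass GIT_TERMINAL_PROMPT=0 \
        git -c credential.helper= clone --quiet "$repo_url" "$dest" || status=$?
    rm -f "$askpass"
    return "$status"
}

# Succeeds if the token shows up in a clone's .git/config, which is what
# happens when it is embedded in the clone URL.
token_in_config() {
    grep -qF -- "$ACCESS_TOKEN" "$1/.git/config"
}

# Usage inside entrypoint.sh (repo path taken from the question):
#   clone_with_token "https://github.com/myorg/other-private-repo.git" /other-private-repo
```

`token_in_config` can be run against any existing checkout in the image or workspace to find clones that still carry a token in their remote URL.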

Thank you very much, you saved me.

Thanks for this workaround, but still I can’t shake the feeling that this should be simpler.

I was hoping it would be simpler to not only check out code from my own organization, but to do everything as a privileged user.

I wish there was something like:

run-as: some@user.com
# ...
run: |
  git clone...
  git commit ...

in the workflow syntax.

Or maybe, we could “invite” the Actions virtual user to repos we want to grant access to.

The checkout action has some extra options that can help with this, though you will still need to generate a personal access token for it to access other private repos:

See the readme: https://github.com/actions/checkout