Cannot download private repositories from github actions

Hi,

I need to download private repos from the same organization and I am having an issue with my current setup of github actions, the yaml file contents are:

name: coverage-reporter

on:
  pull_request:
    branches: [ master ]

jobs:
  coverage-reporter:
    runs-on: self-hosted
    name: coverage-reporter
    steps:
      - name: Set up Go 1.15
        uses: actions/setup-go@v2
        with:
          go-version: ^1.15
        id: go

      - name: Check out code into the Go module directory
        uses: actions/checkout@v2

      - name: Inject insteadOf configuration
        env:
          PRIVATE_GITHUB_TOKEN: ${{ secrets.PRIVATE_GITHUB_TOKEN }}
        run: |
          git config --global url."https://${PRIVATE_GITHUB_TOKEN}:x-oauth-basic@github.com/".insteadOf "https://github.com/"
      - name: Get dependencies
        env:
          GOPRIVATE: github.com/mycompany/*
        run: |
          go mod download
      - name: Install gocov-xml
        run: |
          go get github.com/mycompany/gocov/...
          go get github.com/mycompany/gocov-xml
      - name: Generate coverage file
        run: gocov test ./... | gocov-xml > cobertura.xml

      - name: Codacy Coverage Reporter
        uses: codacy/codacy-coverage-reporter-action@0.2.0
        with:
          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
          coverage-reports: cobertura.xml

The error that I am getting is on the "Inject insteadOf configuration:

Run make dep
go: github.com/mycompany/myrepo@v1.1.17: reading github.com/mycompany/myrepo/go.mod at revision v1.1.17: unknown revision v1.1.17

The token has all permissions, but it seems that git is not reading it, so it is giving that error

@seguidor777 ,

In your workflow, you need to set the value of the input ‘persist-credentials’ to be ‘false’ when using the checkout action.

jobs:
  coverage-reporter:
    runs-on: self-hosted
    name: coverage-reporter
    steps:
      . . .

      - name: Check out code into the Go module directory
        uses: actions/checkout@v2
        with:
          persist-credentials: false

      . . .

Description:
When using the checkout action in workflows, the input ‘persist-credentials’ will be set as ‘true’ by default. This means that the token or SSH key used on the checkout action will be used to set the local git config, and other tokens or SSH keys you provide will be prevented from being used to set the local git config in the subsequent steps.

In your case, due to you did not provide another token (a PAT that has more permissions) to the input ‘token’ on checkout action, the value was set as the GITHUB_TOKEN by default. So the GITHUB_TOKEN was used to set the local git config.
As you can see the description from the docs about the GITHUB_TOKEN:

The token’s permissions are limited to the repository that contains your workflow.

So, you can’t use the GITHUB_TOKEN to download another private repository.

Hi @brightran,

I just added that option, but I’m still getting the same error. What would be the correct way to set my token?
I’ve tried changing the url in these 2 ways:
git config --global url."https://${PRIVATE_GITHUB_TOKEN}:x-oauth-basic@github.com/".insteadOf "https://github.com/"
git config --global url."https://${PRIVATE_GITHUB_TOKEN}:@github.com/".insteadOf "https://github.com/"

@seguidor777 ,

When using the authorization in the Git URL, normally the syntax should like as below:

https://{username}:{token}@github.com/. . .

or you can omit the {username}, or use any string to set it.

https://:{token}@github.com/. . .

For example, clone a repository.

git clone https://{username}:{token}@github.com/{owner}/{repo}.git

OR

git clone https://:{token}@github.com/{owner}/{repo}.git

I noticed that the command you are using in the workflow is this,

git config --global url.“https://${PRIVATE_GITHUB_TOKEN}:x-oauth-basic@github.com/”.insteadOf “https://github.com/

The ${PRIVATE_GITHUB_TOKEN} is the token, and the ‘x-oauth-basic’ is the username. Looks like, you place them in the wrong order.
You can try to change the URL to the following to see if the problem can be solved.

https://x-oauth-basic:${PRIVATE_GITHUB_TOKEN}@github.com/

I also have tried with those urls and am getting the same error.
I’m using the URL in the form of git config --global url."https://${PRIVATE_GITHUB_TOKEN}:@github.com/".insteadOf "https://github.com/" because I’ve already used it in a RUN step of a docker image and it works

@seguidor777 ,

Okay, please check with the following steps:

  1. Use the checkout action with the token “${{ secrets.PRIVATE_GITHUB_TOKEN }}” to see if it can check out the private repository.
    This step is used to check if the user who the token is corresponding to has the access to the private repository. If the user does not have the access to the private repository, you also can’t use the token to access the repository, even if the token has been set with full scopes.

  2. If the the token can access the private repository, on your local machine where the self-hosted runner is installed, try to run the same commands you are using in the workflow to set the git config and download the private repository to see if them can work on your local machine.
    This step is used to check if the commands you are using are correct. If the commands also do not work on the local machine, you may be using some incorrect commands or have wrong use for the commands.