Can't clone private repo from another repo

I need to clone a private repository from another repository in workflow actions. Both are in the same project. I need to do this programmatically, so I'm looking for a solution that doesn’t use username:password in the command. SSH key or token would be best.

I’ll clone my_repo1 using actions/checkout@v2, but the clone of my_repo2 has to happen after some setup is performed, so it will be running in the run section.

Here is my yml file I’m using to test this.

name: Git Clone
on: [push]

jobs:
  clone:
    runs-on: ubuntu-latest
    steps:

      - name: clone private repo
        env:
          token: ${{ secrets.MY_TOKEN }}
        run: git clone git@github.com:MY_PROJECT/my_repo2.git

Getting:
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

MY_TOKEN is an org secret and I see it listed when looking at my_repo2 secrets.

Any help getting this resolved would be greatly appreciated.

Why not have a second actions/checkout step after the setup? The documentation has some examples of this. And there’s nothing that’d prevent you from having run steps between the two uses steps in the example.

Can’t use actions/checkout for this as it is done as part of a running process. I’m trying to figure out how to do this so I can incorporate it into our make process.
This is not your typical pull code and make project.
Tried not to go into all the details but…
This is a Yocto build that uses bitbake recipes. In the recipe you specify the repo and protocol and it goes and retrieves the repos as part of the build process. This works fine for all the external repos but is getting a permissions issue when trying to pull the other private repos in our project.
As this is part of the source code and must be able to be run by everyone, we cannot have hardcoded usernames and passwords in code (which is a bad idea for other reasons as well).
I can run this from my local system and it pulls the repos just fine; it is only when running in workflow actions that I am having permissions problems.

Can’t think it would be that difficult to do this as there has to be a way to pull from a private repo in your project w/o using actions/checkout.

Has anyone done Yocto bitbake builds with private repos within your project?

While looking at workflow logs I noticed that actions/checkout configures an HTTP Authorization header like this:

/usr/bin/git config --local http.https://github.com/.extraheader AUTHORIZATION: basic ***

Where *** hides the GITHUB_TOKEN. Maybe you can use a similar approach to configure your PAT?

There’s also a post action for actions/checkout that wipes the secret again; if you do this, you should probably do the same (or use a step with if: always()).
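
The approach from the last reply, written out as shell helpers for a `run:` step. This is an added example, not code from the thread or from actions/checkout. It assumes the token reaches the step as an environment variable (called `GH_PAT` here), that the remote is an `https://github.com/` URL rather than the `git@github.com:` form, and it uses `--global` instead of `--local` so git processes started by a build tool in other directories also pick up the header. All function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: helper names and GH_PAT are assumptions, not from the thread.
GH_HEADER_KEY='http.https://github.com/.extraheader'

# Header value: "AUTHORIZATION: basic " + base64("x-access-token:<token>").
gh_auth_header() {
    [ -n "$1" ] || { echo "token is empty" >&2; return 1; }
    printf 'AUTHORIZATION: basic %s' \
        "$(printf 'x-access-token:%s' "$1" | base64 | tr -d '\n')"
}

# Store the header in the global git config of the runner user.
gh_auth_set() {
    local header
    header=$(gh_auth_header "$1") || return 1
    # The base64 form is not the secret itself, so ask the runner to mask it too.
    if [ -n "${GITHUB_ACTIONS:-}" ]; then
        echo "::add-mask::${header#AUTHORIZATION: basic }"
    fi
    git config --global "$GH_HEADER_KEY" "$header"
}

# Remove the header; succeeds even if it was never set.
gh_auth_clear() {
    git config --global --unset-all "$GH_HEADER_KEY" 2>/dev/null || true
}

# Run a command with the header set and always clear it afterwards,
# passing the command's exit status through.
with_gh_auth() {
    local token=$1 rc=0
    shift
    gh_auth_set "$token" || return 1
    "$@" || rc=$?
    gh_auth_clear
    return "$rc"
}

# Usage inside a run: step (not executed here):
#   with_gh_auth "$GH_PAT" git clone https://github.com/MY_PROJECT/my_repo2.git
```

Avoid `set -x` in the same step, since shell tracing would print the header value before the mask is registered.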