Confused about secrets/actions on private repos - please help

I have an action that regularly synchronizes a source repo with data from a specified remote repo. It works great when the remote is public! But I’m having a ton of trouble when the remote is private, and I think I’m just completely misunderstanding how access tokens work. Help me sort things out?

Simple Scenario:

  • An ORGANIZATION has a SOURCE repo with lots of great code. It’s private.
  • A certain USER_1 has access to that repo and makes a FORK of it.
  • USER_1 creates a simple workflow in the FORK that starts with a checkout of the SOURCE (using actions/checkout)
  • Oh no! The workflow checkout fails because the SOURCE is private. Access denied.

Questions:

  1. Is there any way for USER_1 to access the SOURCE by including an access token in the workflow?
  2. If yes, where is the token generated?
  3. And then where does the token need to be stored for validation when the user tries to access the repo?

Am I misunderstanding that this is possible? I’m really trying to figure out what to do since my action is quite a bit less useful without being able to access private repos.

Yes, using a personal access token (PAT). You need to pass that token to actions/checkout, which should look something like this:

- uses: actions/checkout@v2
  with:
    # owner/name of the private SOURCE repo, not of the fork running the workflow
    repository: 'org/repo'
    # PAT stored as a repository secret named PAT in the repo where the workflow runs
    token: ${{ secrets.PAT }}

For creating a token, see:

You’ll have to store the token as a “secret” to make it available to the workflow, details here:

Oh, believe me - I’ve read these docs, and while I understand the concepts, they provide no real explanation beyond creating the secrets. That’s why I included questions 2 and 3 in my original post.

  1. If yes, where is the token generated?
  2. And then where does the token need to be stored for validation when the user tries to access the repo?

See, what I’m not able to figure out is who should have access to the secret in what way. I think the secret should be stored in the SOURCE repo, but then I’d assume USER_1 is going to need a copy on their account as well to include in their workflow. But no matter how I try to set this up, I can’t get USER_1 to connect to the private SOURCE repo even for a simple checkout.

(And sometimes when I do pass a token as a secret I get a weird error telling me there was no token in the workflow at all. It’s frustrating.)

So while I absolutely understand creating secrets, I seem to be missing the ball on how to use them. (Sorry, those doc links just aren’t helping me.)

If the workflow is running in USER_1’s repository, the secret needs to be set in that repository. Secrets are not passed to forks. If you want that “update fork” workflow to be part of the upstream repository, each user who forks it will need to create their own PAT and add it to their fork repository before they can use the workflow.
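Putting the thread's answers together as one complete workflow. This is an added example, not code from the thread or from GitHub's docs. It assumes the private upstream is `ORG/SOURCE`, that the workflow file is committed to USER_1's fork, that USER_1 generated a PAT in their own account (Settings > Developer settings > Personal access tokens) with read access to `ORG/SOURCE`, and stored it in the fork's repository secrets (Settings > Secrets and variables > Actions) under the assumed name `UPSTREAM_PAT`. The secret lives in the fork because that is where the workflow runs; nothing needs to be stored in SOURCE. The first step checks that the secret is actually present, which turns the "no token in the workflow" failure into an explicit error.

```yaml
# .github/workflows/sync-upstream.yml, committed to USER_1's FORK.
# Added example (not from the thread). Assumes the private upstream is
# ORG/SOURCE and that USER_1 stored a PAT with read access to it in the
# FORK's repository secrets as UPSTREAM_PAT.
name: Sync from private upstream

on:
  schedule:
    - cron: "0 6 * * *"   # scheduled runs only fire from the fork's default branch
  workflow_dispatch:

# Least privilege for the job's built-in GITHUB_TOKEN; the PAT is separate.
permissions:
  contents: write         # only needed because the last step pushes to the fork

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      # The secrets context is not available in `if:` expressions, so expose
      # the secret as an env var and test it in the shell.
      - name: Check that the PAT secret exists in this repository
        env:
          UPSTREAM_PAT: ${{ secrets.UPSTREAM_PAT }}
        run: |
          if [ -z "$UPSTREAM_PAT" ]; then
            echo "::error::UPSTREAM_PAT is not set. Secrets are not inherited from the upstream repo or from other forks; add it to this fork's Actions secrets."
            exit 1
          fi

      # Check out the fork itself with the job's GITHUB_TOKEN (the default).
      - name: Check out this fork
        uses: actions/checkout@v4
        with:
          path: fork

      # Check out the private upstream with the PAT. persist-credentials: false
      # keeps the PAT out of upstream/.git/config so later steps cannot read it.
      - name: Check out private upstream
        uses: actions/checkout@v4
        with:
          repository: ORG/SOURCE
          token: ${{ secrets.UPSTREAM_PAT }}
          path: upstream
          persist-credentials: false

      # .git and .github are excluded: the fork's own workflow file must survive,
      # and GITHUB_TOKEN cannot push workflow changes anyway.
      - name: Copy upstream contents into the fork and push
        run: |
          rsync -a --delete --exclude .git --exclude .github upstream/ fork/
          cd fork
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add -A
          if git diff --cached --quiet; then
            echo "Nothing to sync"
            exit 0
          fi
          git commit -m "Sync from ORG/SOURCE"
          git push
```

Two practitioner notes. Give the PAT the narrowest access that still lets it read SOURCE (for a fine-grained token, Contents: read on that one repository, if the organization allows fine-grained tokens); a classic token with the full `repo` scope can read and write every private repo USER_1 can reach. And because the PAT is a personal credential, a copy of this workflow in the upstream repo only becomes useful to another user once that user has created their own PAT and added it to their own fork; the upstream's secrets are never exposed to forks.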