Github-action: action in private repository

Amazing!
Super helpful broken down tips!


@jef I am trying your example implementation and am getting a strange error: ##[error]Top level 'runs:' section is required for /home/runner/work/#####/./.github/actions/service-deploy/action.yml. I simply copied my working action from the repo it was running in into a github-actions private org repo and am referencing it like you are in your example. Any ideas why that error would be popping up?

I am also getting the Unrecognized named-value: 'secrets' when trying to use secrets in the action template. Is there a way to utilize secrets without having to pass them as environment variables in each repo that uses the action template?

I’m thinking that you’re referencing the action wrong. What you want is something like this:

# --snip--
    steps:
      - uses: actions/checkout@v2
      - uses: actions/checkout@v2
        with:
          repository: organization/private-actions-repository
          token: ${{ secrets.PRIVATE_SCOPED_PAT }}
          path: .github/actions
      - name: Service deploy
        uses: ./.github/actions/service-deploy

The directory structure of your private action repository would look like this:

.                     # the root of the repository directory
├── .git
├── README.md         # not necessary, but for demonstration purpose
├── service-deploy    # reference this directory, not the action.yml
│   ├── action.yml
│   ├── Dockerfile    # just an example, doesn't need to be a Docker action
│   ├── entrypoint.sh

It seems you were trying to point to the action.yml file here. You’d want to reference the directory, not the action.yml.

To reiterate, private and action aren’t required naming here either, just the way it could be potentially structured.

This is not possible to my knowledge. You could use a different secret manager and action that would pull from those secrets based off a master secret. Or I would use organization secrets (what I think is better here).


This is the structure of my private action repository:
.                     # the root of the repository directory
├── .git
├── service-deploy    # reference this directory, not the action.yml
│   ├── action.yml

And my repo trying to use it has the workflow defined like this:

name: Build and Deploy to GKE

on:
  push:
    branches:
      - master

env:
  ...

jobs:
  setup-build-publish-deploy:
    name: Setup, Build, Publish, and Deploy
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/checkout@v2
        with:
          repository: <org>/github-actions
          token: ${{ secrets.REPO_TOKEN }}
          path: .github/actions
      - name: Private Action
        uses: ./.github/actions/service-deploy

I’m also using organization secrets which is why I’m confused as to why it doesn’t work as it does in the other repo.

The weird thing is that runs is not a top-level section that I can see from the docs.

Not quite sure what you mean from this one.

Ensure that it’s added to the repository that is running the action from the organization.


That looks good to me. What sort of output are you getting? I’d be sure to also make sure that you don’t currently have a directory in .github/actions in the repository as it will overwrite it when you do the second checkout if you relied on anything in there.
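
A preflight check for the local action reference discussed in the replies above, as an added example that is not part of any post in this thread: it confirms that the uses: path names a directory, that the directory exists after the second checkout, and that its action.yml has the top-level runs: key the runner's error message asks for. The function names, exit codes and demo tree are assumptions made for illustration.

```shell
# Preflight for a local action reference such as ./.github/actions/service-deploy.
# Usage: check_local_action WORKSPACE USES_REF   (hypothetical helper)
# Exit status: 0 ok, 1 not a local (./) reference, 2 names the metadata file
# instead of its directory, 3 directory missing, 4 no action.yml/action.yaml,
# 5 metadata has no top-level "runs:" key.
check_local_action() {
    workspace=$1 ref=$2
    case $ref in
        */action.yml|*/action.yaml)
            echo "reference the directory, not the metadata file: $ref" >&2; return 2 ;;
        ./*) ;;
        *) echo "not a local reference: $ref" >&2; return 1 ;;
    esac
    dir=$workspace/${ref#./}
    if [ ! -d "$dir" ]; then
        echo "directory not found (did the second checkout run?): $dir" >&2
        return 3
    fi
    meta=
    for name in action.yml action.yaml; do
        if [ -f "$dir/$name" ]; then meta=$dir/$name; break; fi
    done
    if [ -z "$meta" ]; then
        echo "no action.yml or action.yaml in $dir" >&2
        return 4
    fi
    # A top-level key starts in column 0; an indented "runs-on:" or "runs:"
    # belongs to another mapping (for example a workflow job) and does not count.
    if ! grep -Eq '^runs[[:space:]]*:' "$meta"; then
        echo "no top-level 'runs:' key in $meta" >&2
        return 5
    fi
    echo "ok: $meta"
}

# Constructed demo tree (not from the thread): one valid Docker action directory.
demo_workspace() {
    ws=$(mktemp -d)
    mkdir -p "$ws/.github/actions/service-deploy"
    printf 'name: Service deploy\nruns:\n  using: docker\n  image: Dockerfile\n' \
        > "$ws/.github/actions/service-deploy/action.yml"
    echo "$ws"
}

demo=$(demo_workspace)
check_local_action "$demo" ./.github/actions/service-deploy
check_local_action "$demo" ./.github/actions/service-deploy/action.yml || echo "exit status $?"
rm -rf "$demo"
```

Run as a step after the second checkout, with the workspace path as the first argument, it fails before the runner tries to load the action.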

What if we had an authorised key in workflows for private repositories? This would be a top-level key, and accept an array of user logins.

If a request to use an action in a private repository comes from an authorised user/account it’s granted access, else it’s denied.

name: My Private Repo Workflow

on:
    # .../

authorised:
    - user_login_1
    - user_login_2
    - etc

jobs:
    # .../

+1!
Private action repos would be very helpful.