Github Actions Token Scope

We’re currently using actions as our CI/CD

For one of our products (PHP) we use a package that we have developed in house, as a private repo

Composer is unable to install the private package, as the ssh key is not correctly configured

Is there any currently an easy way of cloning other repos that the organisation has access to in the context of a github action?

3 Likes

GitHub provides a token that you can use to authenticate on behalf of GitHub Actions, it automatically creates a GITHUB_TOKEN secret to use in your workflow.
The permissions of GITHUB_TOKEN are limited to the repository that contains your workflow. If you need a token that requires permissions that aren’t available in the GITHUB_TOKEN, you can create a personal access token and set it as a secret in your repository.
More details about how to create a PAT, you can reference here: https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line

4 Likes

I was having the exact same problem installing composer project dependencies with a satis server and private github repos.  I was able to eaily work around the “404 not found” issue on the private repos with:

- name: Setup Composer Access
        run: composer config -g github-oauth.github.com ${{ secrets.DEPLOY_TOKEN }}

The only major issue is that personal access tokens have to be attached to personal accounts and there seems to be no orgnization level equivilent.

4 Likes

I also do it like that. But I’m getting a notification of Github telling that is deprecated the usage of that way.

“Please use the Authorization HTTP header instead, as using the access_token query parameter is deprecated.”.

If you use private repository for your packages, you can use http-basic auth like that : 

-name: Setup Composer Access
run: composer config -g http-basic.private-repo.organization.org ${{ secrets.REPO_USERNAME }} ${{ secrets.REPO_PASSWORD }}

Hello!

I think that you should use a prive/public keys, and then add the public key to target repository (your private repo). After that, add your private key as a secret and use the next action: webfactory/ssh-agent@v0.2.0

- uses: webfactory/ssh-agent@v0.2.0
              with:
                ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
2 Likes