Npm install fails to pull dependency from public GitHub repo

I’m running into a weird issue that I can’t quite nail down the cause of.

My repository has a dependency in its package.json file that links to a specific tag in a public repository on GitHub (this specific version isn’t published to npm, which is why we have to do this).

{
  "dependencies": {
    "Select2": "select2/select2#3.5.4"
  }
}

It’s a public repository and we’ve never had any issue with it when running npm install in any context (locally, CI, etc) before.

I wanted to make an action that uses preactjs/compressed-size-action@v2 to report our bundle size on PRs.

This is the workflow:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: preactjs/compressed-size-action@v2
        with:
          build-script: build
          compression: gzip
          exclude: '{**/*.map,**/node_modules/**}'
          pattern: '{public/css/**/*,public/js/**/*}'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          strip-hash: "\\b\\w{20}\\."

When preactjs/compressed-size-action tries to install dependencies I get this error:

npm WARN prepare removing existing node_modules/ before installation
npm ERR! Error while executing:
npm ERR! /usr/bin/git ls-remote -h -t ssh://git@github.com/select2/select2.git
npm ERR! 
npm ERR! Warning: Permanently added the RSA host key for IP address '140.82.112.3' to the list of known hosts.
npm ERR! git@github.com: Permission denied (publickey).
npm ERR! fatal: Could not read from remote repository.
npm ERR! 

npm seems to be trying to connect to GitHub via SSH, which presumably doesn’t work because there are no SSH keys in my workflow. I don’t think it’s a bug with npm because I tried to reproduce it and can’t. I suppose it could be a bug with this specific action but I’ve looked through the code and there’s nothing out of the ordinary in it that would seem like it would cause npm/Git to try to connect to GitHub via SSH.

It feels like there’s an issue with my workflow or maybe GitHub Actions but it’s such a simple workflow I can’t imagine what it might be.

Does anyone know what I’m missing or have any ideas of what I could try? 🙏🏼

Hi @brandonweiss,

Glad to see you in the GitHub Community Forum!
According to the error message, it could be a permission error. Please try the options below:

  1. Create a new secret based on a personal access token, use the secret instead of GITHUB_TOKEN for the action.
  2. Is the PR created from a fork repository? Please try an internal PR first (within one repository).

If the issue persists, it’s recommended to share your repo/sample repo for further investigation.

Thanks

Thanks for your help! The repository the action is being run on is not a fork, it’s just a normal, private repository. Unfortunately I can’t share it, but I did share the action YAML.

I understand what the error means… what I don’t understand is why I’m getting that error.

As for using a different token, that doesn’t seem like the right solution. First, I’d be shimming a personal access token into a workflow on a repository in an organization. Second, this personal access token would, I think, have much broader privileges than the provided token (privileges which the action should not need). Third, reading the code of the action I don’t think a different token would even work. The action is just using the token to interact with the pull request (like leaving a comment on it). Maybe I’m misunderstanding how this all works, but the action is failing with this error before it ever gets to the point where it actually uses the token.

Without that particular dependency in my package.json, the workflow and action would work. So while it certainly could be an issue with the action, it feels more like it’s a problem with the workflow, or maybe some underlying bug with GitHub Actions itself?

Hi @brandonweiss,

I followed your code, created my own repository, made it private, and created a PR; the workflow completed without any problems. Please check my dynamic image:

I recommend checking the code, e.g. package.json, package-lock.json, workflow YAML, etc., for any code issues.

Thanks.
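
One way to carry out the package-lock.json check suggested in the last reply, as an added example that is not part of any post in this thread: a Node.js function that lists locked dependencies whose recorded URL makes npm reach the host over SSH, as in the `git ls-remote ... ssh://git@github.com/select2/select2.git` call in the error output. The sample lockfiles are constructed, the commit id is a placeholder, and the field layout (v1 `version`, v2/v3 `packages[...].resolved`) is an assumption about the lockfile format.

```javascript
// Added example (not from the thread): list locked dependencies that npm
// will fetch over SSH. Assumed layout: lockfile v1 keeps the git URL in
// `version`; v2/v3 keep it in `packages[...].resolved`.
const SSH_URL = /^(git\+ssh:\/\/|ssh:\/\/|git@)/;

function findSshDependencies(lock) {
  const hits = [];
  const add = (name, url) => {
    if (typeof url === "string" && SSH_URL.test(url) &&
        !hits.some((h) => h.name === name && h.url === url)) {
      hits.push({ name, url });
    }
  };
  // v2/v3: flat map keyed by install path ("" is the root project).
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    add(path.replace(/^.*node_modules\//, ""), entry.resolved);
  }
  // v1 (and the compatibility copy in v2): nested dependency tree.
  (function walk(deps) {
    for (const [name, entry] of Object.entries(deps || {})) {
      add(name, entry.version);
      walk(entry.dependencies);
    }
  })(lock.dependencies);
  return hits;
}

// Constructed samples; the all-zero commit id is a placeholder.
const PLACEHOLDER_COMMIT = "0".repeat(40);
const sampleLockV1 = {
  lockfileVersion: 1,
  dependencies: {
    Select2: {
      version: "git+ssh://git@github.com/select2/select2.git#" + PLACEHOLDER_COMMIT,
      from: "Select2@select2/select2#3.5.4",
    },
    lodash: { version: "4.17.21" },
  },
};
const sampleLockV3 = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { Select2: "select2/select2#3.5.4" } },
    "node_modules/Select2": {
      resolved: "git+https://github.com/select2/select2.git#" + PLACEHOLDER_COMMIT,
    },
  },
};

console.log(findSshDependencies(sampleLockV1));
```

To check a real project, pass the function the parsed contents of its package-lock.json; an empty result means no locked entry uses an SSH URL.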