Running Code from Private Repo and Publishing Output to Public Repo Help

Background: I have a private code repo that generates a CSV and I would like to publish/push that CSV to a public code repo using Workflows/Actions on a schedule.

Problem: Once I get the CSV generated and into the public repository and try to push, I am getting an error of unable to access “repo” denied to github-actions[bot]. Any help will be appreciated; I tried to google a solution or workaround.

Below is the sample code:

```yaml
# This is a basic workflow to help you get started with Actions

name: FooBar

# Controls when the workflow will run
on:
  # Triggers the workflow on push
  [push]

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "foo"
  foo:
    # The type of runner that the job will run on
    runs-on: ubuntu-latest

    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      - name: Checkout Private Repo
        uses: actions/checkout@v2
        with:
          path: main

      - name: Checkout Public Repo
        uses: actions/checkout@v2
        with:
          repository: public-repo
          path: data

      - name: Run CSV Script and Move File to Data Path
        run: |
          cd main
          python -m pip install -r requirements.txt
          python main.py

      - name: Checkin Public Repo
        run: |
          cd data
          git config user.name github-actions
          git config user.email github-actions@github.com
          git add .
          git commit -m "generated"
          git push
```

This means you’re using the GITHUB_TOKEN for authorization when accessing the public repository. For fetching that’s no problem (because a public repo can be fetched by anyone), but pushing won’t work because the GITHUB_TOKEN is scoped to your private repository.

To push to the public repository you’ll have to create a PAT that grants access for pushing to your public repository (repo scope), store it as a secret for your private repository, and provide that secret to actions/checkout as its token option.
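The workflow from the question with the change described above applied, as an added example that is not part of the original posts. The secret name `PUBLIC_REPO_PAT` and the `OWNER/public-repo` path are placeholders, and the guard against an empty commit is an addition of this example:

```yaml
name: FooBar

on:
  [push]

jobs:
  foo:
    runs-on: ubuntu-latest

    steps:
      # The private repo is the one running the workflow, so the default
      # GITHUB_TOKEN is sufficient to check it out.
      - name: Checkout Private Repo
        uses: actions/checkout@v2
        with:
          path: main

      # The default GITHUB_TOKEN cannot push to another repository.
      # Passing the PAT as `token` makes checkout store it in the git
      # config of ./data for this job, so the later `git push`
      # authenticates as the PAT owner instead of github-actions[bot].
      - name: Checkout Public Repo
        uses: actions/checkout@v2
        with:
          repository: OWNER/public-repo          # placeholder: owner/name of the public repo
          token: ${{ secrets.PUBLIC_REPO_PAT }}  # hypothetical secret name, defined on the private repo
          path: data

      - name: Run CSV Script and Move File to Data Path
        run: |
          cd main
          python -m pip install -r requirements.txt
          python main.py

      - name: Checkin Public Repo
        run: |
          cd data
          git config user.name github-actions
          git config user.email github-actions@github.com
          git add .
          # Commit and push only when the CSV actually changed, so a run
          # with identical output does not fail on an empty commit.
          git diff --cached --quiet || (git commit -m "generated" && git push)
```

The PAT is readable by every later step in the job, so keep third-party actions out of this job or pin them to a commit SHA.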

As much as I don’t like to create a PAT that allows access to all my public repositories, this works great. Just to lock it down, I need to look into how to repo scope.

I meant the repo scope for tokens, see: Scopes for OAuth Apps - GitHub Docs

I don’t think there’s a way to limit it to a specific repository, unfortunately.