Submodules checkout "repository not found" error without PAT

Open WilliamRaia-ploomes opened this issue 10 months ago • 7 comments

I'm trying to use this action to check out a private repo which has multiple other private repos as submodules; they're all from the same GitHub organization. All the submodules work fine when interacting with them locally or through the GitHub UI. The problem is that when running the workflow on GitHub Actions, after registering all submodules to their paths, when it tries to start cloning them it returns "remote: Repository not found." for every submodule we have.

Searching for this problem, I've found people saying to use a PAT from a user, like in the commented line below. Even though that is definitely something I'd like to avoid for a company solution, I've tried it, and this results in failing to check out the primary repo with the error "remote: Write access to repository not granted.", even though I'm an admin in the organization, have access to all the repos in it and have given the PAT all read and write repository permissions.

Used config for job:

  unit-tests:
    needs: check-branch
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # token: ${{ secrets.PIPELINE_PAT }}
          submodules: 'recursive'
          # persist-credentials: false

Tried to give explicit permission for the workflow to read repos but got the same error. Tried to use the "persist-credentials: false" and "true" options but got the same error as without it. Already checked .gitmodules and all the repos are using correct HTTPS URLs in the format:

[submodule "packages/test"]
	path = packages/test
	url = https://github.com/Org/Test.git

What am I missing here?

WilliamRaia-ploomes, Feb 13 '25 19:02

Got it to work with a Classic Personal Access Token instead of a fine-grained one, but this is more of a workaround than a fix really; I don't like the idea of a workflow that will be used by my whole company depending on my own PAT. Why isn't the GITHUB_TOKEN enough for this functionality even with express permission?

WilliamRaia-ploomes, Feb 13 '25 21:02

Having the same issue. On some repositories I have no problem, with others I do, but I could not figure out why.

mirco-bozzolini, Feb 27 '25 17:02

Same for me. I don't want to use a PAT in the org registry.

SaltFish001, Mar 13 '25 05:03

We're currently bumping up against this for our self-hosted runner too.

Edit: A colleague has just managed to get it working. He generated a new fine-grained token and added the 'contents read' and 'metadata' scopes. He then added this as a repository secret and passed it in as the token to the checkout action. This works well enough for us.

CPritch, Apr 02 '25 10:04

To answer your question:

Why isn't the GITHUB_TOKEN enough for this functionality even with express permission?

https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#about-the-github_token-secret

When you enable GitHub Actions, GitHub installs a GitHub App on your repository. The GITHUB_TOKEN secret is a GitHub App installation access token. You can use the installation access token to authenticate on behalf of the GitHub App installed on your repository. The token's permissions are limited to the repository that contains your workflow. For more information, see Permissions for the GITHUB_TOKEN.

In short, it's a design feature. Different repositories owned by a given organization aren't guaranteed to be equally trusted.

That said, the error message is indeed lousy. (I'm here because I'm looking into one of the related failure cases, but I've decided this isn't the right issue.)

I'd be inclined to change the documentation in the README to explicitly indicate that they can only be private GitHub repositories if a PAT or GitHub user's SSH key is provided (and that you shouldn't use a GitHub user's SSH key because that's a horrible idea) in this block: https://github.com/actions/checkout/blob/85e6279cec87321a52edac9c87bce653a07cf6c2/README.md?plain=1#L110-L117

jsoref, Apr 20 '25 02:04
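
An added example, not part of the thread or of actions/checkout: a Python pre-flight check that reads .gitmodules and lists the submodules living in a repository other than the one running the workflow, which per the documentation quoted above is all the GITHUB_TOKEN can reach. Org/Main, Org/Shared and the function names are assumptions; in a workflow the repository name would come from the GITHUB_REPOSITORY variable.

```python
import posixpath
import re

SECTION = re.compile(r'^\[submodule\s+"(?P<name>.+)"\]\s*$')
URL_KEY = re.compile(r'^\s*url\s*=\s*(?P<url>\S+)\s*$')
GITHUB_URL = re.compile(
    r'^(?:https://(?:[^@/]+@)?github\.com/|ssh://git@github\.com/|git@github\.com:)'
    r'(?P<slug>[^/]+/[^/]+?)(?:\.git)?/?$', re.IGNORECASE)

# Constructed sample; only the Org/Test entry is the URL shape quoted in the issue.
SAMPLE = '''[submodule "packages/test"]
\tpath = packages/test
\turl = https://github.com/Org/Test.git
[submodule "packages/shared"]
\tpath = packages/shared
\turl = ../Shared.git
[submodule "self"]
\tpath = self
\turl = git@github.com:Org/Main.git
'''

def parse_gitmodules(text):
    """Return {submodule name: url} from .gitmodules content."""
    urls, current = {}, None
    for line in text.splitlines():
        section, key = SECTION.match(line.strip()), URL_KEY.match(line)
        if section:
            current = section.group("name")
        elif key and current is not None:
            urls[current] = key.group("url")
    return urls

def repo_slug(url, parent_slug):
    """Lowercase 'owner/repo', or None if the URL is not a recognised github.com form."""
    if url.startswith("../"):
        # Relative URLs resolve against the superproject's own remote.
        path = posixpath.normpath(posixpath.join(parent_slug, url))
        return re.sub(r"\.git$", "", path).lower()
    match = GITHUB_URL.match(url)
    return match.group("slug").lower() if match else None

def outside_token_scope(gitmodules_text, workflow_repo):
    """List (name, slug) for submodules that are not the workflow's own repository."""
    slugs = {n: repo_slug(u, workflow_repo) for n, u in parse_gitmodules(gitmodules_text).items()}
    return [(n, s) for n, s in slugs.items() if s != workflow_repo.lower()]

if __name__ == "__main__":
    for name, slug in outside_token_scope(SAMPLE, "Org/Main"):
        print(f"{name}: {slug} is outside the GITHUB_TOKEN's repository")
```

The check cannot tell whether a listed repository is private; it only shows which submodules fall outside the workflow's own repository and so depend on a separately supplied credential if they are.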

Fundamentally the general request (aside from my suggestion to improve the docs) is probably a duplicate of:

  • #287

jsoref, Apr 20 '25 02:04

Facing the same issue. Apart from using a personal access token, is there any alternative? Because I can't use my PAT to run the workflow in the org repository.

Ajeet1606, Nov 05 '25 07:11