checkout icon indicating copy to clipboard operation
checkout copied to clipboard
verified publisher icon actions

Duplicate header: "Authorization"

Open petlitskiy opened this issue 2 months ago • 18 comments

Faced when using actions/checkout@main:

  /usr/bin/git remote prune origin
  remote: Duplicate header: "Authorization"
  fatal: unable to access 'https://github.com/***/****/': The requested URL returned error: 400
  Error: The process '/usr/bin/git' failed with exit code 128

petlitskiy avatar Nov 05 '25 12:11 petlitskiy

@petlitskiy are you using a self-hosted runner or a hosted runner?

ericsciple avatar Nov 05 '25 18:11 ericsciple

@petlitskiy or do you have multiple checkout steps for the same job?

ericsciple avatar Nov 05 '25 18:11 ericsciple

@ericsciple I'm also seeing this error on self-hosted runners without any duplicate checkouts.

We had to use the following environment variables to get things working again:

GIT_AUTHORIZATION_BEARER: ${{ secrets.GITHUB_TOKEN }}
DEFAULT_BRANCH: main

Which according to the docs should not need to be set

mgetzflex avatar Nov 11 '25 13:11 mgetzflex

@mgetzflex do you also have the same issue with actions/checkout@v5 ? Or just actions/checkout@main ? I would assume both would fail, but good to verify since the authorization logic recently changed in main.

Do you have authorization configured in the global or system git config? You can check by queuing a job to the same runner like the following:

jobs:
  test:
    runs-on: your-runner-label
    steps:
      - run: git config --list --global || true
      - run: git config --list --system || true

ericsciple avatar Nov 12 '25 05:11 ericsciple

@ericsciple, the issue seems to stem from this change: https://github.com/actions/checkout/pull/2286

I'm also seeing the problem on the GitHub (non-standalone) runners in jobs with multiple and single checkout actions.

totus avatar Nov 21 '25 10:11 totus

I confirm the issue with 6.0.0. Had to revert to 5.0.1 to fix the issue.

kdeldycke avatar Nov 21 '25 13:11 kdeldycke

@totus @kdeldycke can you help me understand how to reproduce the issue? Can you share a small self-contained example?

ericsciple avatar Nov 21 '25 17:11 ericsciple

@kdeldycke in your case it looks like the action peter-evans/create-pull-request is adding an auth header, but doesn't know how to clean up the new actions/checkout v6 style auth configuration. Either that action would need to react, or you can set persist-credentials: false to actions/checkout.

ericsciple avatar Nov 21 '25 17:11 ericsciple

Related issue:

  • https://github.com/peter-evans/create-pull-request/issues/4228

ericsciple avatar Nov 21 '25 17:11 ericsciple

@ericsciple What would an appropriate (simple and stable) strategy be for actions like create-pull-request to use, where there is a need to temporarily run some number of git commands using different credentials? The persist-credentials: false workaround has an additional downside of breaking git commands that interact with the remote in other steps where having the default auth present is desired/expected.

eriksw avatar Nov 21 '25 23:11 eriksw

@kdeldycke in your case it looks like the action peter-evans/create-pull-request is adding an auth header, but doesn't know how to clean up the new actions/checkout v6 style auth configuration. Either that action would need to react, or you can set persist-credentials: false to actions/checkout.

@ericsciple can you expand on what "clean up" an action based on v5 would need to do, in order to be compatible with v6?

SJLC avatar Nov 21 '25 23:11 SJLC

@eriksw one option would be to temporarily remove the git config includeIf.gitdir keys where the value matches git-credentials-*.config. Here is an example where I ported v6-style to v5. Depending on your scenario, you may or may not need to worry about submodules.

A much simpler solution might be to temporarily move the files $RUNNER_TEMP/git-credentials-*.config to RUNNER_TEMP/git-credentials-*.config.bak. If I recall correctly, git simply ignores the config if the target file doesn't exist.

ericsciple avatar Nov 22 '25 06:11 ericsciple

@SJLC for full v6-style cleanup, refer the following PR:

  • https://github.com/actions/checkout/pull/2301

ericsciple avatar Nov 22 '25 06:11 ericsciple

We have the same problem here

  • https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/actions/runs/19595231368

laeubi avatar Nov 22 '25 13:11 laeubi

@laeubi please update to peter-evans/[email protected] or @v7

ericsciple avatar Nov 22 '25 20:11 ericsciple

Or @84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9 plus Dependabot for both added robustness and security. @laeubi thumbs up for already doing that 👍

hartwork avatar Nov 22 '25 20:11 hartwork

@kdeldycke in your case it looks like the action peter-evans/create-pull-request is adding an auth header, but doesn't know how to clean up the new actions/checkout v6 style auth configuration. Either that action would need to react, or you can set persist-credentials: false to actions/checkout.

Thanks @ericsciple for looking into my workflows! You're too fast, I should have added more details about the peter-evans/create-pull-request incompatibility right away. 😅

I also realized you just fixed the issue upstream at https://github.com/peter-evans/create-pull-request/pull/4230 .

Anyway, it seems to fix the issue. Thanks! :)

kdeldycke avatar Nov 23 '25 04:11 kdeldycke

@kdeldycke thanks for confirming the fix!

ericsciple avatar Nov 23 '25 04:11 ericsciple