
Document how to clone with a PAT as a read-only action

Open Gby56 opened this issue 2 years ago • 15 comments

I'm struggling to understand how I could simply clone repositories in an action without using deploy keys, because they have to be added to each repository to work. PAT permissions are really not user-friendly, and I'd just like to have a simple read:repository permission to have the right to clone a repository's code. I'm hitting the bug for cloning with a token defined: remote: Write access to repository not granted. But I don't care about write access to that repository with my PAT. Is this something possible with a PAT that can only clone and not push?

Gby56 avatar Apr 22 '22 15:04 Gby56

FYI: the documentation simply states: "# We recommend using a service account with the least permissions necessary. Also when generating a new PAT, select the least scopes necessary." This is extremely vague; good PAT configurations should be given for common use cases, and I expect pure read-only cloning to be a big one.

Gby56 avatar Apr 22 '22 15:04 Gby56

It looks like it requires giving the full "repo" scope, and not just repo:status, repo_deployment, public_repo, repo:invite, security_events?

Gby56 avatar Apr 22 '22 16:04 Gby56

Hello,

I'm facing the exact same issue.

I want to give the least permission (Read only on public and private repository) for an action using a PAT. But it only works with the full repo scope which gives a lot more.

Thanks

matheo-lucak avatar Jun 07 '22 13:06 matheo-lucak

After searching a bit I found that a basic minimal setup would be to use the same set of (restricted) permissions as the GITHUB_TOKEN gives.

It means we can create a "fine-grained personal access token" with the content and metadata permissions.

mifi avatar Oct 25 '22 19:10 mifi

@mifi, is that content: read and metadata: read?

I'm seeing the same problem with fine grained PATs and @actions/checkout@v3

When I use a FG PAT with content: read and metadata: read, and give the PAT's user read access to the given repo, I still see the remote: Write access to repository not granted. error in GitHub Actions.

Why do we need write access to do a read operation?

twistedpair avatar Oct 27 '22 13:10 twistedpair

> @mifi, is that content: read and metadata: read?

Correct. That's what worked for me. I only do a checkout though, nothing else fancy.

mifi avatar Oct 27 '22 17:10 mifi

> @mifi, is that content: read and metadata: read?
>
> I'm seeing the same problem with fine grained PATs and @actions/checkout@v3
>
> When I use a FG PAT with content: read and metadata: read, and give the PAT's user read access to the given repo, I still see the remote: Write access to repository not granted. error in GitHub Actions.
>
> Why do we need write access to do a read operation?

I even tried with full read + write for every permission and I still get that error. Are you by chance specifying a specific ref? and is the repo private?

NorseGaud avatar Nov 01 '22 21:11 NorseGaud

Clarification: I'm using this for a submodule which is a private repo.

$ git submodule
COMMIT_HASH_REDACTED assets (heads/main)

Here's my workflow:

name: Test

on:
  push:

jobs:
  test:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v3
        with:
          submodules: true
          token: ${{ secrets.GH_PAT }}

      - uses: actions/setup-node@v3
        with:
          node-version: 16
          cache: 'yarn'

      - run: yarn install --frozen-lockfile
      - ...

mifi avatar Nov 02 '22 11:11 mifi

I was able to get around this problem with classic tokens with "repo" permission. Unsure what's wrong with Fine-grained, but they are technically "Beta".

NorseGaud avatar Nov 02 '22 12:11 NorseGaud

+1 on @NorseGaud's situation.

I cannot get a checkout of a private repo as a submodule using FG PATs. Works fine with classic PATs and "Repo" permission.

I wonder if this could have to do with the additional Organization settings recently added to allow/block/require approval for FG PATs in organizations? I set FG PATs to be allowed in my org, but I still get these "remote: Write access to repository not granted." errors when trying to do read operations with this action.

twistedpair avatar Nov 02 '22 12:11 twistedpair

Same issue as @NorseGaud and @twistedpair have. Not able to get a checkout of a private organization's repo despite having permission in the FG PAT.

igor-zmitrovich avatar Nov 10 '22 11:11 igor-zmitrovich

https://stackoverflow.com/questions/42148841/github-clone-with-oauth-access-token/66156992#66156992

Apparently you need to set the username to oauth2. For me it isn't working, but maybe this works for you.

hermanbanken avatar Dec 08 '22 13:12 hermanbanken

Today I've created and configured a fine grained PAT on a GitHub organization level successfully. The only required permissions are read access to code and metadata. This issue seems to be resolved.


Setting the token value as GH_PAT in the repository secrets does the job.

      - uses: actions/checkout@v3
        with:
          submodules: true
          token: ${{ secrets.GH_PAT }}

fkromer avatar Feb 23 '23 15:02 fkromer

So just leaving this here. I had the same issue when trying to check out a private org repo in my workflow. I was using the latest actions/checkout@v4. I created a FG token on my user and it was throwing the write error, and it only had read access to content & metadata.

I then found out that at the org level settings I had to enable FG permissions, because by default FG tokens do not have access to org repos.

This way I was able to create an FG for that organization under the resources with just content and metadata read-only permissions.

This is the comment that helped me get there https://github.com/orgs/community/discussions/40910#discussioncomment-4454056

codezninja avatar Sep 06 '23 12:09 codezninja
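Before trusting a fine-grained PAT in a workflow like the ones above, a preflight script can show which submodule URLs the token can actually read, so the "Write access to repository not granted" error surfaces locally rather than in a failed job. This is an added example, not code from actions/checkout or from anyone in this thread; it assumes a constructed .gitmodules pointing at a hypothetical example-org/assets repository and uses the same x-access-token basic-auth header that actions/checkout writes into git config.

```shell
#!/bin/sh
# Preflight check, added as an example (not actions/checkout's own code):
# before relying on a fine-grained PAT in a workflow, confirm it can READ
# every submodule URL in .gitmodules. It authenticates the way
# actions/checkout does: HTTP basic auth with user "x-access-token".
# Only git ls-remote is run; nothing is pushed.

# Header value actions/checkout stores in git config for the token ($1).
auth_header() {
  printf 'AUTHORIZATION: basic %s' \
    "$(printf 'x-access-token:%s' "$1" | base64 | tr -d '\n')"
}

# Print "name url" for every submodule declared in the .gitmodules at $1.
submodule_urls() {
  git config --file "$1" --get-regexp '^submodule\..*\.url$' |
    sed -E 's/^submodule\.(.*)\.url (.*)$/\1 \2/'
}

# Read-only probe of one URL ($1) with token ($2); 0 if the token can read it.
# The token travels in the header, not in argv, so it does not show in ps.
check_read() {
  git -c "http.extraheader=$(auth_header "$2")" \
    ls-remote --exit-code "$1" HEAD >/dev/null 2>&1
}

# Constructed sample .gitmodules (hypothetical org/repo), written to $1.
write_sample_gitmodules() {
  printf '[submodule "assets"]\n\tpath = assets\n\turl = %s\n' \
    'https://github.com/example-org/assets.git' > "$1"
}

# Probe every submodule; exit 1 if any is unreadable with this token.
preflight() {
  token="$1"; modfile="${2:-.gitmodules}"; rc=0
  list=$(mktemp); submodule_urls "$modfile" > "$list"
  while read -r name url; do
    if check_read "$url" "$token"; then echo "ok   $name $url"
    else echo "FAIL $name $url (token cannot read it)"; rc=1; fi
  done < "$list"
  rm -f "$list"; return $rc
}

# Usage: GH_PAT=... sh preflight.sh [path/to/.gitmodules]
# [ -n "$GH_PAT" ] && preflight "$GH_PAT" "${1:-.gitmodules}"
```

Run it from the superproject with the PAT in GH_PAT; a FAIL line for a submodule means the token (or the org's fine-grained PAT policy) does not grant read access to that repository.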