docs
docs copied to clipboard
github
Using gh in an workflow seems to require setting GH_TOKEN
Code of Conduct
- [X] I have read and agree to the GitHub Docs project's Code of Conduct
What article on docs.github.com is affected?
https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
What part(s) of the article would you like to see updated?
When I try the suggested workflows I get an error as gh seems to need the GITHUB_TOKEN to be set as GH_TOKEN.
The following works:
- name: Approve a PR
run: gh pr review --approve "$PR_URL"
env:
PR_URL: ${{github.event.pull_request.html_url}}
GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
Additional information
The repo in question is private and within an organization.
Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.
![welcome[bot] avatar](https://avatars.githubusercontent.com/in/4141?v=4 "Published by a pub.dev verified publisher"){kind=small}
Part of the error message shown in the GitHub workflow log when omitting the GH_TOKEN env var:
gh: To use GitHub CLI in a GitHub Actions workflow, set the GH_TOKEN environment variable. Example:
env:
GH_TOKEN: ${{ github.token }}
Error: Process completed with exit code 4.
@cmwilson21 - this requires review by a SME so I've added the relevant label π
Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert :eyes:
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Thank you @mkutz for raising this with us, and @stefanscheidt for confirming the docs are currently incorrect β¨ If you (@mkutz) or someone else in the community are happy to raise a PR that fixes this, it would be great!
For information, the Dependabot team mentioned this article: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
A stale label has been added to this issue becuase it has been open for 60 days with no activity. To keep this issue open, add a comment within 3 days.
I ran into this issue today and note that the error message directly contradicts the documentation here https://docs.github.com/en/actions/using-workflows/using-github-cli-in-workflows
@jsdalton Thank you for reporting this issue! You or anyone else is welcome to open a PR to fix this β¨ I'll reopen this issue - it looks like it was closed by stalebot
Hi @mkutz, @mchammer01, and @nguyenalex836! GH_TOKEN and GITHUB_TOKEN are both respected by GitHub CLI (see CLI docs). In many cases, both will work. But as GITHUB_TOKEN is subject to scoping limitations which may cause conflicts, GH_TOKEN was introduced and given higher precedence to ensure that the proper scopes are present (see CLI closed issue #1229).
This is a tricky one, as both versions of the env are technically valid. So, I wonder if thereβs a solution that avoids changing every relevant instance of GITHUB_TOKEN in the docs, and simply addresses the relationship between the two.
π Here would be a great place to do that, as pointed out by @jsdalton.
If this seems like a good solution, Iβm happy to make the fix and open a PR!
@mark-mxwl π - thanks so much for offering to help here. I think that raising a PR to update Using GitHub CLI in workflows sounds like a good plan.
For this part specifically:
This is a tricky one, as both versions of the env are technically valid. So, I wonder if thereβs a solution that avoids changing every relevant instance of GITHUB_TOKEN in the docs, and simply addresses the relationship between the two.
Roping in @SiaraMist and @skedwards88 as I am not sure what their preference would be.
+1 on this issue.
I'm using the following code with a custom PAT:
env:
GH_TOKEN: ${{ secrets.WORKFLOW }}
And receiving the same error message:
gh: To use GitHub CLI in a GitHub Actions workflow, set the GH_TOKEN environment variable. Example:
env:
GH_TOKEN: ${{ github.token }}
Thanks everyone for your input! I think users often copy a workflow without reading all of the caveats/reading Using GitHub CLI in workflows. With that in mind, it probably makes sense to update all places to use GH_TOKEN. To do that, you can either:
- Just update Using GitHub CLI in workflows to use
GH_TOKENinstead ofGITHUB_TOKEN, and open an issue stating that we should also update the other places where we set theGITHUB_TOKENvariable for a GitHub CLI command
OR
- Update all places where we set the
GITHUB_TOKENvariable for a GitHub CLI command to set aGH_TOKENvariable instead.
Thx @skedwards88! Considering the options, I think it'd be best to do this one go and avoid the hassle of having to revisit later. I'm happy to make changes to all instances that need updating (last time I checked there were 33--so not too bad). I'll have a PR up shortly π
This is still occurring for me on a workflow even though im setting the GH_TOKEN env:
env:
GH_TOKEN: ${{ secrets.PAT }}
@surgiie Thank you for letting us know π !
At this point, this question would best be handled by our support team. Please reach out to them for assistance β¨
If there's anything in the documents that you have suggestions for updating, please feel free to open an issue π
Hi @surgiie,
I'm stuck with the same issue, I suppose that the error_log is just wrong in our case, while the GH_TOKEN env is clearly set.
I could not find any other resource related to this. Did you ever find what the issue was ?
The exact log, for others searching is:
gh: To use GitHub CLI in a GitHub Actions workflow, set the GH_TOKEN environment variable. Example:
env:
GH_TOKEN: ${{ github.token }}
Error: Process completed with exit code 4.
Hi @surgiie,
I'm stuck with the same issue, I suppose that the error_log is just wrong in our case, while the
GH_TOKENenv is clearly set.I could not find any other resource related to this. Did you ever find what the issue was ?
The exact log, for others searching is:
gh: To use GitHub CLI in a GitHub Actions workflow, set the GH_TOKEN environment variable. Example: env: GH_TOKEN: ${{ github.token }} Error: Process completed with exit code 4.
For me, it was due to the fact that the workflow was triggered by dependabot which doesnt have access to secrets so ${{ secrets.PAT_TOKEN }} is empty. If this is the case for you, you can read more about it here:
https://github.com/dependabot/dependabot-core/issues/3253
Stuck with the same issue as PAC token is not access for workflow, anyone can provide some help? Paste the issue content here https://github.com/cli/cli/issues/9253:
This is how I workflow looks like https://github.com/InftyAI/Awesome-LLMOps/blob/main/.github/workflows/kube-actions.yaml, so I have three jobs here:
- on-new-push
- on-new-comment
- on-pr-merge
I set an PAT and make it an org secret. However, only the on-new-comment can work, the other two jobs will report error like:
shell: /usr/bin/bash -e {0}
env:
GH_TOKEN:
gh: To use GitHub CLI in a GitHub Actions workflow, set the GH_TOKEN environment variable. Example:
env:
GH_TOKEN: ${{ github.token }}
Thanks!
@kerthcet Thank you for letting us know π !
At this point, this question would best be handled by our support team. Please reach out to them for assistance β¨
If there's anything in the documents that you have suggestions for updating, please feel free to open an issue π