
GitHub fine grained access tokens stopped working

Open ascl00 opened this issue 2 months ago • 7 comments

Before you start please confirm the following.

Problem Description

This was working, but stopped, and I'm not sure when. In the last 30 days my token expired, and I updated it and it was working, but I logged in today and tried to create a new stack and it was not working. I updated to Portainer 2.33.2 LTS thinking maybe this will help, but it does not.

Unfortunately it's unclear to me how to debug this usefully.

From the portainer logs I see this:

2025/10/29 03:57AM ERR github.com/portainer/portainer-ee/api/scheduler/scheduler.go:125 > job returned an error, it will be rescheduled | error="failed to get credential by credential ID. Error: object not found inside the database (bucket=git_credentials, key=1)"
2025/10/29 03:57AM DBG github.com/portainer/portainer-ee/api/http/security/bouncer.go:423 > HTTP error | error="authentication required: invalid credentials" msg="Git returned an error for listing refs" status_code=500

Using a curl command, the token does seem to work, i.e.

curl -H 'Authorization: token <snip>' https://raw.githubusercontent.com/ascl00/portainer-compose/refs/heads/main/beszel-compose.yml

successfully pulls the yaml file.

This particular GitHub repo is private, and the token has "Read access to code and metadata" (which the curl command seems to confirm).

Expected Behavior

GitHub to be readable.

Actual Behavior

GitHub private repo access fails with an authentication error.

Steps to Reproduce

  1. Create Stack
  2. Select saved git credentials
  3. Enter Repository URL (why oh why isn't the URL saved with the credentials?)
  4. See error: Authentication required: invalid credentials

Portainer logs or screenshots

2025/10/29 03:57AM ERR github.com/portainer/portainer-ee/api/scheduler/scheduler.go:125 > job returned an error, it will be rescheduled | error="failed to get credential by credential ID. Error: object not found inside the database (bucket=git_credentials, key=1)"
2025/10/29 03:57AM DBG github.com/portainer/portainer-ee/api/http/security/bouncer.go:423 > HTTP error | error="authentication required: invalid credentials" msg="Git returned an error for listing refs" status_code=500

Portainer version

2.33.2

Portainer Edition

Business Edition (BE/EE) with 5NF / 3NF license

Platform and Version

TrueNAS 25.04.1

OS and Architecture

TrueNAS 25.04.1 x86-64

Browser

Safari

What command did you use to deploy Portainer?


Additional Information

No response

ascl00 avatar Oct 29 '25 04:10 ascl00

Hello @ascl00, just confirming: did you update your git token in Portainer?

Nick-Portainer avatar Oct 29 '25 21:10 Nick-Portainer

Yes, under my profile "Git Credentials". It doesn't display the key, and there is no "update" date, only a "create" date, so it's hard to verify if it has correctly saved the key. I did also completely delete the entry and re-create it.

EDIT: For the sake of completeness I have created new and tested both fine grained access tokens and a legacy token, and neither work.

To ensure I'm not doing something entirely stupid, I also used the git command line client with the very same legacy and fine grained token successfully.

ascl00 avatar Oct 30 '25 22:10 ascl00

Aaaand I have a solution-ish. I deleted the credentials and started again.

If I save the credential via the stack, as a basic auth rather than a token, it works. I'm sure this isn't intended behaviour, but at least I have a solution for now.

EDIT: There is clearly still a bug here. If you need me to provide more information or test something, please let me know.

ascl00 avatar Oct 31 '25 02:10 ascl00

Same here. New Portainer, new repo, and new token. Doesn't work when Auth is set to “Token.” If you switch to “Basic” (thanks @ascl00), it works perfectly.

ButlerMiles avatar Nov 01 '25 11:11 ButlerMiles

I can confirm the same behavior with version 2.33.3 LTS.

mdbreger avatar Nov 06 '25 10:11 mdbreger

@ascl00 Basic or Token depends on what your provider supports; some require basic and some require token. Your initial issue appears to be that your credentials were missing from your Portainer database, and refreshing it like you did is the reason this was resolved.

Nick-Portainer avatar Nov 06 '25 21:11 Nick-Portainer

Maybe this is an issue with the token.

I noticed that I can't create a fine-grained token with access to private repos in GitHub. Whenever I update the token and double-check the result, it is set to "only public repositories".

Radon8472 avatar Nov 27 '25 08:11 Radon8472