Accessing another repository with GitHub CLI in GitHub Actions

2

7

I'm trying to access another GitHub repo with the gh CLI as part of a workflow. I am using the gh release view command as below:

run: |
  echo "::set-output name=description::$(gh release view --repo <owner/repo>)"
env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

The workflow is failing with 404. I understand it's because the repo is private, even though both repositories have the same owner. When authenticated locally, the command works just fine.

Is there any way to access that repo in the workflow?

Lezlie answered 10/2, 2022 at 16:12 Comment(1)
Did you try using a Personal Access Token (from an account that has access to the private repo) instead of the GITHUB_TOKEN? The default token from GitHub Actions only has a specific scope of permissions, and probably not the one you need here. - Perfoliate
14

The GITHUB_TOKEN is scoped only to the triggering repository. If you need to access any resources in other repositories or in other accounts then you need to pass a token with a wider scope to the checkout step. This can be a GitHub App token, a Personal Access Token etc.

Store the token in the Secrets/Actions and pass it to the checkout task's token parameter.

Alternatively you can pass in an ssh key through the ssh-key parameter.

- uses: actions/checkout@v2
  with:
    # Repository name with owner. For example, actions/checkout
    # Default: ${{ github.repository }}
    repository: ''

    # Personal access token (PAT) used to fetch the repository. The PAT is configured
    # with the local git config, which enables your scripts to run authenticated git
    # commands. The post-job step removes the PAT.
    #
    # We recommend using a service account with the least permissions necessary. Also
    # when generating a new PAT, select the least scopes necessary.
    #
    # [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
    #
    # Default: ${{ github.token }}
    token: ''

    # SSH key used to fetch the repository. The SSH key is configured with the local
    # git config, which enables your scripts to run authenticated git commands. The
    # post-job step removes the SSH key.
    #
    # We recommend using a service account with the least permissions necessary.
    #
    # [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
    ssh-key: ''

The same applies to calling resources in other repositories through an API or GitHub CLI.

Osteitis answered 10/2, 2022 at 18:6 Comment(7)
A follow-up question. I have several private repositories under the same organization in GitHub. Let's call them REPO-A, REPO-B and REPO-C. REPO-A has a dependency to install from REPO-B and REPO-C. I can't add the same deploy key on both REPO-B and REPO-C, so I would need to use two separate SSH keys to access both repositories. How can this be done? - Guileful
Since each checkout runs in its own step, you could register 3 ssh keys as 3 secrets and pass each to the respective key. A normal user's SSH key has all the same permissions that that user has. If you create a 'machine user' (a normal user in GitHub you use for automation), you can grant it the right permissions and generate an ssh key. - Osteitis
The second checkout seems to overwrite the content of the previous repo's checkout. Is it possible to set a working directory? - Aircrewman
@IftikharAli, sure, add path: "foldername". - Osteitis
Thanks @jessehouwing. That worked. It creates folder Repo1/Repo2. Is it possible to go one level up? I haven't tried ../ - Aircrewman
../folderName is not allowed. Getting this error: Repository path '/home/ubuntu/actions-runner/_work/repo1/foldername' is not under '/home/ubuntu/actions-runner/_work/repo1/repo1' - Aircrewman
Set a folder on your 1st checkout task too. That way each repo is checked out in a subfolder under the workflow root. - Osteitis
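
The answer and comments above combined into one workflow, as an added example that is not part of the original posts: each repository is checked out into its own subfolder with its own deploy key, and the gh step receives a token that can read the other private repository. The organization name, secret names and folder names are placeholders, and writing the step output to $GITHUB_OUTPUT instead of ::set-output is a choice made for this example.

```yaml
# Constructed workflow; my-org/*, the secret names and the folder names are placeholders.
name: cross-repo-access
on: workflow_dispatch

permissions:
  contents: read   # the default GITHUB_TOKEN stays read-only and covers this repo only

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Triggering repository: the default token is sufficient.
      # Giving it a path keeps every checkout in a subfolder of the workspace.
      - uses: actions/checkout@v2
        with:
          path: repo-a

      # One read-only deploy key per private dependency, each stored as its own secret.
      - uses: actions/checkout@v2
        with:
          repository: my-org/REPO-B
          ssh-key: ${{ secrets.REPO_B_DEPLOY_KEY }}
          path: repo-b
      - uses: actions/checkout@v2
        with:
          repository: my-org/REPO-C
          ssh-key: ${{ secrets.REPO_C_DEPLOY_KEY }}
          path: repo-c

      # gh reads its token from the environment. The default GITHUB_TOKEN gets a
      # 404 for REPO-B, so supply a token that can read that one repository.
      - id: release
        run: |
          {
            echo "description<<RELEASE_EOF"
            gh release view --repo my-org/REPO-B
            echo "RELEASE_EOF"
          } >> "$GITHUB_OUTPUT"
        env:
          GITHUB_TOKEN: ${{ secrets.REPO_B_READ_TOKEN }}
```

Later steps can read the text as steps.release.outputs.description; the heredoc-style delimiter is what lets a multi-line release description survive as a single output.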
0

Just in case someone still needs it.

I came up with a similar problem and I was able to solve it with the help of the webfactory/ssh-agent action which can be found on the GitHub actions marketplace.

I only needed to configure a new SSH key without a passphrase, and then follow the instructions in the action's description, which are pretty straightforward. That action even allows you to pull content from multiple private repositories.

Typewrite answered 8/3 at 17:53 Comment(0)