GITHUB_TOKEN does not have permissions to read other private repos in the same organization

[jabalsad]

Select Topic Area

Product Feedback

Body

Hello,

It appears that the GITHUB_TOKEN secret that is available in Github Actions environments does not have the ability to be configured to read private repositories within the same organization. The only workaround right now is to create permissive PATs that allow this. It seems strange that a PAT is required to read a repository, but not a private package in the github package repository.

Should this be a feature request on the permissions available to GITHUB_TOKEN?

[ilmax]

I also second this, it would be nice if we can define in the permissions configuration section which other repos that belongs to the same organization the GITHUB_TOKEN has access to.

The use case for me is consuming shared terraform modules defined in a standalone repo, e.g. 1 repo for shared infra, several repos consuming the shared infra. As of now to get terraform init work correctly we have to go through several unpleasant hops like creating a PAT and updating git config.
It would be nice if we could get this working OOB with a simple permissions change in the workflow and probably a flag on a repo level to allow actions running from other repos to interact with it

[qoomon]

probably the closest solution => https://github.com/orgs/community/discussions/46566#discussioncomment-9638833

[dennysis]

It not working properly , it still has an error

[asbjornu]

+1 from me as well. My use case are:

1. Having a central key repository which is accessed by other repositories' GitHub Actions during builds and releases to Apple TestFlight and App Store (for use with Fastlane specifically).
2. Private repositories as Git submodules. The workaround of creating a GitHub App which has read-access to the required repositories as proposed in Support private repositories and private submodules actions/checkout#287 (comment) works, but feels like a massive hack.

[qoomon]

Maybe my action could be useful for your use case https://github.com/qoomon/actions--access-token

[prabhat-sc]

+1 looks like there is no option other than defining a an organization level secret as a token.

[probitdavid]

It would be nice to have a setting that is all private action runners can access all packages in this org.
This would remove the need for PAT as a secret and also make dependabot updates MUCH simpler as there would be no need to add tokens to that world too

[babu-izhan-5001312]

Hi, I am working on adding dependabot in my repos, but the github actions are failing as it does not have access to other private repos. How are you currently giving the github action that was triggered by dependabot access to private repos ?

[KT-Anja]

I have just been able to solve the problem in our repo. There is an option in the package settings to give certain repositories within the same organization access from the Github Actions. https://github.com/orgs/XXorgaXX/packages/npm/XXrepoXX/settings.

Additionally, I had to add the registry URL in the setup-node step:

uses: actions/setup-node@v3
    with:
        registry-url: https://npm.pkg.github.com 
        scope: "@XYZ"

[giner]

This only works for GitHub Packages which belong to other repositories but not other repositories themselves. Also it doesn't work for Maven repositories (not related to question in the topic though).

[wlandau]

It appears that the GITHUB_TOKEN secret that is available in Github Actions environments does not have the ability to be configured to read private repositories within the same organization. The only workaround right now is to create permissive PATs that allow this. It seems strange that a PAT is required to read a repository, but not a private package in the github package repository.

My colleagues and I maintain internal R packages in GitHub repos (not the same "GitHub Packages", which we don't use). We want to have an ecosystem of R packages that depend on one another, and the checks in https://github.com/r-lib/actions rely on the ability of every internal R package to be installed from every internal GitHub Actions repo. To make this work, every user needs to create their own personal access token, which is painful for experienced developers and utterly confusing for new users.

@github, would you please allow GITHUB_TOKEN to have read access to internal repositories within the same organization? This is absolutely critical for what so many of us are trying to do (related: https://github.com/orgs/community/discussions/46566), and it will be more secure than PATs because GITHUB_TOKEN is a temporary one-time token.

[wlandau]

An update: my organization somehow created an org-level secret that members can successfully use as if it were a PAT for the purpose of cloning other internal repositories inside GitHub Actions workflows. I will try to find out how they did that and then report back.

[wlandau]

Could be a while before I hear back, but let's remember here that GITHUB_TOKEN would be much more secure than a custom org-level token because the former is short-lived and gets a new value for every workflow run.

[MC-Dave]

I second this. It would not only be convenient to have, but it would also allow for a more secure development and deployment workflow.

For example, python's pip allows for ENV variable expansion in requirements.txt files. In order to install from a private github repo, an access token must be provided in the requirements.txt file in the form of an ENV variable. This flow would work seamlessly in github actions with the GITHUB_TOKEN IFF one could give org-level read permissions to said token.

[vgpastor]

Same issue when i try to access terraform modules inside an action, terraform init can't access private repos in the same organization.

Please @github any secure solution?

[air3ijai]

Did you try to use a solution with GitHub Apps from comment above?

[landsman]

Yes pls!

[alona-shevliakova]

+1

[mvarchdev]

+1!

[nassorh]

+1

[cvicenti]

+1, we run a git clone of another repo within the same org as part of one of our workflows and this would be way better than using a user-tied PAT

[dspv]

Have the same issue. Tried with another org and it works good. Magic

[earlye]

Yup. Necessary to avoid having long-lived PATs as secrets.

[danielbressan]

+1 would love to have this

[nagarrianharshit]

+1
My use case is to trigger workflow present in another repository from the current repository workflow.
Like reusing the workflows, having a different repository for workflows and reusing them in other repos.
Right now I will have to provide PAT token for calling the workflow, can't use GITHUB_TOKEN as the repos are different.

[air3ijai]

Can that be solved by the GitHub App - GitHub Apps overview?

1. Create App in your account or org
2. Install that app in all involved repositories
3. Automate token generation using actions like tibdex/github-app-token@v2
4. Use generated token in your workflow

[hervenivon]

Yes, I achieved this last week following those steps.

[qoomon]

I've developed an GitHub action to create on demand assess tokens, see https://github.com/qoomon/actions--access-token.
With these tokens you can clone private repositories if access was granted.

You just need to install the GitHub Access Manager App, create .github/access-token.yaml files and you are good to go.

(You could also self-host the GitHub App server part on you own)

Usage example

name: GitHub Actions Access Manager Example
on:
  workflow_dispatch:
  push:
    branches:
      - main

jobs:
  checkout:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write

    steps:
      - uses: qoomon/actions--access-token@v3
        id: access-token
        with:
          repository: <TARGET_REPO>
          permissions: |
            contents: read

      - uses: actions/checkout@v4
        with:
          repository: <TARGET_REPO>
          token: ${{ steps.access-token.outputs.token }}

[qoomon]

@nagarrianharshit this action would also solve your problem, because GitHub app tokens can also trigger workflows.
If you want to trigger a workflow by a git commit you can do this bei combining qoomon/actions--access-token and qoomon/actions--create-commit or just using the actions/checkout action with the token from qoomon/actions--access-token

[breno-ca]

+1

[MirzaMerdovic]

It would be very nice if GitHub would provide us with more elegant solution to tackle this issue, which for Golang developers is not at all uncommon.

In my case the problem was running go mod download which was pulling several private repositories.
Our original solution was using a PAT which worked, but as we all are aware using PAT is more of a hack then a proper solution unless you are a single developer.

Our fix for this was using a GH app, we used create-github-app-token to get the token generated and this part worked without issues.

  - uses: actions/create-github-app-token@v1
    id: app_token
    with:
      app-id: ${{ secrets.ORR_APP_ID }}
      private-key: ${{ secrets.ORR_PRIVATE_KEY }}
      owner: MyOrg

Other problem that we hit was with below line in our Dockerfile:

ENV GOPRIVATE=github.com/MyOrg/*
RUN git config --global url.https://[email protected]/.insteadOf https://github.com/

This was working fine with PAT token, but after switching to GH App token it started failing with an error:

#12 1.203 go: github.com/MyOrg/[email protected]: reading github.com/MyOrg/MyRepo/go.mod at revision v0.12.5: git ls-remote -q origin in /go/pkg/mod/cache/vcs/0a9a276b8d8825f26877bf1eb254790355782b22d62a11f8836fd92a8ed6d8c5: exit status 128:
#12 1.203 	fatal: could not read Password for 'https://***@github.com': terminal prompts disabled
#12 ERROR: process "/bin/sh -c go mod download -x" did not complete successfully: exit code: 1

It took me a whole day of reading different threads, reddits and SO posts to find a solution, and I am still not sure why it did work, and what was forcing the error to happen, but changing the git config line to this:

RUN git config --global url.https://x-access-token:[email protected]/.insteadOf https://github.com/

I don't know if this will help anyone, but I thought it might be good to share the experience as it is related, and if somebody out there knows why this happened to me please do enlighten me 😸

[qoomon]

have a look at https://github.com/orgs/community/discussions/46566#discussioncomment-9638833 for a more elegant solution

[MirzaMerdovic]

Thanks, your action looks nice, but as GH offers an official app for token generation I think it makes sense to stick with it.
On the other hand intent of my post was to point towards the git config problem that I have encountered and that other people might get as well.

[brobits]

+1 we need this feature also.