-
I also second this, it would be nice if we can define in the permissions configuration section which other repos that belong to the same organization the GITHUB_TOKEN has access to. The use case for me is consuming shared terraform modules defined in a standalone repo, e.g. 1 repo for shared infra, several repos consuming the shared infra. As of now to get terraform init to work correctly we have to go through several unpleasant hops like creating a PAT and updating git config.
-
+1 from me as well. My use cases are:
-
+1 looks like there is no option other than defining an organization-level secret as a token.
-
It would be nice to have a setting so that all private action runners can access all packages in this org.
-
I have just been able to solve the problem in our repo. There is an option in the package settings to give certain repositories within the same organization access from GitHub Actions. https://github.com/orgs/XXorgaXX/packages/npm/XXrepoXX/settings. Additionally, I had to add the registry URL in the setup-node step:
-
My colleagues and I maintain internal R packages in GitHub repos (not the same as "GitHub Packages", which we don't use). We want to have an ecosystem of R packages that depend on one another, and the checks in https://github.com/r-lib/actions rely on the ability of every internal R package to be installed from every internal GitHub Actions repo. To make this work, every user needs to create their own personal access token, which is painful for experienced developers and utterly confusing for new users. @github, would you please allow
-
Same issue when I try to access terraform modules inside an action. Please @github, any secure solution?
-
Yes pls!
-
+1, we run a git clone of another repo within the same org as part of one of our workflows and this would be way better than using a user-tied PAT
-
Have the same issue. Tried with another org and it works good. Magic
-
Yup. Necessary to avoid having long-lived PATs as secrets.
-
+1 would love to have this
-
+1
-
I've developed a GitHub action to create on-demand access tokens, see https://github.com/qoomon/actions--access-token. You just need to install the GitHub Access Manager App, create (You could also self-host the GitHub App server part on your own)

Usage example

```yaml
name: GitHub Actions Access Manager Example
on:
  workflow_dispatch:
  push:
    branches:
      - main
jobs:
  checkout:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # allows the job to request a GitHub Actions OIDC token
      id-token: write
    steps:
      # request a token for the target repository, limited to contents: read
      - uses: qoomon/actions--access-token@v3
        id: access-token
        with:
          repository: <TARGET_REPO>
          permissions: |
            contents: read
      # check out the target repository with the token from the previous step
      - uses: actions/checkout@v4
        with:
          repository: <TARGET_REPO>
          token: ${{ steps.access-token.outputs.token }}
```
-
It would be very nice if GitHub would provide us with a more elegant solution to tackle this issue, which for Golang developers is not at all uncommon. In my case the problem was running

Our fix for this was using a GH app, we used create-github-app-token to get the token generated and this part worked without issues.

```yaml
- uses: actions/create-github-app-token@v1
  id: app_token
  with:
    app-id: ${{ secrets.ORR_APP_ID }}
    private-key: ${{ secrets.ORR_PRIVATE_KEY }}
    owner: MyOrg
```

Another problem that we hit was with the below line in our Dockerfile:

```dockerfile
ENV GOPRIVATE=github.com/MyOrg/*
RUN git config --global url.https://[email protected]/.insteadOf https://github.com/
```

This was working fine with a PAT token, but after switching to a GH App token it started failing with an error:

It took me a whole day of reading different threads, reddits and SO posts to find a solution, and I am still not sure why it did work, and what was forcing the error to happen, but changing the

```dockerfile
RUN git config --global url.https://x-access-token:[email protected]/.insteadOf https://github.com/
```

I don't know if this will help anyone, but I thought it might be good to share the experience as it is related, and if somebody out there knows why this happened to me please do enlighten me 😸
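On the `x-access-token:` prefix in the comment above, as an added example that is not part of the original post: GitHub App installation tokens authenticate git over HTTPS with the fixed username `x-access-token` and the token as the password. The sketch below scopes the URL rewrite to one org and passes it through git's `GIT_CONFIG_COUNT` environment variables (Git 2.31 or later) instead of `git config --global`, so the token is not written to a config file or an image layer; the function names and the `APP_TOKEN` variable are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Print the authenticated base URL for one org. The installation token goes in
# the password field; the username is the fixed string "x-access-token".
auth_base_url() {
    org=$1
    token=$2
    case $org in
        ''|*[!A-Za-z0-9-]*)
            echo "invalid org name: $org" >&2; return 1 ;;
    esac
    # Accept only URL-unreserved characters so the token cannot break the URL.
    case $token in
        ''|*[!A-Za-z0-9._~-]*)
            echo "token is empty or has unexpected characters" >&2; return 1 ;;
    esac
    printf 'https://x-access-token:%s@github.com/%s/' "$token" "$org"
}

# Run a command with the rewrite active for that process only. Only URLs under
# https://github.com/<org>/ are rewritten; other GitHub URLs stay anonymous.
with_org_token() {
    org=$1
    token=$2
    shift 2
    base=$(auth_base_url "$org" "$token") || return 1
    GIT_CONFIG_COUNT=1 \
    GIT_CONFIG_KEY_0="url.${base}.insteadOf" \
    GIT_CONFIG_VALUE_0="https://github.com/${org}/" \
        "$@"
}

# Usage (APP_TOKEN is an assumed variable holding the installation token):
#   GOPRIVATE='github.com/MyOrg/*' with_org_token MyOrg "$APP_TOKEN" go mod download
```

In a Dockerfile the token would reach the `RUN` step through a build secret rather than `ENV` or `ARG`, which are recorded in the image history.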
-
+1 we need this feature also.
-
Select Topic Area
Product Feedback
Body
Hello,
It appears that the GITHUB_TOKEN secret that is available in GitHub Actions environments does not have the ability to be configured to read private repositories within the same organization. The only workaround right now is to create permissive PATs that allow this. It seems strange that a PAT is required to read a repository, but not a private package in the GitHub package repository.

Should this be a feature request on the permissions available to GITHUB_TOKEN?