What permissions does a fine-grained token need in order to access a private repository for the checkout action? #1796
Replies: 3 comments
-
I made a token that had read on Contents and Metadata and I was able to check out another private repository with no problem. I didn't read in your initial description that you actually gave it access to Contents so I wasn't sure if you'd done that initially or not. I also use this running on an ubuntu-latest runner, whereas I see yours is Windows, though I would imagine that doesn't have any actual impact.
-
I encountered the same issue. It would be appreciated if the guidance were written in the official documentation of this repo.
-
TL;DR - you need read access to "Contents" and "Metadata" for all submodules AND the repository in which the GitHub action is running.
Hope this is helpful.
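A workflow sketch matching the token permissions described in the replies above, added here as an example and not taken from the thread or from the checkout action's own documentation. The organization, repository, path and secret names are hypothetical placeholders.

```yaml
# Added example. my-org/repo-b, the path "repo-b" and the secret name
# REPO_B_READ_TOKEN are hypothetical placeholders.
#
# Fine-grained PAT stored in REPO_B_READ_TOKEN, configured as the replies describe:
#   Repository access:      repo B, each submodule repository, and the
#                           repository in which this workflow runs
#   Repository permissions: Contents = Read-only, Metadata = Read-only
name: checkout-private-repo

on: workflow_dispatch

# Keep the default GITHUB_TOKEN read-only; it is scoped to this repository only.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Repository A (the one containing this workflow) uses the default github.token.
      - uses: actions/checkout@v4

      # Repository B and its submodules are fetched with the fine-grained PAT.
      - uses: actions/checkout@v4
        with:
          repository: my-org/repo-b
          token: ${{ secrets.REPO_B_READ_TOKEN }}
          path: repo-b
          submodules: recursive
          # Do not leave the PAT in the clone's git config for later steps.
          persist-credentials: false
```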
-
From within a workflow I'm trying to perform the checkout action to clone a private repository other than that which contains the workflow (i.e. the workflow is within repository A, but I'm trying to clone repository B, both of which are private and within the same organization).
Since the secondary repository is private I understand "${{ github.token }} is scoped to the current repository, so if [I] want to checkout a different repository that is private [I] will need to provide [my] own PAT" as mentioned here.
I understand I have two options:
According to the documentation on managing your personal access tokens "GitHub recommends that you use fine-grained personal access tokens instead of personal access tokens (classic) whenever possible."
I tried to do this, but received an error which directed me to the Get a Repository header in the Rest API documentation, which says very simply:
The fine-grained token must have the following permission set: "Metadata" repository permissions (read)
so I remade the token with access to that repository and with the metadata having read only access. Still no dice, now I get an error saying:
So then I made a new token and gave this one read access to metadata, and read and write access to both actions and workflows, but I just get the same error.
I was able to figure out a workaround: I made my token with permissions as closely resembling those which are given to the default GITHUB_TOKEN. While this works for now, I would still like to know the minimal permissions necessary to make use of the checkout action.
Questions: