How to checkout a private submodule from a github action?

[jaredly]

Apparently the $GITHUB_TOKEN only has permissions for the current repo (which makes sense) – is there a way to allow access to another private repo?

It’s currently failing:

Submodule 'secrets' ([email protected]:{}/{}.git) registered for path 'secrets'
Cloning into '/home/runner/work/{}/{}/secrets'...
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights

and the repository exists.

fatal: clone of '[email protected]:{}/{}.git' into submodule path '/home/runner/work/{}/{}/secrets' failed

Failed to clone 'secrets'. Retry scheduled

[oldskool]

You should be able to set a custom token when using the checkout action. So, if you have a token that you know will have access to both your current repo as well as the submodule(s), you can run a step like:

- uses: actions/checkout@v1
  with:
    token: ${{ secrets.ACCESS_TOKEN }}
    submodules: true

Which would use a secret called “ACCESS_TOKEN” (which you should then create in the repository that runs your workflow) to pull the repositories.

[jaredly]

Cool yeah that makes sense. I only wish there were a way to generate a custom token with restricted access to only a couple of repos 😕 I guess I’ll probably make a bot account with limited permissions and go with that.

Thanks!

[Stanzilla]

Sadly they broke that with actions@v2 so beware when updating! You now have to use something like this if you want to keep using SSH URLs instead of HTTPS:

steps:
      - uses: actions/checkout@v2
      - name: Checkout submodules
        uses: actions/checkout@v2
        with:
          repository: yourPrivateOrg/yourPrivateRepo
          token: ${{ secrets.ACCESS_TOKEN }}
          path: yourPrivateRepo

[yurist38]

I've just had a few hours of debugging and found out that THE TOKEN MUST HAVE AN EXPIRATION DATE! Otherwise, it won't work, be careful.

[nobelwong]

Legend!

[dpmcgabriel]

How to generete the token btw?

[yurist38]

You need to go to Settings -> Developer Settings -> Personal access tokens and then either Fine-grained tokens or Tokens (classic) (I still use classic ones mostly)

[asbjornu]

As per actions/checkout#287 (comment), it is now possible to use actions/create-github-app-token to create a token usable by actions/checkout as such:

jobs:
  test-submodules:
    runs-on: ubuntu-latest
    steps:
    - name: Get token from Github App
      uses: actions/create-github-app-token@v1
      id: app_token
      with:
        app-id: ${{ secrets.APP_ID }}
        private-key: ${{ secrets.APP_PEM }}
        # owner is required, otherwise the creds will fail the checkout step
        owner: ${{ github.repository_owner }}

    - name: Checkout from GitHub
      uses: actions/checkout@v4
      with:
        submodules: true
        token: ${{ steps.app_token.outputs.token }}

It feels a bit over the top to create an entire GitHub App for this purpose, but it works and is more robust than a personal access token.