Problem with action/chekout another private repo, PAT not working

[mfn]

Hi,

I’ve a job in repo_a which also needs a checkout of repo_b.

Both are private repositories within the same organization (call it “the_org”).

I followed allt the guides: https://github.com/actions/checkout#Checkout-multiple-repos-private and there’s also https://github.community/t5/GitHub-Actions/Best-way-to-clone-a-private-repo-during-script-run-of-private/m-p/20221 but none of this works.

This is the job definition:

- name: Checkout code  
uses: actions/checkout@v2

name: Checkout repo_b

uses: actions/checkout@v2

with:

repository: the_org/repo_b

token: ${{ secrets.PAT_CHECKOUT_REPO_B }}

path: repo_b

I made double sure that the secret is there, that it’s named correctly, etc.

I always end up with this error

Run actions/checkout@v2  
with:  
repository: the\_org/repo\_b  
path: repo\_b  
persist-credentials: true  
clean: true  
fetch-depth: 1  
lfs: false  
env:  
cache-key: cache-v1  
extensions: bcmath, curl, fpm, gd, intl, mbstring, pgsql, xml, zip  
ini-values: memory\_limit=-1  
Added matchers: 'checkout-git'. Problem matchers scan action output for known warning or error strings and report these inline.  
Syncing repository: the\_org/repo\_b  
Working directory is '/home/runner/work/repo\_a/repo\_a/repo\_b'  
/usr/bin/git version  
git version 2.25.0  
/usr/bin/git init /home/runner/work/repo\_a/repo\_a/repo\_b  
Initialized empty Git repository in /home/runner/work/repo\_a/repo\_a/repo\_b/.git/  
/usr/bin/git remote add origin [https://github.com/the\_org/repo\_b](https://github.com/the_org/repo_b)  
/usr/bin/git config --local gc.auto 0  
/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader  
/usr/bin/git config --local http.[https://github.com/.extraheader](https://github.com/.extraheader) AUTHORIZATION: basic \*\*\*  
/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +refs/heads/master:refs/remotes/origin/master  
##[error]fatal: could not read Username for '[https://github.com](https://github.com)': terminal prompts disabled  
The process '/usr/bin/git' failed with exit code 128  
Waiting 17 seconds before trying again  
/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +refs/heads/master:refs/remotes/origin/master  
##[error]fatal: could not read Username for '[https://github.com](https://github.com)': terminal prompts disabled  
The process '/usr/bin/git' failed with exit code 128  
Waiting 13 seconds before trying again  
/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +refs/heads/master:refs/remotes/origin/master  
##[error]fatal: could not read Username for '[https://github.com](https://github.com)': terminal prompts disabled  
Removed matchers: 'checkout-git'  
##[error]The process '/usr/bin/git' failed with exit code 128

I tried the PAT locally and it worked, though indeed locally I was asked interactively for a username; I entered mine and the PAT was accepted a the password.

Is there something I’m missing?

thanks,

• Markus

[weide-zhou]

Hi @mfn ,

Your sample code works fine on my side, it can checkout repo_b without any problem.

I can reproduce your error if i delete the secrets in repo_a. 

Checkouterror.png922×512 40.3 KB

Hence, please check the secrets setting for repo_a, confirm secrets with correct PAT is created, and there’s not any typo, or you can create a new PAT and set it as secrets for testing.

Thanks.

[mfn]

You’re absolutely right, it works as documented / expected.

I’m officially an idiot because I was pre-testing stuff on separate repos first and simply added the secret to the wrong repository 💥

Curious question: I did try out the PAT on git cli locally to confirm it works. I was asked for a username there and the PAT instead of my password, it worked.

A github checkout action doesn’t have my “username”, why does it work there? Or: why is the username for a PAT not required? Or why is required for the https endpoint? :slight_smile:

Thanks!

[weide-zhou]

The config option ‘actions/checkout’ use is the .extraheader property which directly adds the auth header to the http requests in git and that is very likely what is being using to authenticate even if the action the user is trying to use specifies a PAT in the URL. That’s why user name is not needed. Thanks.

extraheader.png722×272 19.9 KB