Checking out private repository

[stell]

I don't get this to work. I have a private repo I need to checkout and use in another private repo of mine.
So inside the workflow I'm doing this:

  - name: Checkout small private repo
    uses: actions/checkout@v2.3.4
    with:
      repository: name/smallprivaterepo         
      path: build/

Also added token: ${{ secrets.REPO_ACCESS_TOKEN }} but getting Retrieving the default branch name. Bad credentials.

What is going wrong?

[dhamo-pk]

You need to add token to checkout the private repo with correct permissions.

How to create PAT with checkout permissions to checkout a private repository ?
Create a personal access token (PAT) with the repo scope. You can do this by going to your GitHub profile settings, selecting "Developer settings", then "Personal access tokens", and clicking "Generate new token". Make sure to copy the token value as it will not be displayed again.

- name: Checkout private repository
        uses: actions/checkout@v2
        with:
          repository: username/private-repo-name
          ref: main
          token: ${{ secrets.PAT }}

[arnodunstatter]

But that gives access to all personal private repositories via that token. I'm trying to use the fine-grained tokens to avoid this pitfall, but despite having given it read and write access to Actions and Workflows, and giving it read-only access to Metadata, I continue to get The process 'C:\Program Files\Git\bin\git.exe' failed with exit code 128 and remote: Write access to repository not granted.

[k00ni]

For anyone who is stumbling about this issue, deploy keys saved my day. They might not for everyone, but in my case we need a tool in different repositories inside the same organization, but don't want personal accounts to be required for auth/access.

Situation

Repository A      <======      Repository B
############
runs workflow, 
in which Repo B
is cloned and used. 

Steps to accomplish what you need

1. Create a SSH key pair (public and private key), for instance with: ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
2. do not use a password (more later)
3. Go to Repository B > Settings > Deploy Keys > Add deploy key

4. Use a meaningful title such as Access from Repository A
5. Copy the content of the public key file (ends with .pub) into the Key field
6. Decide if write access is required in the final workflow (usually its not) > Save
7. Switch to Repository A > Settings > Secrets and variables > Actions > Repository secrets (middle)

8. click "New repository secret" > set meaningful name (later required inside the workflow file, e.g. SSH_PRIVATE_KEY) > copy the content of the private key file into the Secret field
9. Save
10. Switch to the workflow file inside Repository A

Example workflow file with a checkout of repository B: (note: please make sure you use the latest versions of each component used)

name: Checkout Repository B

on: [push]

jobs:
  checkout-repo-b:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Repository A
      uses: actions/checkout@v3

    - name: Setup SSH Key
      uses: webfactory/ssh-agent@v0.9.1
      with:
        ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}

    - name: Checkout Repository B
      run: |
        git clone git@github.com:ORGANISATION/REPOSITORY_B.git repository-b

About the no-password thing: if you set a password, you have to provide it during the workflow which IMHO defeats the purpose of this approach. The following error will appear if a password-protected SSH key pair ist being used:

Starting ssh-agent
SSH_AUTH_SOCK=/tmp/.../agent.2472
SSH_AGENT_PID=24[7]
Adding private key(s) to agent
Error: Command failed: ssh-add -
Enter passphrase for (stdin): 
Enter passphrase for (stdin):