::error::Input required and not supplied: token #298

Closed
joanofdart opened this issue Jul 8, 2020 · 35 comments

@joanofdart

Hello everyone...
I'm trying to fetch another public repo and I've tried to put the TOKEN as explained... but even if I do, for some odd reason it is still TELLING ME that the token is missing????? Sorry but I'm a bit stressed about this :/ perhaps I'm just being too dumb.

      - name: Checks out flutter
        uses: actions/checkout@v2
        with:
          repository: flutter/flutter
          token: ${{ github.token }}
          ref: refs/heads/master
          path: flutter


@ericsciple
Contributor

Your inputs look fine to me.

What happens if you don't specify the token input at all?

      - name: Checks out flutter
        uses: actions/checkout@v2
        with:
          repository: flutter/flutter
          ref: refs/heads/master
          path: flutter

Either way should work... the default when not specified is ${{ github.token }}

@ubershmekel

ubershmekel commented Jul 28, 2020

I'm getting

##[error]Input required and not supplied: token

From this workflow file:

    - uses: actions/checkout@v2
      with:
        ref: ${{ github.head_ref }}
        token: ${{ secrets.UBERSHMEKEL_ALT_TOKEN }}

I think the problem is actually mentioned on GitHub's secrets page:

Secrets are not passed to workflows that are triggered by a pull request from a fork. Learn more.

The "Learn more" links to this page that doesn't provide more information but repeats the message:
https://help.github.com/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets

I found this discussion on the topic of forks getting some secrets access as "security by obscurity" https://github.community/t/make-secrets-available-to-builds-of-forks/16166/32

@TomasVotruba

#[error]Input required and not supplied: token

I have the same problem. How did you solve it?

@TomasVotruba

TomasVotruba commented Oct 28, 2020

So far I've found this workaround: google/gvisor@315c167


Another shorter workaround:
rectorphp/rector@2243a81

@felipecrs

I started to have this issue in all the repositories in which I set the token manually since yesterday or so. If I retrigger the build manually it works; it also sometimes works automatically.

E.g. https://github.com/timonwong/vscode-shellcheck/runs/2077175092

This is not from a fork, nor a pull request, so I wonder what's happening.

@devbucket

We're encountering this issue too for almost a week now. It suddenly started without a change in our workflows.

@Xunnamius

Xunnamius commented Mar 12, 2021

EDIT: nevermind, turns out it's by design: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

Landed here from a google search for "octokit input required and not supplied". Same issue as the previous two commenters, but I'm noticing this behavior in the https://github.com/actions/github-script action instead of checkout.

Error: Unhandled error: Error: Input required and not supplied: github-token

Maybe 5 or so days ago, I noticed my auto-merge jobs failing in this way when attempting to merge PRs from dependabot.

@devbucket

It would be cool to get any feedback here. It isn't very pleasant to constantly have to restart the workflows.

@will-molloy

Suddenly got this on my repos (auto merging dependabot PRs) which worked fine for 6+ months.

@MannarAmuthan

Working for me after changing the event type from pull_request to pull_request_target.

Refer:
https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

@pommelinho

However, I think just changing the event type to pull_request_target is regarded as insecure when you are using secrets in your workflow.
Refer: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

This would mean anyone forking the repo could steal secrets and do any sort of malicious actions. I guess for private repos this will not exist but for public repos it will.

So any other solutions here?

@felipecrs

Changing to pull_request_target is not only insecure, but it is also a mistake if the actions/checkout is not properly updated. See the last example at https://securitylab.github.com/research/github-actions-preventing-pwn-requests/, right before the conclusion.

@pommelinho

@felipecrs I understand. But when I do an explicit checkout via ${{ github.event.pull_request.head.sha }} it should work, right?
As our repo is private and no forks can be done, this should be safe, right?

@felipecrs

felipecrs commented Apr 13, 2021

Yes, right. But if your PRs don't come from forks, you were not supposed to need pull_request_target, except for pull requests coming from dependabot.
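
The concern raised in the comments above, shown as a weak configuration beside a hardened one. This is an added example, not a workflow posted in the thread; the secret name `DEPLOY_KEY`, the `make test` step and the `dependencies` label are assumptions, and the three workflow files are written as three YAML documents.

```yaml
# Weak: pull_request_target has the base repository's secrets in scope,
# and this job checks out and runs code taken from the pull request.
name: pr-target-weak
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test                          # PR-controlled code
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }} # assumed secret name
---
# Hardened, part 1: build and test PR code on pull_request, where runs for
# fork and Dependabot pull requests do not receive the Actions secrets.
name: pr-untrusted-test
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - run: make test
---
# Hardened, part 2: the privileged job never checks out the PR head;
# it only edits pull request metadata through the API.
name: pr-privileged-metadata
on: pull_request_target
permissions:
  contents: read
  pull-requests: write
jobs:
  label:
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - run: gh pr edit "$PR_URL" --add-label dependencies
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ github.token }}
```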

@ericsciple
Contributor

ericsciple commented Apr 15, 2021

FYI @TomasVotruba, here is an even shorter workaround :) You can use the truthy behavior to fall back to the built-in token

token: ${{ secrets.MY_TOKEN || github.token }}

@ericsciple
Contributor

@felipecrs I looked at the run you linked, and it looks like it's because you are using the secrets context and the run was triggered by dependabot.

As @Xunnamius and @MannarAmuthan mentioned, this behavior change is intentional and related to this recent change: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

I'm going to close this issue. If anyone is still having an issue, please open a new issue.

In summary, this error is expected if you are attempting to use a secret on a fork PR or a run triggered by dependabot.

domoritz added a commit to vega/vega-lite that referenced this issue May 10, 2021
@martin-thoma

@ericsciple Could you please explain why that solves the issue? If github.token works, why don't we directly use token: ${{ github.token }}?

@jmclean-starburst

jmclean-starburst commented Aug 2, 2021

Is this still an issue? I have the below that fails, even though the repository (viaduct-ai/kustomize-sops) is public

> act --job deploy --eventpath .github/_act/event_deploy_argocd.json                
[Deploy ArgoCD/deploy] 🚀  Start image=node:12-buster-slim
[Deploy ArgoCD/deploy]   🐳  docker run image=node:12-buster-slim platform= entrypoint=["/usr/bin/tail" "-f" "/dev/null"] cmd=[]
[Deploy ArgoCD/deploy]   🐳  docker exec cmd=[mkdir -m 0777 -p /var/run/act] user=root
[Deploy ArgoCD/deploy] ⭐  Run Checkout KSOPS code
INFO[0001]   ☁  git clone 'https://github.com/actions/checkout' # ref=v2 
[Deploy ArgoCD/deploy]   🐳  docker cp src=/Users/alpha-wolf/.cache/act/actions-checkout@v2/ dst=/var/run/act/actions/actions-checkout@v2/
[Deploy ArgoCD/deploy]   🐳  docker exec cmd=[mkdir -p /var/run/act/actions/actions-checkout@v2/] user=
[Deploy ArgoCD/deploy]   🐳  docker exec cmd=[node /var/run/act/actions/actions-checkout@v2/dist/index.js] user=
[Deploy ArgoCD/deploy]   ❓  ::save-state name=isPost,::true
[Deploy ArgoCD/deploy]   💬  ::debug::GITHUB_WORKSPACE = '/Users/alpha-wolf/dev/ego-ops'
[Deploy ArgoCD/deploy]   💬  ::debug::qualified repository = 'viaduct-ai/kustomize-sops'
[Deploy ArgoCD/deploy]   💬  ::debug::ref = 'ref/tags/v2.5.7'
[Deploy ArgoCD/deploy]   💬  ::debug::commit = 'undefined'
[Deploy ArgoCD/deploy]   💬  ::debug::clean = true
[Deploy ArgoCD/deploy]   💬  ::debug::fetch depth = 1
[Deploy ArgoCD/deploy]   💬  ::debug::lfs = false
[Deploy ArgoCD/deploy]   💬  ::debug::submodules = false
[Deploy ArgoCD/deploy]   💬  ::debug::recursive submodules = false
[Deploy ArgoCD/deploy]   ❗  ::error::Input required and not supplied: token
[Deploy ArgoCD/deploy]   ❌  Failure - Checkout KSOPS code
Error: exit with `FAILURE`: 1

Workflow:

name: Deploy ArgoCD
on:
  workflow_dispatch:
    inputs:
      environment:
        description: The environment to deploy ArgoCD to
        required: true
        default: dev
      region:
        description: The region to deploy ArgoCD to
        required: true
        default: us-east-2
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout KSOPS code
        uses: actions/checkout@v2
        with:
          repository: viaduct-ai/kustomize-sops
          ref: ref/tags/v2.5.7
          path: _ksops

FYI: I have done brew unlink act && brew install act --HEAD

@hamirmahal

> @felipecrs I looked at the run you linked, and it looks like it's because you are using the secrets context and the run was triggered by dependabot.
>
> As @Xunnamius and @MannarAmuthan mentioned, this behavior change is intentional and related to this recent change: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
>
> I'm going to close this issue. If anyone is still having an issue, please open a new issue.
>
> In summary, this error is expected if you are attempting to use a secret on a fork PR or a run triggered by dependabot.

I'm running into this issue in a private repository where a check is failing on pull requests opened by dependabot.

If I remove

        with:
          token: ${{ secrets.PAT_TOKEN }}

from

      - name: Checkout code
        uses: actions/checkout@v2
        with:
          token: ${{ secrets.PAT_TOKEN }}

the workflow still fails.

What's the recommended approach on getting my workflow to run in my private repository, even if it's opened by dependabot?

Randsw added a commit to Randsw/kubeinfo that referenced this issue Oct 26, 2023
Remove TOKEN from checkout. see - actions/checkout#298
@cwong-archy

> I was having the same problem with my private repo in my organization when using reusable workflows. I found out that reusable workflows do not pass the secrets by default from the caller workflow to the reusable workflow; instead, you have to pass the secrets according to this documentation: using-inputs-and-secrets-in-a-reusable-workflow. Following the 3 steps I was able to solve my problem.
>
> Basically, if you are using reusable workflows you have to:
>
>   1. Define your secret in your reusable workflow file
>   2. Call the secret in your reusable workflow file
>   3. Pass the secret from the caller workflow to the reusable workflow file using secrets keyword
>   4. Enjoy!

hi @dtcMLOps can you elaborate on exactly how you got this working? our repos are private.

we have reusable-workflow as well and dependabot is failing on

Error: Input required and not supplied: token

our job -

jobs:
  terraform:
    uses: ./.github/workflows/reusable-workflow-terraform.yml
    with:
      cluster: preprod
    secrets: inherit

the reusable-workflow-terraform.yml -

jobs:
  terraform:
    name: "Terraform"
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.TOKEN  }}

and this is where it's failing us.

@codebydant

Hi @cwong-archy are you defining the secret in the reusable workflow?

this is an example of how to define the secret in the reusable workflow

https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-inputs-and-secrets-in-a-reusable-workflow
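
The three steps listed earlier in this exchange, written out as a called workflow and its caller. This is an added example, not code posted in the thread; the secret name `TOKEN`, the `cluster` input and the reusable workflow's path come from the snippets above, the caller's file name and trigger are assumptions, and the two files are shown as two YAML documents.

```yaml
# File: .github/workflows/reusable-workflow-terraform.yml (the called workflow)
name: reusable-workflow-terraform
on:
  workflow_call:
    inputs:
      cluster:
        description: "Cluster, name of the working directory"
        required: true
        type: string
    secrets:
      # Step 1: declare the secret the called workflow expects
      TOKEN:
        required: true
jobs:
  terraform:
    name: "Terraform"
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Step 2: reference the declared secret
          token: ${{ secrets.TOKEN }}
---
# File: .github/workflows/ci.yml (the caller; file name and trigger are assumptions)
name: ci
on: pull_request
jobs:
  terraform:
    uses: ./.github/workflows/reusable-workflow-terraform.yml
    with:
      cluster: preprod
    secrets:
      # Step 3: pass the caller's secret under the declared name
      TOKEN: ${{ secrets.TOKEN }}
```

On runs triggered by Dependabot the `secrets` context is filled from the repository's Dependabot secrets rather than its Actions secrets, so `TOKEN` has to exist there as well for the caller to have a value to pass.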

@cwong-archy

> Hi @cwong-archy are you defining the secret in the reusable workflow?
>
> this is an example of how to define the secret in the reusable workflow
>
> https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-inputs-and-secrets-in-a-reusable-workflow

@dtcMLOps oh. even though i inherit everything i still have to define it huh? this is what i have -

──── head -n 22 reusable-workflow-terraform.yml
name: reusable-workflow-terraform

on:
  workflow_call:
    inputs:
      cluster:
        description: "Cluster, name of the working directory"
        required: true
        type: string

permissions:
  id-token: write
  contents: read
  actions: read
  pull-requests: write

@codebydant

Hi @cwong-archy, yes. According to the docs you have to define the secret inside the reusable workflow definition.

@cwong-archy

> Hi @cwong-archy, yes. According to the docs you have to define the secret inside the reusable workflow definition.

thanks @dtcMLOps i'll give it a go!!! 🙏🏻🙏🏻🙏🏻

@cwong-archy

> > Hi @cwong-archy, yes. According to the docs you have to define the secret inside the reusable workflow definition.
>
> thanks @dtcMLOps i'll give it a go!!! 🙏🏻🙏🏻🙏🏻

@dtcMLOps thank you... it worked!!!

@ayushxx7

In a private organisation, if you create a reusable workflow in Repo X, then for actions/checkout we can use github.token like so:

    steps:
    - name: Checkout code
      uses: actions/checkout@v2
      with:
        token: ${{ github.token }}

@Nosskirneh

    steps:
      # Checks out the repository under $GITHUB_WORKSPACE
      -
        if: github.actor == 'dependabot[bot]'
        uses: actions/checkout@v3
        with:
          token: ${{ github.token }}
          submodules: recursive
      -
        if: github.actor != 'dependabot[bot]'
        uses: actions/checkout@v3
        with:
          token: ${{ secrets.GITHIB_ACTIONS_TOKEN }}
          submodules: recursive

works for my own and dependabot's pushes.

auto-submit bot pushed a commit to flutter/flutter that referenced this issue Jan 18, 2024
revision 01/17: instead of removing actions/checkout, keep actions/checkout but remove the `token` field and add `persist-credentials` field. tested with a [mirror script](https://github.com/XilaiZhang/miscellaneous-side-project/blob/master/.github/workflows/easy-cp.yml) and creates [expected pull request](#141730)

Issue: when running github actions, the [tokens not found error](actions/checkout#298) still happens (`Input required and not supplied: token`). We are not using fork PR or dependabot, and it's flaky when the well defined token isn't found in the inputs. We hit this error when invoking [market place actions/checkout](https://github.com/actions/checkout): [example failed run 1](https://github.com/flutter/flutter/actions/runs/7546108771/job/20543199801), [example failed run 2](https://github.com/flutter/flutter/actions/runs/7546141972/job/20543265842)

In this PR, Remove the dependency on marketplace actions  to make our workflow more reliable and less flaky.

other changes to remove actions/checkout dependency:
1. embedded token url for git push
Tried a number of ways and this is the only / best workaround I found to resolve [the notorious problem of pushing without ssh key](https://stackoverflow.com/questions/22147574/github-fatal-could-not-read-username-for-https-github-com-no-such-file-o). 
2. added back `--head`
`--head` is now needed to avoid [abort](https://github.com/XilaiZhang/miscellaneous-side-project/actions/runs/7548409479/job/20550397014)

Test: a [replicate of the actions file](https://github.com/XilaiZhang/miscellaneous-side-project/blob/master/.github/workflows/easy-cp.yml) is [tested](https://github.com/XilaiZhang/miscellaneous-side-project/actions/runs/7548448024/job/20550521341) on my personal repo, and it creates the [expected PR](#141647)
alexdelprete added a commit to alexdelprete/ha-abb-powerone-pvi-sunspec that referenced this issue Jan 27, 2024
@apurvdeodhar

apurvdeodhar commented Feb 2, 2024

Hello everyone, for those

  1. Who are using act for local runs like @jmclean-starburst mentioned
  2. Still facing this problem, here's an update.

Here's what my .github/workflows/deployment.yml looks like.

name: CI/CD Pipeline

on:
  push:
    branches:
      - main

jobs:
  github-actions-tests:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout psycopg2 Repository
        uses: actions/checkout@v4
        with:
          repository: jkehler/awslambda-psycopg2
          path: ./awslambda

As you notice the repository awslambda-psycopg2 is public, but based on the docs act provides

GitHub automatically provides a GITHUB_TOKEN secret when running workflows inside GitHub.

I understood that when your workflow runs in github actions it creates a token automatically on your user's behalf, so to make this work locally I created a PAT with no access whatsoever and passed it as a secret to act and now it works as expected 🥳

act -s GITHUB_TOKEN=$ACT_GITHUB_TOKEN

@mills-nick

@apurvdeodhar
I can confirm that my act local run now works after adding the GITHUB_TOKEN secret parameter, even though I was using

      - name: Checkout Branch release/k8s_merged
        uses: actions/checkout@v4
        with:
          ref: ${{ env.TARGET_BRANCH }}
          ssh-key: ${{ secrets.SSH_KEY }}

act command:

act -P ubuntu-latest=-self-hosted -W .github/workflows/local-merge-from-master.yaml --container-architecture linux/amd64 -s GITHUB_TOKEN=$GITHUB_TOKEN

@ghost ghost mentioned this issue Apr 10, 2024
inkarkat added a commit to inkarkat/test that referenced this issue May 14, 2024
…and not supplied: token" when run in act

Apparently, we need a GitHub access token when running locally. I use a new Personal Access Token with read-only rights for that:
$ act -s GITHUB_TOKEN=ghp_... workflow_dispatch

Source: actions/checkout#298 (comment)
inkarkat added a commit to inkarkat/test that referenced this issue May 15, 2024
…and not supplied: token" when run in act

Apparently, we need a GitHub access token when running locally. I use a new Personal Access Token with read-only rights for that:
$ act -s GITHUB_TOKEN=ghp_... workflow_dispatch

Source: actions/checkout#298 (comment)