
Document how to clone with a PAT as a read-only action #779

Open
Gby56 opened this issue Apr 22, 2022 · 14 comments · May be fixed by #989


@Gby56

Gby56 commented Apr 22, 2022

I'm struggling to understand how I could simply clone repositories in an action without using deploy keys, because they have to be added to each repository to work.
PAT permissions are really not user-friendly, and I'd just like to have a simple read:repository permission to have the right to clone a repository's code.
I'm hitting the bug when cloning with a token defined: "remote: Write access to repository not granted." But I don't care about write access to that repository with my PAT.
Is this possible with a PAT that can only clone and not push?

@Gby56

Gby56 commented Apr 22, 2022

FYI: the documentation simply states:
"# We recommend using a service account with the least permissions necessary. Also when generating a new PAT, select the least scopes necessary."
This is extremely vague; good PAT configurations should be given for common use cases, and I expect pure read-only cloning to be a big one.

@Gby56

Gby56 commented Apr 22, 2022

It looks like it requires giving the full "repo" scope, and not just repo:status, repo_deployment, public_repo, repo:invite, security_events?

@matheo-lucak

Hello,

I'm facing the exact same issue.

I want to give the least permission (read-only on public and private repositories) for an action using a PAT.
But it only works with the full repo scope, which gives a lot more.

Thanks

@mifi

mifi commented Oct 25, 2022

After searching a bit I found that a basic minimal setup would be to use the same set of (restricted) permissions as the GITHUB_TOKEN gives.

It means we can create a "fine-grained personal access token" with the content and metadata permissions.

@mifi mifi linked a pull request Oct 25, 2022 that will close this issue
@twistedpair

twistedpair commented Oct 27, 2022

@mifi , is that content: read and metadata: read?

I'm seeing the same problem with fine grained PATs and @actions/checkout@v3

When I use a FG PAT with content: read and metadata: read, and give the PAT's user read access to the given repo, I still see the remote: Write access to repository not granted. error in GitHub Actions.

Why do we need write access to do a read operation?

@mifi

mifi commented Oct 27, 2022

> @mifi, is that content: read and metadata: read?

Correct, that's what worked for me. I only do a checkout though, nothing else fancy.

@NorseGaud

> @mifi, is that content: read and metadata: read?
>
> I'm seeing the same problem with fine grained PATs and @actions/checkout@v3
>
> When I use a FG PAT with content: read and metadata: read, and give the PAT's user read access to the given repo, I still see the "remote: Write access to repository not granted." error in GitHub Actions.
>
> Why do we need write access to do a read operation?

I even tried with full read + write for every permission and I still get that error. Are you by chance specifying a specific ref? And is the repo private?

@mifi

mifi commented Nov 2, 2022

Clarification: I'm using this for a submodule which is a private repo.

$ git submodule
COMMIT_HASH_REDACTED assets (heads/main)

Here's my workflow:

name: Test

on:
  push:

jobs:
  test:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v3
        with:
          submodules: true
          token: ${{ secrets.GH_PAT }}

      - uses: actions/setup-node@v3
        with:
          node-version: 16
          cache: 'yarn'

      - run: yarn install --frozen-lockfile
      - ...

@NorseGaud

I was able to get around this problem with classic tokens with "repo" permission. Unsure what's wrong with Fine-grained, but they are technically "Beta".

@twistedpair

+1 on @NorseGaud's situation.

I cannot get a checkout of a private repo as a submodule using FG PATs. Works fine with classic PATs and the "repo" permission.

I wonder if this could have to do with the additional Organization settings recently added to allow/block/require approval for FG PATs in organizations? I set FG PATs to be allowed in my org, but I still get these "remote: Write access to repository not granted." errors when trying to do read operations with this action.

@igor-zmitrovich

Same issue as @NorseGaud and @twistedpair. Not able to get a checkout of a private organization repo despite having the permission in the FG PAT.

@hermanbanken

https://stackoverflow.com/questions/42148841/github-clone-with-oauth-access-token/66156992#66156992

Apparently you need to set the username to oauth2. For me it isn't working, but maybe this works for you.

@fkromer

fkromer commented Feb 23, 2023

Today I've created and configured a fine grained PAT on a GitHub organization level successfully. The only required permissions are read access to code and metadata. This issue seems to be resolved.


Setting the token value as GH_PAT in the repository secrets does the job.

      - uses: actions/checkout@v3
        with:
          submodules: true
          token: ${{ secrets.GH_PAT }}

@codezninja

So just leaving this here. I had the same issue when trying to check out a private org repo in my workflow. I was using the latest actions/checkout@v4. I created a FG token on my user and it was throwing the write error, and it only had read access to content & metadata.

I then found out that in the org-level settings I had to enable FG permissions, because by default FG tokens do not have access to org repos.

This way I was able to create an FG token for that organization under the resources, with just content and metadata read-only permissions.

This is the comment that helped me get there: https://github.com/orgs/community/discussions/40910#discussioncomment-4454056
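As an added pre-flight check (not part of actions/checkout, this thread or the linked PR), the script below asks the GitHub REST API what a token can actually do with the repository before a workflow hands it to the checkout step, so a token that silently carries write access, or one the organization has not enabled at all, is caught early. The endpoint and its `permissions` object are real; the script name `preflight.py` and reading the token from the `GH_PAT` environment variable are assumptions.

```python
"""Added pre-flight check: is this GitHub token really read-only for a repo?
GET /repos/{owner}/{repo} returns a `permissions` object describing the
authenticated caller's effective access; classify it before actions/checkout."""
import json
import urllib.error
import urllib.request

API = "https://api.github.com"

def classify_access(status, repo_json):
    """Map one API response to "none", "read-only", "write" or "error".

    GitHub answers 404 (not 403) when the token cannot see the repository at
    all, e.g. a fine-grained PAT whose resource owner or repository selection
    excludes it, or an org that has not enabled fine-grained tokens.
    """
    if status == 404:
        return "none"
    if status != 200 or not isinstance(repo_json, dict):
        return "error"
    perms = repo_json.get("permissions", {})
    if not perms.get("pull"):
        return "none"
    if perms.get("push") or perms.get("maintain") or perms.get("admin"):
        return "write"
    return "read-only"

def fetch_repo(token, owner, repo):
    """GET /repos/{owner}/{repo} with the token; returns (status, body or None)."""
    req = urllib.request.Request(
        f"{API}/repos/{owner}/{repo}",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json",
                 "User-Agent": "pat-preflight"},  # the API rejects requests without a UA
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        return e.code, None

def check_token(token, owner, repo):
    return classify_access(*fetch_repo(token, owner, repo))

if __name__ == "__main__":
    import os, sys  # usage: GH_PAT=<token> python preflight.py <owner> <repo>
    result = check_token(os.environ["GH_PAT"], sys.argv[1], sys.argv[2])
    print(f"{sys.argv[1]}/{sys.argv[2]}: {result}")
    sys.exit(0 if result == "read-only" else 1)  # fail the job otherwise
```

Run it as a step before the checkout that consumes the token; a non-zero exit stops the job instead of letting the misleading "Write access to repository not granted" error surface later.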
