Skip to content

Cannot checkout remote public repo that doesn't require auth #1364

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
allwalte opened this issue May 30, 2023 · 1 comment
Open

Cannot checkout remote public repo that doesn't require auth #1364

allwalte opened this issue May 30, 2023 · 1 comment

Comments

@allwalte
Copy link

I'm trying to build an action that checks out both a repo from our GHE (the repo the workflow is in), as well as a public repo on github.com. For the latter, I'm using the "github-server-url" argument, which seems to be taking effect because in the initialization phase for this second checkout I see remote add origin https://github.com// (redactions mine, they're correct and visible in the pipeline :-) ). However, the checkout fails at the Retrieving the default branch name step, with "Bad credentials". I'm not specifying a PAT, it's my understanding that this repo is publicly accessible so I shouldn't need one. I can certainly view everything from a private browser, not logged in. And also, in the body of the job, if I do a git clone of that repo, it works. So I'm not certain what's missing to make the checkout step work?

I brought this up here and it was suggested that perhaps the problem was that an auth header was being explicitly set by the checkout action, but our auth would not work on that remote repo. So I tried to look into how to not send that auth and found this comment in another issue - "If you don't want actions/checkout to set the extra header, you can set persist-credentials to false."

However, I tried that, and the header is still there. In that same issue, someone else mentions the same thing at the bottom - #181 (comment)

In the ADR it says that even though this header is added, "Additional public remotes also just work." That's not what I'm experiencing though, unless there's something I'm missing.
@lindbergmarriott
Copy link

It looks to me like the action code respects the persist-credentials setting when generating extra headers for submodules, and also for SSH configuration, but it is ignored and will still create an Authorization Basic header using the token for the main repo when using HTTP access even with that flag set to false. That basic auth then fails on the public GitHub (unsurprisingly). The git commands issued by the action work otherwise.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@allwalte @lindbergmarriott