Feature Request: Use GitHub App to checkout #567

Open
alec-pinson opened this issue Aug 11, 2021 · 6 comments

@alec-pinson

We are unable to create service/bot accounts within our Enterprise.
We would really like the option to be able to use a GitHub app for authentication.

I created an example of how this would work below:

      - uses: actions/checkout@v2
        with:
          repository: <org>/github-actions
          github_app_id: ${{ secrets.APP_ID }}
          github_app_key: ${{ secrets.APP_KEY }}
          path: .github/actions

This is our current workaround, but we would prefer to remove the generate token step:

      - name: Generate token
        id: generate_token
        uses: tibdex/github-app-token@v1
        with:
          app_id: ${{ secrets.APP_ID }}
          private_key: ${{ secrets.APP_KEY }}

      - name: Checkout action
        uses: actions/checkout@v2
        with:
          repository: <org>/github-actions
          token: ${{ steps.generate_token.outputs.token }}
          path: .github/actions

@kousu

kousu commented Apr 9, 2022

We're using GitHub Organizations, but not GitHub Enterprise. As far as I can tell, there's no such thing as Service Accounts on github.com anymore. Is that true? The only reference I see to them in the docs currently is here, which

  1. Is only rendered under "Enterprise Cloud" (so, probably not supported at all on the public site)
  2. Says "To retain access", as if service accounts are being deprecated even on Enterprise sites

Does anyone know if they got phased out this year?

PATs are fine for personal projects, and maybe service accounts (if they exist?) are fine for big corporate ones, but for projects in the middle (+ enterprise accounts if service accounts have been phased out?), I really agree with this

It seems inappropriate for a CI job to use a PAT. If I leave the organization, the workflow will just start failing.

So your workaround is very helpful to me at the moment :). Thank you for sharing it @alec-pinson.

I think what GitHub is expecting is for people who need to have workflows trigger workflows to migrate to Reusable Workflows. I got that working but found it takes a significant amount of extra code to handle triggering each process and at least a few echo '::set-output name=KEY::value's to finagle everything, which is a step backwards IMO. I'm going to migrate to tibdex/github-app-token now, and also put my vote in for this feature to be integrated directly into actions/checkout.

@loganvolkers

Looks like there is a PR from 2020 that implements this functionality: #220

@bakwc

bakwc commented Dec 21, 2022

Any progress here?

@Jojoooo1

Any news on this?

@vixus0

vixus0 commented Oct 18, 2023

For people who also came across this issue, the official way of doing this seems to be covered here: https://github.com/actions/create-github-app-token#use-app-token-with-actionscheckout

@anxo-outeiral

> For people who also came across this issue, the official way of doing this seems to be covered here: https://github.com/actions/create-github-app-token#use-app-token-with-actionscheckout

Thanks a lot @vixus0. It works perfectly!

I found this issue after searching for a lot of information to be able to download other private repositories from a certain GitHub Actions pipeline from our Enterprise/Organization. With this indicated actions function, it has worked perfectly for me.

My idea was not to use a PAT (which is the only option that allows this action https://github.com/actions/checkout#checkout-multiple-repos-private). Therefore, the only available and safe option was to use a GitHub App.

Let me share with you another URL (https://dev.to/dtinth/authenticating-as-a-github-app-in-a-github-actions-workflow-27co) that I found during this research process, and that helped me reach this issue.
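
The approach the last comments point to, written out as an added example that is not part of any comment in this thread: a workflow using actions/create-github-app-token with actions/checkout. The secret names APP_ID and APP_KEY and the <org>/github-actions repository are taken from the first comment; the workflow name, job name, action versions and the choice to scope the token to a single repository are assumptions.

```yaml
# Added example, not from the thread. Assumes the GitHub App is installed on
# <org> and has read access to the contents of <org>/github-actions.
name: checkout-with-app-token
on: push

permissions:
  contents: read   # the workflow's own GITHUB_TOKEN stays read-only

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Generate installation token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_KEY }}
          # Limit the token to the one repository this job needs instead of
          # every repository the app installation can reach.
          owner: <org>
          repositories: github-actions

      - name: Checkout shared actions
        uses: actions/checkout@v4
        with:
          repository: <org>/github-actions
          token: ${{ steps.app-token.outputs.token }}
          path: .github/actions
          # Do not leave the token in the checked-out repo's git config,
          # where later steps could read it.
          persist-credentials: false
```

Unlike a PAT, the installation token is not tied to a person's account and expires after one hour, so a leaked value has a short useful life.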
