Docs: using a GitHub Action from another private repository

[francisfuzz]

I think it would be great to update our README to showcase how to use a GitHub Action from another private repository.

As of actions/checkout@v2-beta, it is possible to checkout a different private repository:

https://github.com/actions/checkout#checkout-a-different-private-repository

If the just-cloned private repository is a Docker container action containing a Dockerfile, action metadata file, and entrypoint, it's possible to run it since uses syntax supports citing actions in the same repository as the workflow:

https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#example-using-action-in-the-same-repository-as-the-workflow

Example:

name: CI

on: [push]

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2-beta
      with:
        # Private version of https://github.com/actions/hello-world-docker-action
        repository: USER/private-hello-world-docker-action
        ref: refs/tags/v1
        token: ${{ secrets.GitHub_PAT }} # `GitHub_PAT` is a secret that contains your PAT to clone that private repo
    - name: Run the private action
      uses: ./
      with:
        who-to-greet: "Mona the Octocat"

If the team is open to getting this documented, I'm happy to cut a PR. ✌️

[ericsciple]

@chrispat for thoughts.

This is very interesting.

Would this page on help.github.com would be a better place to document the product scenario? This repo is just about the checkout action.

Do we have an ETA for first class support for private-actions?

Although the proposal does enable the scenario, I also wonder how prominently should we advertise this two-step workaround as a solution?

It makes me wonder whether a good first class solution would be to token as a sibiling to uses. For example:

- uses: USER/private-hello-world-docker-action@v1
  token: ${{ secrets.GitHub_PAT }}

...on the other hand i also worry about extra concept of token at that level. What is the correct long term solution? Scopes on the job token? Or something else?

[chrispat]

That is a side effect but also something that could be accomplished before this update. I don't think it really belongs in this repo. Perhaps we can look at a location in the help docs or perhaps a community post on this work around.

[francisfuzz]

Eric, Chris: thanks for your feedback! I'll noodle on this a bit more and talk with our colleagues internally to see where we can field this workaround. Cheers!

[robinjhector]

Thanks for the documentation!
Are there any concrete plans to support private actions natively in GH Actions?

[missedone]

same here, looking for native support for private actions, to be able to share the action in the organization for better reusability.

[haokanga]

Hi @francisfuzz, what is your decision on how/where to address the workaround using checkout to enable GitHub Action from another private repository?

There has been an ongoing discussion in the community about this concern.
https://github.community/t/github-action-action-in-private-repository/16063/28?u=haokanga

[francisfuzz]

@haokanga - Hello! Thanks for raising the question here. I opened an internal issue for our documentation team to review, though I can't speak to when GitHub Help will be updated with those instructions.

As far as looking for native support for running GitHub Actions in other private repositories, I'm personally not able to speak to that. The best way to surface any support for that feature would be to our product team via this form:

https://support.github.com/contact/feedback

Sorry I couldn't be of more help here, though I do hope the approach posed here and in that thread are beneficial in the meantime!

[groundfloorwebb]

Thanks for the documentation @francisfuzz , i've been trying to figure out the best way to go about this and this seems like a solid solution. I like how github actions makes ci flows nice and composable, but the lack of support for abstraction into private repos is a real flaw at the moment when managing multiple codebases.

[stefanbuck]

This feature has been added to the roadmap github/roadmap#74

[rpgeddam]

and has also removed from the Q1-2021 milestone :(

[lgmorand]

yup and not even Q2 or Q3. that's really a bold move to postpone so far in the future after being planned for months :'(

[shreyaspurohit]

i am surprised this is not yet supported. For a lot of orgs with private repo's this is going to be useful. I am hopeful that it comes back on a near roadmap.

[RicardoJarree]

Is this only going to be a Github Enterprise feature now? Looking at the roadmap issue it seems that they are only going to be adding this feature for GitHub Enterprise users which is very disappointing. Has anyone used this on GitHub Enterprise as it was due for last quarter.

[timharris777]

Found this option in the ui under repos in our org that have .github/workflows folder.

However, trying this out it doesn't seem to work for referencing actions. It only works for reusable workflows. Is this by design? Other in the community are also confused about this setting: https://github.community/t/github-action-action-in-private-repository/16063/76?u=timharris777

[herereadthis]

@timharris777 how did you get to that option in the UI?

[timharris777]

@timharris777 how did you get to that option in the UI?

It only shows if the repo has GitHub actions workflows. Without a .GitHub/workflows folder with proper workflows the option does not seem to be available. It's in repo settings >> actions. Scroll to the bottom.

[ghost]

Since it's unclear here, this is still not implemented. Hopefully we see it soon, imo it's a critical need for most enterprises that do not wish to rely on third party actions (due to security concerns) and also do not wish to publish their internal actions.

[genisd]

+1 we really need this too 😢
Preferrably via pre-built images that get pulled from a private repo (as opposed to rebuilding the action every time)

[timharris777]

This is now supported. I tested and was able to share actions workflows from internal repos with a private org or enterprise. Here is the latest announcement related to it. https://github.blog/changelog/2022-01-21-share-github-actions-within-your-enterprise/

[kuhnroyal]

I am able to share composite action from internal repos same as workflows.

[gnanderson]

enterprise only tier, for this? 😑

[robinjhector]

enterprise only tier, for this? 😑

Yeah, I was also surprised. I've been waiting for this feature for a while.

[RayBB]

This is now GA but seems to be enterprise only still
https://github.blog/changelog/2022-03-04-sharing-github-actions-within-your-enterprise-is-now-ga/

[eriweb]

Do I understand correctly that this is only for Enterprise server?
We have enterprise cloud but I cannot see the 'Access' part under Settings -> Actions

[dataviruset]

Also it seems the repository where the reusable workflow is stored needs to be internal rather than private. And this setting is only available if the organization is part of an Enterprise Account, just being on the enterprise plan isn't enough. And Enterprise Accounts are only available for those paying with invoice rather than credit card. Sigh...
https://docs.github.com/en/enterprise-cloud@latest/admin/overview/creating-an-enterprise-account

[WoodyWoodsta]

Want to post some swear-words but that wouldn't be allowed here.

Why on earth they've created this support crevice with actions is beyond me. The picture is currently:

• Open source: public action

Massive support gap, spanning indie developers, small-medium paying organisations and enterprise plan subscribers

• Enterprise accounts: internal action

What exactly were they thinking? Are they trying to scare away half of their customers? Albeit, that's exactly something Microsoft would do.