Document how to clone with a PAT as a read-only action #779

Open

Description

@Gby56

I'm struggling to understand how I could simply clone repositories in an action, without using deploy keys because they have to be added in each repository to work.
PAT permissions are really not user-friendly, and I'd just like to have a simple read:repository permission to have the right to clone a repository's code.
I'm hitting the bug for cloning with a token defined: remote: Write access to repository not granted. but I don't care about write access to that repository, with my PAT.
Is this something possible with a PAT that can only clone and not push ?

Activity

Gby56 (Author) commented on Apr 22, 2022

FYI: the documentation simply states:

    # We recommend using a service account with the least permissions necessary. Also
    # when generating a new PAT, select the least scopes necessary.

This is extremely vague; good PAT configurations should be given for common use cases, and I expect pure read-only cloning to be a big one.

Gby56 (Author) commented on Apr 22, 2022

It looks like it requires giving the full "repo" scope, and not just repo:status, repo_deployment, public_repo, repo:invite, security_events?

matheo-lucak commented on Jun 7, 2022

Hello,

I'm facing the exact same issue.

I want to give the least permission (read only on public and private repositories) for an action using a PAT.
But it only works with the full repo scope, which gives a lot more.

Thanks

mifi commented on Oct 25, 2022

After searching a bit I found that a basic minimal setup would be to use the same set of (restricted) permissions as the GITHUB_TOKEN gives.

It means we can create a "fine-grained personal access token" with the content and metadata permissions.

(A pull request that will close this issue was linked on Oct 25, 2022.)

twistedpair commented on Oct 27, 2022

@mifi , is that content: read and metadata: read?

I'm seeing the same problem with fine grained PATs and @actions/checkout@v3

When I use a FG PAT with content: read and metadata: read, and give the PAT's user read access to the given repo, I still see the "remote: Write access to repository not granted." error in GitHub Actions.

Why do we need write access to do a read operation?

mifi commented on Oct 27, 2022

> @mifi , is that content: read and metadata: read?

Correct, that's what worked for me. I only do a checkout though, nothing else fancy.

NorseGaud commented on Nov 1, 2022

> @mifi , is that content: read and metadata: read?
>
> I'm seeing the same problem with fine grained PATs and @actions/checkout@v3
>
> When I use a FG PAT with content: read and metadata: read, and give the PAT's user read access to the given repo, I still see the "remote: Write access to repository not granted." error in GitHub Actions.
>
> Why do we need write access to do a read operation?

I even tried with full read + write for every permission and I still get that error. Are you by chance specifying a specific ref? and is the repo private?

mifi commented on Nov 2, 2022

Clarification: I'm using this for a submodule which is a private repo.

    $ git submodule
    COMMIT_HASH_REDACTED assets (heads/main)

Here's my workflow:

    name: Test

    on:
      push:

    jobs:
      test:
        runs-on: ubuntu-latest

        steps:
          - uses: actions/checkout@v3
            with:
              submodules: true
              token: ${{ secrets.GH_PAT }}

          - uses: actions/setup-node@v3
            with:
              node-version: 16
              cache: 'yarn'

          - run: yarn install --frozen-lockfile
          - ...

NorseGaud commented on Nov 2, 2022

I was able to get around this problem with classic tokens with "repo" permission. Unsure what's wrong with Fine-grained, but they are technically "Beta".

twistedpair commented on Nov 2, 2022

+1 on @NorseGaud's situation.

I cannot get a checkout of a private repo as a submodule using FG PATs. Works fine with classic PATs and "Repo" permission.

I wonder if this could have to do with the additional Organization settings recently added to allow/block/require approval for FG PATs in organizations? I set FG PATs to be allowed in my org, but I still get these "remote: Write access to repository not granted." errors when trying to do read operations with this action.

igor-zmitrovich commented on Nov 10, 2022

Same issue as @NorseGaud and @twistedpair have. Not able to get a checkout of a private organization's repo despite having permission in the FG PAT.

hermanbanken commented on Dec 8, 2022

https://stackoverflow.com/questions/42148841/github-clone-with-oauth-access-token/66156992#66156992

Apparently you need to set the username to oauth2. For me it isn't working, but maybe this works for you.

fkromer commented on Feb 23, 2023

Today I've created and configured a fine grained PAT on a GitHub organization level successfully. The only required permissions are read access to code and metadata. This issue seems to be resolved.


Setting the token value as GH_PAT in the repository secrets does the job.

      - uses: actions/checkout@v3
        with:
          submodules: true
          token: ${{ secrets.GH_PAT }}

codezninja commented on Sep 6, 2023

So, just leaving this here. I had the same issue when trying to check out a private org repo in my workflow. I was using the latest actions/checkout@v4. I created a FG token on my user and it was throwing the write error, and it only had read access to content & metadata.

I then found out that at the org level settings I had to enable FG permissions, because by default FG tokens do not have access to org repos.

This way I was able to create an FG for that organization under the resources with just content and metadata read-only permissions.

This is the comment that helped me get there https://github.com/orgs/community/discussions/40910#discussioncomment-4454056

will-holley commented on Jul 3, 2024

I came here because I have an org with two repos: A and B. B is a submodule of A, and I wanted to check it out within a GitHub Action that is triggered when I commit to A.

If you have this problem in 2024, here's what worked for me:

  1. Ensure I had permissions to set PATs on the organization. This can be done under the /settings/personal-access-tokens menu within the organization's settings. Note that you must be an admin to enable PAT access.

  2. Create a personal access token with select repository access to A and B. Provide it with read access for Contents and Metadata.

  3. Save the PAT as a secret within A. I keyed it as EXAMPLE_PAT.

  4. Set the token within GHA, for example:

         - uses: actions/checkout@v4
           with:
             submodules: recursive
             token: ${{ secrets.EXAMPLE_PAT }}

Paillat-dev commented on Jul 24, 2024

+1 on this. It was really hard to find out how to do it. The docs really merit being updated.

rantianhua commented on Dec 22, 2024

git clone https://<PAT>@github.com/username/repo.git can solve my problem.
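As an added example (not code from the actions/checkout project or from any commenter), the read-only clone that the steps above arrive at, reduced to a shell script. The fine-grained PAT is read from the GH_PAT environment variable and sent as the same HTTP basic-auth header form that actions/checkout configures (fixed username x-access-token, token as password) via a one-shot `git -c` option, so it applies to that single command and is not written to the clone's .git/config. The script refuses a URL of the `https://<PAT>@github.com/...` form, because a token embedded in the URL is persisted as remote.origin.url and lands in shell history, and it checks the resulting config afterwards. The GH_PAT variable name, the repository URL and the directory names are assumptions.

```shell
#!/bin/sh
# Added example, not part of actions/checkout. Assumes: git on PATH, and
# GH_PAT holding a fine-grained PAT that has only Contents: read and
# Metadata: read on the target repository (see the steps in the thread).
set -eu

# Return 0 if the URL's authority part carries user/token credentials,
# e.g. https://<PAT>@github.com/org/repo.git. Such a URL is persisted in
# .git/config as remote.origin.url and in shell history, so refuse it.
url_has_embedded_credentials() {
  authority=${1#*://}          # drop the scheme
  authority=${authority%%/*}   # keep [user@]host[:port]
  case "$authority" in
    *@*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Build the header actions/checkout configures: HTTP basic auth with the
# fixed username x-access-token and the PAT as the password.
basic_auth_header() {
  printf 'AUTHORIZATION: basic %s' \
    "$(printf 'x-access-token:%s' "$1" | base64 | tr -d '\n')"
}

# Clone with the token passed as a per-command config option (-c), so the
# Authorization header is used for this one invocation and never written
# into the clone's .git/config.
clone_readonly() {
  url=$1; dest=$2
  : "${GH_PAT:?set GH_PAT to a fine-grained PAT with Contents: read and Metadata: read}"
  if url_has_embedded_credentials "$url"; then
    echo "refusing URL with embedded credentials; pass the token via GH_PAT" >&2
    return 2
  fi
  git -c "http.https://github.com/.extraheader=$(basic_auth_header "$GH_PAT")" \
      clone --quiet "$url" "$dest"
}

# Return 0 if the literal token, or its basic-auth header form, appears in
# a git config file. Run it on <clone>/.git/config after cloning to confirm
# that nothing was persisted.
config_leaks_token() {
  cfg=$1; token=$2
  grep -q -F -e "$token" -e "$(basic_auth_header "$token")" "$cfg" 2>/dev/null
}

# Usage (GH_PAT exported): sh clone_readonly.sh https://github.com/org/repo.git repo
if [ $# -eq 2 ]; then
  clone_readonly "$1" "$2"
  if config_leaks_token "$2/.git/config" "$GH_PAT"; then
    echo "WARNING: token persisted in $2/.git/config" >&2
    exit 1
  fi
  echo "cloned $1 read-only; token not persisted"
fi
```

If the token later needs to be stored for subsequent fetches, a credential helper is the place for it rather than the remote URL; the checks above stay valid either way, since they look for the token and its header form in the config that git actually wrote.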
