GH App Permissions - other than Meta? #204

Open
alokshenoy opened this issue Feb 11, 2025 · 5 comments

@alokshenoy

Are there minimum permissions required for the GH App, apart from the permission to read the Contents of the target repo?

I have this workflow set up:

```yaml
on:
  push:
    branches:
      - testing-app-token-generator

jobs:
  test:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout Repo A
        uses: actions/checkout@v4

      - name: Generate GitHub App Token
        id: app_token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.TOKEN_GENERATOR_APP_ID }}
          private-key: ${{ secrets.TOKEN_GENERATOR_APP_PRIVATE_KEY }}

      - name: Debug Token Output
        run: |
          echo "Token Length: ${#GITHUB_TOKEN}"
        env:
          GITHUB_TOKEN: ${{ steps.app_token.outputs.token }}

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
          architecture: "x64"

      - name: Configure Git to Use GitHub Token
        env:
          GITHUB_TOKEN: ${{ steps.app_token.outputs.token }}
        run: |
          git config --global url.https://${GITHUB_TOKEN}@github.com/.insteadOf https://github.com/
          git config --global credential.helper store

      - name: Install internal-project (Private Repo)
        env:
          GITHUB_TOKEN: ${{ steps.app_token.outputs.token }}
        run: |
          pip install git+https://${GITHUB_TOKEN}@github.com/OrgName/internal-project.git

      - name: Install dependencies
        run: pip install -e .
```

The error I get is `No such device or address`.

```
Collecting git+https://****@github.com/OrgName/internal-project.git
  Cloning https://****@github.com/OrgName/internal-project.git to /tmp/pip-req-build-ecm4ocoz
  Running command git clone --filter=blob:none --quiet 'https://****@github.com/OrgName/internal-project.git' /tmp/pip-req-build-ecm4ocoz
  fatal: could not read Password for 'https://***@github.com': No such device or address
  error: subprocess-exited-with-error
  
  × git clone --filter=blob:none --quiet 'https://****@github.com/OrgName/internal-project.git' /tmp/pip-req-build-ecm4ocoz did not run successfully.
  │ exit code: 128
  ╰─> See above for output.
  
  note: This error originates from a subprocess, and is likely not a problem with pip.

Notice:  A new release of pip is available: 25.0 -> 25.0.1
Notice:  To update, run: pip install --upgrade pip
error: subprocess-exited-with-error

× git clone --filter=blob:none --quiet 'https://****@github.com/OrgName/internal-project.git' /tmp/pip-req-build-ecm4ocoz did not run successfully.
│ exit code: 128
╰─> See above for output.

note: This error originates from a subprocess, and is likely not a problem with pip.
Error: Process completed with exit code 1.
```

@gr2m
Contributor

gr2m commented Feb 11, 2025

It depends on what you want to do with it. I assume for git clones you will need the `contents:read` permission.

@alokshenoy
Author

alokshenoy commented Feb 12, 2025

That's weird. I have this permission enabled for the app. Contents and Meta - both are enabled. And the app is installed across all the repos.

@gr2m
Contributor

gr2m commented Feb 12, 2025

Ah, I think there is actually a different format you need to use with installation access tokens in order to use it for git operations.

Instead of `${GITHUB_TOKEN}@github.com` it's `x-access-token:${GITHUB_TOKEN}@github.com`.

See https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation

> Your app must have the "Contents" repository permission. You can then use the installation access token as the HTTP password. Replace `TOKEN` with the installation access token: `git clone https://x-access-token:TOKEN@github.com/owner/repo.git`.

Can you confirm that works? We should document it in our README.
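
An added example, not part of the thread or the action's documentation: one way to give git the `x-access-token` username and the installation token as the HTTP password through `GIT_ASKPASS`, so the token is not placed in a URL or in global git config. It assumes the token is exported as `GITHUB_TOKEN`; `install_askpass` and `with_app_token` are hypothetical helper names.

```shell
# Added example, not from the thread. Assumes the installation token is
# exported as GITHUB_TOKEN; the function names are hypothetical.

# Write an askpass program for git and print its path.
install_askpass() {
  ap_dir=$(mktemp -d) || return 1
  cat > "$ap_dir/askpass.sh" <<'EOF'
#!/bin/sh
# git passes the prompt text as $1 and reads the answer from stdout.
case "$1" in
  "Username for 'https://github.com'"*)
    printf '%s\n' "x-access-token" ;;
  "Password for 'https://x-access-token@github.com'"*)
    printf '%s\n' "${GITHUB_TOKEN:?GITHUB_TOKEN is not set}" ;;
  *)
    exit 1 ;;  # any other host or prompt gets no credential
esac
EOF
  chmod 700 "$ap_dir/askpass.sh"
  printf '%s\n' "$ap_dir/askpass.sh"
}

# Run a command (git clone, pip install git+https://...) with the helper set,
# then delete the helper. The command's exit status is preserved.
with_app_token() {
  wt_askpass=$(install_askpass) || return 1
  wt_status=0
  GIT_ASKPASS="$wt_askpass" GIT_TERMINAL_PROMPT=0 "$@" || wt_status=$?
  rm -rf "$(dirname "$wt_askpass")"
  return "$wt_status"
}

# Usage in a workflow step, with a plain URL that carries no credential:
#   with_app_token pip install "git+https://github.com/OrgName/internal-project.git"
```

git consults configured credential helpers before it falls back to `GIT_ASKPASS`, so a helper that already answers for github.com takes precedence over this script.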

@alokshenoy
Author

Hey, yeah - I found that a couple of days ago and tried that out. However, I still get the same error. 😓

@gr2m
Contributor

gr2m commented Feb 12, 2025

Okay ... the next step would be to reproduce the problem with a minimal test case.

Can you

  1. Register a new GitHub App
  2. Install it on a test repository
  3. Set up a minimal workflow that reproduces the above problem?

If you can reproduce it that way, I can fork it and use my own app credentials, and use that to dig more into what's up.
