36

I have 2 private GitHub repositories (say A and B) in the organization (say ORG). Repository A has repository B in requirements.txt:

```
-e git+git@github.com:ORG/B.git#egg=B
```

And I have the following workflow for A (in .github/workflows/test.yml):

```yaml
name: Python package

on: push

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v1

    - name: Install requirements
      run: |
        pip install -r requirements.txt

    - name: Test with pytest
      run: |
        pytest ./tests
```

As B is private, it fails on installing it.

Is it possible to install B while testing A in this workflow if they are in the same organization? How?

Yevhen Kuzmovych
  • This answer to a slightly different question looks very promising to me: *[How to clone multiple private repositories using GitHub Actions?](https://stackoverflow.com/a/68255302/192373)*. – Alex Cohn Nov 23 '21 at 08:20

5 Answers

20

Since access tokens are bound to an account and have write access to all its private repos, it's a very bad solution.

Instead, use deploy keys.

Deploy keys

Deploy keys are simply SSH keys that you can use to clone a repo.

  1. Create a new SSH key pair on your computer
  2. Put the public key in the private dependency repo's Deploy keys
  3. Put the private key in the app repo's Actions secrets
  4. Delete the keys from your computer

Once it's set, you can set the private key in the GitHub Action's SSH Agent. There's no need to import a third-party GitHub Action; a 2-liner will suffice.

```bash
eval `ssh-agent -s`
ssh-add - <<< '${{ secrets.PRIVATE_SSH_KEY }}'
pip install -r requirements.txt
```

I found that ssh-add command here.

Nato Boram
  • 2
    Deploy keys were also the most convenient choice in my scenario but, for extra convenience, I managed the loading into the agent through the webfactory/ssh-agent action: https://github.com/webfactory/ssh-agent. – Dato Dec 25 '21 at 01:29
15

I did it this way!

```yaml
- uses: actions/checkout@v1
  with:
    repository: organization_name/repo_name
    token: ${{ secrets.ACCESS_TOKEN }}
```

You need to provide a valid token; you can generate it by following this guide.

Yevhen Kuzmovych
Duvan
  • 3
    Do you mean using two checkouts, first for repo A and second (this one) for repo B? – northtree Jul 09 '20 at 03:33
  • 4
    I wouldn't want my access token stored in the company's secrets as it might be accessed by several people. – Yevhen Kuzmovych Sep 29 '20 at 07:56
  • Were you able to figure it out eventually? @northtree – Erfan Feb 06 '21 at 23:21
  • @Erfan Attached my answer. https://stackoverflow.com/a/66094537/482899 – northtree Feb 08 '21 at 00:28
  • I think that is the way to do it. I've noticed that you can add token to organization secrets (or rather your organization admin can) which you can use in actions. Haven't tested this yet – Yevhen Kuzmovych Apr 27 '21 at 14:11
  • Please do not use this solution for organizational accounts. It is suboptimal as it requires you to store your credentials to access it. The [solution provided below by Nato Boram](https://stackoverflow.com/a/70283191/12403182) is much better, as it uses deploy keys instead. – A Merii Feb 09 '22 at 15:39
4

Either use an SSH key with no passphrase to access repo B, or create an access token for that repo and then use the access token as your password to access that repo over HTTPS: https://USERNAME:TOKEN@github.com/ORG/B.git.

rmunn
  • 7
    I wouldn't want my access token stored in the company's repo (or in "secrets" of the repo) as it is available to many people. There is `secrets.GITHUB_TOKEN` in actions by default that I tried to use as you suggested with HTTPS (`-e git+https://my_username:${{secrets.GITHUB_TOKEN}}@github.com/ORG/B.git#egg=B`) - it does not work (with `remote: Repository not found.`). – Yevhen Kuzmovych Aug 23 '19 at 08:38
  • I was thinking you would store the token in the [Github secrets vault](https://developer.github.com/actions/managing-workflows/storing-secrets/). Do note that the docs say "Every repository includes a GITHUB_TOKEN secret, but it's not available to an action by default. You must add the GITHUB_TOKEN secret to each action that requires access." So that might be the issue. BTW, if you end up having to store secrets in a repo, [Blackbox](https://github.com/StackExchange/blackbox) (created by Stack Exchange, BTW) is good; it uses GPG to encrypt your secrets so you can control access. – rmunn Aug 23 '19 at 09:50
  • And I don't know how to "add the GITHUB_TOKEN secret to each action that requires access" because I'm still in the waiting list for the beta, so I can't test things. I can only read the documentation and answer based on what I've understood from the docs so far, and my knowledge isn't yet complete. – rmunn Aug 23 '19 at 09:51
  • I believe you would need to add it as env variable if it is needed as an env variable (`env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`). I'm using it directly from secrets so it's not the problem. Just to note: there is an older [workflow-actions system](https://developer.github.com/actions/), couldn't find how people solve this problem either. And thank you for your time! :) – Yevhen Kuzmovych Aug 23 '19 at 10:50
  • 1
    This doesn't work anymore since GitHub disabled username/password authentication: `remote: Support for password authentication was removed on August 13, 2021. Please use a personal access token instead.` – nont Sep 24 '21 at 13:02
  • There is no such thing as an "access token for that repo". An access token can read EVERYTHING you have access to. Do you contract for two companies? That token you set up for one of them allows access to the other company's repos. – Roman Starkov Nov 15 '21 at 20:28
2

Instead of checking out twice, all you need is to provide the TOKEN for pip to access repo B.

```yaml
- name: Install requirements
  run: |
    git config --global url."https://${{ secrets.ACESS_TOKEN }}@github".insteadOf https://github
    pip install -r requirements.txt
```

Yevhen Kuzmovych
northtree
1

I added this line

```
git+https://YOUR_TOKEN_HERE@github.com/ORG/REPO_NAME.git@master#egg=REPO_NAME
```

to my requirements.txt and it worked. But as other people mentioned, your token will be exposed to anyone having access to this repository. It is probably best to use a secret in your repository.

Philippe Remy
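
An added example, not part of any answer on this page: a check that could run in CI or as a pre-commit hook to flag requirements lines that carry a literal token in the URL, the exposure this answer and the comments above warn about. The function name `embedded_credentials` is hypothetical and the sample file contents, including the token and password strings, are constructed.

```python
import re
import sys
from urllib.parse import urlsplit

# pip expands ${VAR} in requirements files; such a value is a reference, not a secret.
ENV_REF = re.compile(r"\$\{[A-Z0-9_]+\}")
URL = re.compile(r"(?:[a-z]+\+)?(?:https?|ssh)://\S+")

# Constructed sample requirements.txt (no real credentials).
SAMPLE = """\
# Constructed sample
requests==2.31.0
-e git+ssh://git@github.com/ORG/B.git#egg=B
git+https://CONSTRUCTED_TOKEN_123@github.com/ORG/REPO_NAME.git@master#egg=REPO_NAME
git+https://${GITHUB_TOKEN}@github.com/ORG/B.git#egg=B
-e git+https://USERNAME:CONSTRUCTED_PASSWORD@github.com/ORG/B.git#egg=B
"""

def embedded_credentials(requirements_text):
    """Return (line_no, host, redacted_line) for every URL with a literal credential."""
    findings = []
    for line_no, line in enumerate(requirements_text.splitlines(), start=1):
        line = line.strip()
        if line.startswith("#"):
            continue
        for match in URL.finditer(line):
            parts = urlsplit(re.sub(r"^[a-z]+\+", "", match.group(0)))
            # Over SSH the user part ("git") is a login name; over HTTPS a lone
            # user part is where a token goes (https://TOKEN@github.com/...).
            if parts.password is not None or parts.scheme == "ssh":
                secret = parts.password
            else:
                secret = parts.username
            if not secret or ENV_REF.fullmatch(secret):
                continue
            userinfo = parts.netloc.rpartition("@")[0]
            redacted = line.replace(userinfo + "@", "***@", 1)
            findings.append((line_no, parts.hostname, redacted))
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    hits = embedded_credentials(text)
    for line_no, host, redacted in hits:
        print(f"line {line_no}: literal credential for {host}: {redacted}")
    sys.exit(1 if hits else 0)
```

The SSH form and the `${GITHUB_TOKEN}` reference pass; only the two lines with a literal token or password are reported, with the credential redacted so the finding itself does not leak it into CI logs.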