
feat: add --source-token for authenticating private repo pulls #178

Merged: philip-gai merged 1 commit into actions:main from philip-gai:pgai/source-token on Jun 23, 2026


philip-gai (Member) commented Jun 23, 2026

What

Adds a --source-token flag to actions-sync pull (and sync) so private repositories can be pulled from the source instance. Without it, pulling a private repo fails because the clone/fetch is unauthenticated. Inspired by #162.

Why

actions-sync could only pull public repositories. Customers mirroring private actions from a source GitHub instance had no way to authenticate the pull. This flag accepts a personal access token or a GitHub App installation token (ghs_*) and uses it for the underlying git clone/fetch.

Changes

  • Add --source-token flag to the pull/sync commands, threaded as a typed transport.AuthMethod (built once at the entrypoint; nil means anonymous, preserving existing behavior).
  • Use basic auth with username x-access-token so both PATs and App installation tokens work.
  • Reject --source-token when --source-url is insecure http:// (case-insensitive), so the token is never sent in cleartext.
  • Unit tests for the auth helper, validation, auth threading through clone/fetch, the multi-repo loop, and the auth-required error translation. Shared test doubles live in testutils_test.go.
  • README documentation for the new flag in the sync and pull sections.

Testing

  • go build, go vet, gofmt, and go test ./src/... all pass.
  • Validated end-to-end against a real GHES 3.21.1 instance using the instance as the source:
    • Pulling a private repo without the token fails with an authentication error.
    • Pulling the same private repo with a ghs_ installation token succeeds and fetches all refs.
    • Supplying the token over http:// is rejected before any network call.
philip-gai marked this pull request as ready for review June 23, 2026 19:44
philip-gai requested review from a team as code owners June 23, 2026 19:44
Copilot AI review requested due to automatic review settings June 23, 2026 19:44
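
The token handling listed in the PR description (a typed auth value built once, basic auth with username x-access-token, and rejection of http:// source URLs), as an added example that is not the PR's code. It uses only the Go standard library in place of go-git's transport.AuthMethod; buildSourceAuth, sourceAuth, errInsecureSource, the host and the sample token are assumed names and constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// sourceAuth is a local stand-in for a typed auth value (the PR uses go-git's
// transport.AuthMethod); a nil *sourceAuth means anonymous access.
type sourceAuth struct{ username, token string }

var errInsecureSource = errors.New("--source-token cannot be used with an http:// --source-url")

// buildSourceAuth (hypothetical helper) validates the flag pair once, at the
// entrypoint, before any network call is made.
func buildSourceAuth(sourceURL, token string) (*sourceAuth, error) {
	if token == "" {
		return nil, nil // no token: keep the existing anonymous behaviour
	}
	u, err := url.Parse(strings.TrimSpace(sourceURL))
	if err != nil {
		return nil, fmt.Errorf("invalid --source-url: %w", err)
	}
	// Case-insensitive scheme check, so "HTTP://" cannot slip past it.
	if strings.EqualFold(u.Scheme, "http") {
		return nil, errInsecureSource
	}
	// The fixed username lets PATs and ghs_ installation tokens share one path.
	return &sourceAuth{username: "x-access-token", token: token}, nil
}

// apply adds HTTP basic auth to a request; a nil receiver leaves it anonymous.
func (a *sourceAuth) apply(req *http.Request) {
	if a != nil {
		req.SetBasicAuth(a.username, a.token)
	}
}

func main() {
	const sample = "ghs_EXAMPLE_NOT_A_REAL_TOKEN" // constructed placeholder
	for _, src := range []string{"https://ghes.example.com", "HTTP://ghes.example.com"} {
		auth, err := buildSourceAuth(src, sample)
		fmt.Printf("%-26s auth=%t err=%v\n", src, auth != nil, err)
	}
}
```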

Copilot AI left a comment


Pull request overview

This PR adds optional authentication support for actions-sync pull (and by extension sync, which embeds PullOnlyFlags) so users can mirror private source repositories by providing a --source-token that is threaded through go-git clone/fetch operations.

Changes:

  • Adds --source-token CLI flag, builds a go-git transport.AuthMethod, and passes it through pull/clone/fetch call paths.
  • Introduces test doubles and new unit tests to verify auth construction, validation, and auth propagation.
  • Updates README to document the new flag for both sync and pull.

Summary per file:

  • src/pull.go: Adds the new flag, validation, auth helper, and threads auth into clone/fetch.
  • src/pull_test.go: Adds unit tests for auth helper, validation, and auth propagation through pull workflows.
  • src/testutils_test.go: Adds shared test doubles to record auth usage in clone/fetch.
  • README.md: Documents the new source-token flag in sync and pull sections.

Copilot's findings


Comments suppressed due to low confidence (1)

src/pull.go:120

  • Clone errors get a friendly message when authentication is required, but fetch errors return the raw go-git error. This matters when the repo already exists locally (clone skipped) or when credentials expire: an auth-required fetch will currently surface a low-level error instead of the intended guidance about authentication / existence.

	if err != nil && err != git.NoErrAlreadyUpToDate {
		return err

  • Files reviewed: 4/4 changed files
  • Comments generated: 3
Comment thread src/pull.go Outdated
Comment thread README.md Outdated
Comment thread README.md Outdated

danwkennedy left a comment

LGTM!

philip-gai merged commit 2fd4f12 into actions:main on Jun 23, 2026
4 checks passed
philip-gai deleted the pgai/source-token branch June 23, 2026 19:57
3 participants