7

I'm trying to build a GitHub action workflow that involves installing dependencies that exist within other private repos. I've tried all sorts of permutations (I've kinda lost track now) and I can't get any of them working.

I've created a secret, stored within TOKEN_GITHUB that grants access to other repositories, so I can install correctly, as I believe the provided one is scoped to just the current repo.

Here's an example GitHub workflow file, that ultimately deploys multiple Lambdas via CDK, but I've excluded that for simplicity:
deploy.yml

    name: Lint, Audit, Test & Deploy

    on:
        push:
            branches: [master]

    jobs:
        build:
            runs-on: ubuntu-latest
            if: "!contains(github.event.head_commit.message, 'ci skip')"

            steps:
                - uses: actions/checkout@v2
                - uses: actions/setup-node@v1
                  with:
                      node-version: 12
                - name: getList Lambda
                  run: |
                      cd lambdas
                      cd getList
                      npm ci
                      npm audit --production --audit-level=moderate
                - name: getItem Lambda
                  run: |
                      cd lambdas
                      cd getItem
                      npm ci
                      npm audit --production --audit-level=moderate
                - name: saveItem Lambda
                  run: |
                      cd lambdas
                      cd saveItem
                      npm ci
                      npm audit --production --audit-level=moderate


So basically this fails during the npm ci for the getList lambda. I've had various errors such as:

    npm ERR! git@github.com: Permission denied (publickey).
    npm ERR! fatal: Could not read from remote repository.

The package.json for my getList lambda looks like:

    {
        "name": "getList",
        "version": "1.0.0",
        "description": "",
        "main": "index.js",
        "scripts": {
            "test": "jest"
        },
        "dependencies": {
            "dotenv": "^8.2.0",
            "mongodb": "^3.5.7",
            "get-db": "MyUsername/getDB"
        },
        "devDependencies": {
            "jest": "^26.0.1"
        }
    }

I've also tried including the username:token in the package.json file, although I'm not comfortable having my token in there rather than a secret, but this didn't work anyway. I've also tried npm installing using an https path:

https://[email protected]/MyUsername/getDB.git

with a gitconfig line of git config --global url."https://${{secrets.TOKEN_GITHUB}}:[email protected]/".insteadOf https://[email protected]/

Can anyone see what I might be doing wrong here? The only thing that jumps to mind is maybe setting the gitconfig isn't shared across steps?

It is worth noting all my steps need a private dependency install which is why I split it up this way. Also pretty much everything I tried worked fine locally, it's just in actions it failed.

1 Answer

10

The reason that your git config line doesn't work is because of the way authentication works with actions/checkout. Your attempt to change the authentication is being overridden by the credentials persisted by the action. I've bumped into other issues related to this before and you can read a bit about what I discovered here if you are interested.

You'll be glad to know there is an easy fix here. Just disable authentication being persisted in git config by actions/checkout.

      - uses: actions/checkout@v2
        with:
          persist-credentials: false

Your package.json dependencies are fine as they are.

    "dependencies": {
        ...
        "get-db": "MyUsername/getDB"
    },

Here is an example workflow. PAT is a repo scoped Personal Access Token. Note that the git config change persists between steps so you only need to run it once per job.

      - uses: actions/checkout@v2
        with:
          persist-credentials: false
      - uses: actions/setup-node@v1
        with:
          node-version: 12.x
      - run: git config --global url."https://${{ secrets.PAT }}@github.com/".insteadOf ssh://git@github.com/
      - run: npm ci
      ...

2 Comments

Thanks so much, wish I'd have asked this before spending hours fighting with it :)
Hypothetically how would this work if you have multiple private repos?
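
The `git config` step from the answer above, written as shell functions together with a check of which URL forms the rule rewrites and whether `actions/checkout` left a credential behind. This is an added example, not part of the original answer; the function names and the `PAT` environment variable (set on the step with `env:` from the secret) are assumptions.

```shell
#!/bin/sh
# Added example. Function names and the PAT variable are assumptions; in the
# workflow, set PAT on the step with `env:` from the repository secret.

# Install the answer's rewrite rule in the global git config. Reading the
# token from the environment keeps it out of the script text itself.
configure_github_rewrite() {
    [ -n "${PAT:-}" ] || { echo "PAT is not set" >&2; return 1; }
    git config --global url."https://${PAT}@github.com/".insteadOf \
        "ssh://git@github.com/"
}

# Print the URL git would contact for $1. --get-url applies insteadOf rules
# and exits without touching the network. The output contains the token.
effective_url() {
    git ls-remote --get-url "$1"
}

# Succeed only if the repository at $1 holds no http.<url>.extraheader entry,
# which is where actions/checkout stores its credential when
# persist-credentials is left enabled.
no_persisted_credentials() {
    ! git -C "$1" config --local --get-regexp '^http\..*\.extraheader$' \
        >/dev/null 2>&1
}

# Drop the whole [url "..."] section once installs are done. Unsetting only
# the insteadOf key can leave the section header, and the token in it, behind.
remove_github_rewrite() {
    git config --global --remove-section "url.https://${PAT}@github.com/"
}
```

The rule is a prefix match: `ssh://git@github.com/...` URLs for any repository are rewritten, while the scp-style `git@github.com:owner/repo` form is left unchanged.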
