How to bundle install private gem in github actions

I would like to run rspec on a gem (call it priv_gem_a) via github actions.

priv_gem_a depends on another gem that's in a private repo (call it priv_gem_b). However, I cannot bundle install priv_gem_b due to invalid permissions.

Error:

Fetching gem metadata from https://rubygems.org/..........
Fetching git@github.com:myorg/priv_gem_b
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Host key verification failed.
Retrying `git clone 'git@github.com:myorg/priv_gem_b' "/opt/hostedtoolcache/Ruby/2.6.3/x64/lib/ruby/gems/2.6.0/cache/bundler/git/priv_gem_b-886cdb130fe04681e92ab5365f7a1c690be8e62b" --bare --no-hardlinks --quiet` due to error (2/4): Bundler::Source::Git::GitCommandError Git error: command `git clone 'git@github.com:myorg/priv_gem_b' "/opt/hostedtoolcache/Ruby/2.6.3/x64/lib/ruby/gems/2.6.0/cache/bundler/git/priv_gem_b-886cdb130fe04681e92ab5365f7a1c690be8e62b" --bare --no-hardlinks --quiet` in directory /home/runner/work/priv_gem_a/priv_gem_a has failed.

I assume this is something to do with the runner not having access to differing private repos in the same org.

So I tried adding environment vars to my workflow file, including GITHUB_TOKENs, but that doesn't work:

name: Test Code

on:
   push:
     branches:
     - master

jobs:
  test:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v1
    - name: Set up Ruby 2.6
      uses: actions/setup-ruby@v1
      with:
        ruby-version: 2.6.x
    - name: Install dependencies
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        BUNDLE_GITHUB__COM: ${{ secrets.GITHUB_TOKEN }}:x-oauth-basic
      run: |
        gem install bundler
        gem update bundler
        bundle install --without development --jobs 4 --retry 3
    - name: Test with RSpec
      run: |
        bundle exec rspec

Just a snippet from the Gemfile regarding this:

gem 'priv_gem_b', '>= 7.0.1', '< 8', git: 'git@github.com:my_org/priv_gem_b', branch: :master

Stefan Collier asked Sep 11 '19 10:09

1 Answer

I'm fairly sure the default secret GITHUB_TOKEN in a repository is only scoped to that repository. You cannot use it to access other repositories.

Try using a repo scoped token instead. Create one at https://github.com/settings/tokens and then add it as a secret to the repository your workflow runs in. It will be under https://github.com/[username]/[repo]/settings/secrets

Use that secret in your workflow instead of GITHUB_TOKEN.

BUNDLE_GITHUB__COM: ${{ secrets.REPO_SCOPED_TOKEN }}:x-oauth-basic

Or, use the x-access-token method, which I think is preferable.

BUNDLE_GITHUB__COM: x-access-token:${{ secrets.REPO_SCOPED_TOKEN }}

Additionally, I think you need to change the reference to the private gem so that it uses HTTPS. The way that you are referencing it now means that it will try to use an SSH key instead of the token defined in BUNDLE_GITHUB__COM.

gem 'my_private_repo', git: 'https://github.com/username/my_private_repo.git'

peterevans answered Sep 20 '22 21:09
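
The check implied by the answer above, as an added example that is not part of the original question or answer: a small Ruby pre-flight script that lists each git source in a Gemfile, flags the ones using SSH (which never pick up the BUNDLE_GITHUB__COM credential), and names the environment variable Bundler would read for that host. The function names and the sample Gemfile are constructed for illustration; the variable naming follows Bundler's documented rule for environment variables ("." becomes "__", "-" becomes "___").

```ruby
# Added example: audit a Gemfile's git sources before `bundle install` in CI.
# Function names and SAMPLE_GEMFILE are constructed for illustration.

SSH_URL   = %r{\Assh://(?:[\w.-]+@)?([\w.-]+)(?::\d+)?/(.+)\z}
SSH_SCP   = %r{\A(?:[\w.-]+@)?([\w.-]+):(?!//)(.+)\z} # git@host:org/repo
HTTPS_URL = %r{\Ahttps://(?:([^/@]+)@)?([\w.-]+)/(.+)\z}

# Bundler looks up per-host credentials in BUNDLE_<HOST>, where "." in the
# host is written as "__" and "-" as "___".
def bundler_env_key(host)
  "BUNDLE_" + host.upcase.gsub("-", "___").gsub(".", "__")
end

# One finding per git source: which transport it uses, which variable would
# carry its credential, and the HTTPS form to switch to if it is SSH.
def audit_git_sources(gemfile_text)
  gemfile_text.scan(/\bgit(?::|\s*=>)\s*['"]([^'"]+)['"]/).flatten.map do |url|
    if (m = SSH_URL.match(url) || SSH_SCP.match(url))
      { url: url, transport: :ssh, uses_env_credential: false,
        env_key: bundler_env_key(m[1]), https_url: "https://#{m[1]}/#{m[2]}" }
    elsif (m = HTTPS_URL.match(url))
      # A credential written into the URL ends up in the repo and in logs;
      # keep it in the CI secret instead.
      { url: url, transport: :https, uses_env_credential: m[1].nil?,
        env_key: bundler_env_key(m[2]), embedded_credential: !m[1].nil? }
    else
      { url: url, transport: :unknown, uses_env_credential: false }
    end
  end
end

SAMPLE_GEMFILE = <<~GEMFILE # constructed sample, mirrors the lines on this page
  source 'https://rubygems.org'
  gem 'priv_gem_b', '>= 7.0.1', '< 8', git: 'git@github.com:my_org/priv_gem_b', branch: :master
  gem 'my_private_repo', git: 'https://github.com/username/my_private_repo.git'
GEMFILE

if __FILE__ == $PROGRAM_NAME
  audit_git_sources(SAMPLE_GEMFILE).each do |f|
    status = f[:uses_env_credential] ? "ok  " : "FAIL"
    puts "#{status} #{f[:transport]} #{f[:url]} (credential: #{f[:env_key]})"
    puts "     use #{f[:https_url]}" if f[:https_url]
    puts "     remove the credential from the URL" if f[:embedded_credential]
  end
end
```

Run as a step before bundle install, it reports the priv_gem_b line as SSH and prints the HTTPS URL to use in its place.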