I'm trying to build a GitHub action workflow that involves installing dependencies that exist within other private reps. I've tried all sorts of permutations (I've kinda lost track now) and I can't get any of them working.
I've created a secret, stored within TOKEN_GITHUB, that grants access to other repositories, so I can install correctly, as I believe the provided one is scoped to just the current rep.
Here's an example GitHub workflow file, that ultimately deploys multiple Lambdas via CDK, but I've excluded that for simplicity:
deploy.yml
name: Lint, Audit, Test & Deploy
on:
  push:
    branches: [master]
jobs:
  build:
    runs-on: ubuntu-latest
    if: "!contains(github.event.head_commit.message, 'ci skip')"
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v1
        with:
          node-version: 12
      - name: getList Lambda
        run: |
          cd lambdas
          cd getList
          npm ci
          npm audit --production --audit-level=moderate
      - name: getItem Lambda
        run: |
          cd lambdas
          cd getItem
          npm ci
          npm audit --production --audit-level=moderate
      - name: saveItem Lambda
        run: |
          cd lambdas
          cd saveItem
          npm ci
          npm audit --production --audit-level=moderate
So basically this fails during the npm ci for the getList lambda. I've had various errors such as:
npm ERR! git@github.com: Permission denied (publickey).
npm ERR! fatal: Could not read from remote repository.
The package.json for my getList lambda looks like:
{
  "name": "getList",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "jest"
  },
  "dependencies": {
    "dotenv": "^8.2.0",
    "mongodb": "^3.5.7",
    "get-db": "MyUsername/getDB"
  },
  "devDependencies": {
    "jest": "^26.0.1"
  }
}
I've also tried including the username:token in the package.json file, although I'm not comfortable having my token in there rather than a secret, but this didn't work anyway. I've also tried npm installing using an https path:
https://[email protected]/MyUsername/getDB.git
with a gitconfig line of
git config --global url."https://${{secrets.TOKEN_GITHUB}}:[email protected]/".insteadOf https://[email protected]/
Can anyone see what I might be doing wrong here? The only thing that jumps to mind is maybe setting the gitconfig isn't shared across steps?
It is worth noting all my steps need a private dependency install which is why I split it up this way. Also pretty much everything I tried worked fine locally, it's just in actions it failed.
The reason that your git config line doesn't work is because of the way authentication works with actions/checkout. Your attempt to change the authentication is being overridden by the credentials persisted by the action. I've bumped into other issues related to this before and you can read a bit about what I discovered here if you are interested.
You'll be glad to know there is an easy fix here. Just disable authentication being persisted in git config by actions/checkout.
- uses: actions/checkout@v2
  with:
    persist-credentials: false
Your package.json dependencies are fine as they are.
"dependencies": {
  ...
  "get-db": "MyUsername/getDB"
},
Here is an example workflow. PAT is a repo scoped Personal Access Token. Note that the git config change persists between steps so you only need to run it once per job.
- uses: actions/checkout@v2
  with:
    persist-credentials: false
- uses: actions/setup-node@v1
  with:
    node-version: 12.x
- run: git config --global url."https://${{ secrets.PAT }}@github.com/".insteadOf ssh://git@github.com/
- run: npm ci
...
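A way to check the rewrite from the answer above without touching the network, as an added example that is not part of the original answer. The token value, the full ssh:// URL for getDB and the function names are constructed for illustration; `http.https://github.com/.extraheader` is the local config key where actions/checkout v2 persists its token.

```shell
#!/bin/sh
# Added example: verify the insteadOf rewrite and look for credentials
# left behind by actions/checkout. TOKEN is a constructed placeholder.

# Throwaway HOME so the real git configuration is never modified.
HOME="$(mktemp -d)"; export HOME
XDG_CONFIG_HOME="$HOME/.config"; export XDG_CONFIG_HOME
GIT_CONFIG_NOSYSTEM=1; export GIT_CONFIG_NOSYSTEM
TOKEN="constructed-placeholder-token"

# Same rewrite as the workflow step, with the placeholder token.
# Note that this writes the token in plaintext into the global git config.
git config --global url."https://${TOKEN}@github.com/".insteadOf ssh://git@github.com/

# Print the URL git would contact for $1 after applying insteadOf rules.
# --get-url exits before any connection is made.
rewritten_url() {
  git ls-remote --get-url "$1"
}

# Same as rewritten_url, but with the userinfo part masked so the
# token is never echoed into a build log.
masked_url() {
  rewritten_url "$1" | sed -E 's#^(https://)[^@/]+@#\1***@#'
}

# Succeeds if the repository at $1 still carries an auth header in its
# local config, which is what persist-credentials: false prevents.
has_persisted_header() {
  git -C "$1" config --local --get-regexp '^http\..*\.extraheader$' >/dev/null 2>&1
}

# Assumed URL form for the "MyUsername/getDB" dependency (constructed).
masked_url "ssh://git@github.com/MyUsername/getDB.git"
# An https:// URL is not covered by this rule and is printed unchanged.
masked_url "https://github.com/MyUsername/getDB.git"
```

In a workflow, `has_persisted_header "$GITHUB_WORKSPACE"` should fail after a checkout with `persist-credentials: false`.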