Install GitHub repo within GitHub Action Workflow

Question

I'm trying to build a GitHub action workflow that involves installing dependencies that exist within other private reps. I've tried all sorts of permutations (I've kinda lost track now) and I can't get any of them working.

I've created a secret, stored within TOKEN_GITHUB that grants access to other repositories, so I can install correctly, as I believe the provided one is scoped to just the current rep.

Here's an example GitHub workflow file, that ultimately deploys multiple Lambdas via CDK, but I've excluded that for simplicity:
deploy.yml

name: Lint, Audit, Test & Deploy

on:
    push:
        branches: [master]

jobs:
    build:
        runs-on: ubuntu-latest
        if: "!contains(github.event.head_commit.message, 'ci skip')"

        steps:
            - uses: actions/checkout@v2
            - uses: actions/setup-node@v1
              with:
                  node-version: 12
            - name: getList Lambda
              run: |
                  cd lambdas
                  cd getList
                  npm ci
                  npm audit --production --audit-level=moderate
            - name: getItem Lambda
              run: |
                  cd lambdas
                  cd getItem
                  npm ci
                  npm audit --production --audit-level=moderate
            - name: saveItem Lambda
              run: |
                  cd lambdas
                  cd saveItem
                  npm ci
                  npm audit --production --audit-level=moderate

So basically this fails during the npm ci for the getList lambda. I've had various errors such as:

npm ERR! [email protected]: Permission denied (publickey). npm ERR! fatal: Could not read from remote repository.

The package.json for my getList lambda looks like:

{
    "name": "getList",
    "version": "1.0.0",
    "description": "",
    "main": "index.js",
    "scripts": {
        "test": "jest"
    },
    "dependencies": {
        "dotenv": "^8.2.0",
        "mongodb": "^3.5.7",
        "get-db": "MyUsername/getDB"
    },
    "devDependencies": {
        "jest": "^26.0.1"
    }
}

I've also tried including the username:token in the package.json file although I'm not comfortable having my token in their rather than a secret, but this didn't work anyway. I've also tried npm installing using an https path:

https://[email protected]/MyUsername/getDB.git

with a gitconfig line of git config --global url."https://${{secrets.TOKEN_GITHUB}}:[email protected]/".insteadOf https://[email protected]/

Can anyone see what I might be doing wrong here? The only thing that jumps to mind is maybe setting the gitconfig isn't shared across steps?

It is worth noting all my steps need a private dependency install which is why I split it up this way. Also pretty much everything I tried worked fine locally, it's just in actions it failed.

Answer 1

The reason that your git config line doesn't work is because of the way authentication works with actions/checkout. Your attempt to change the authentication is being overridden by the credentials persisted by the action. I've bumped into other issues related to this before and you can read a bit about what I discovered here if you are interested.

You'll be glad to know there is an easy fix here. Just disable authentication being persisted in git config by actions/checkout.

      - uses: actions/checkout@v2
        with:
          persist-credentials: false

Your package.json dependencies are fine as they are.

    "dependencies": {
        ...
        "get-db": "MyUsername/getDB"
    },

Here is an example workflow. PAT is a repo scoped Personal Access Token. Note that the git config change persists between steps so you only need to run it once per job.

      - uses: actions/checkout@v2
        with:
          persist-credentials: false
      - uses: actions/setup-node@v1
        with:
          node-version: 12.x
      - run: git config --global url."https://${{ secrets.PAT }}@github.com/".insteadOf ssh://[email protected]/
      - run: npm ci
      ...