
Cloning private github repository within organisation in actions

I have 2 private GitHub repositories (say A and B) in the organization (say ORG). Repository A has repository B in requirements.txt:

-e git+git@github.com:ORG/B.git#egg=B

And I have the following workflow for A (in .github/workflows/test.yml ):

name: Python package

on: push

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v1

    - name: Install requirements
      run: |
        pip install -r requirements.txt

    - name: Test with pytest
      run: |
        pytest ./tests

As B is private, it fails on installing it.

Is it possible to install B while testing A in this workflow if they are in the same organization? How?

Since access tokens are bound to an account and have write access to all its private repos, it's a very bad solution.

Instead, use deploy keys.

Deploy keys

Deploy keys are simply SSH keys that you can use to clone a repo.

  1. Create a new SSH key pair on your computer
  2. Put the public key in the private dependency repo's Deploy keys
  3. Put the private key in the app repo's Actions secrets
  4. Delete the keys from your computer

Secrets

Once it's set, you can set the private key in the GitHub Action's SSH Agent. There's no need to import a third-party GitHub Action, a 2-liner will suffice.

eval `ssh-agent -s`
ssh-add - <<< '${{ secrets.PRIVATE_SSH_KEY }}'
pip install -r requirements.txt

I found that ssh-add command here.
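The deploy-key approach from the answer above, assembled into the question's workflow as an added example (not code from the original posts). It assumes the secret is named PRIVATE_SSH_KEY, as in the answer, and passes the key to the shell through an environment variable rather than expanding it inside the script text.

```yaml
# Added example: workflow for repository A that installs private repository B
# through a deploy key. Assumption: the private key is stored in A's Actions
# secrets as PRIVATE_SSH_KEY, and the public half is a deploy key on B with
# "Allow write access" left unchecked (read-only).
name: Python package

on: push

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v1

    - name: Install requirements (private dependency over SSH)
      env:
        # Hand the key to the shell as an environment variable instead of
        # expanding the secret expression inside the script body.
        PRIVATE_SSH_KEY: ${{ secrets.PRIVATE_SSH_KEY }}
      run: |
        # The agent's socket variables exist only in this step's shell, so
        # loading the key and running pip must happen in the same step.
        eval "$(ssh-agent -s)"
        # Stop the agent when the step ends, even if pip fails.
        trap 'ssh-agent -k' EXIT
        ssh-add - <<< "$PRIVATE_SSH_KEY"
        # List the loaded key by fingerprint only (no key material is printed).
        ssh-add -l
        pip install -r requirements.txt

    - name: Test with pytest
      run: |
        pytest ./tests
```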

I did it this way!

- uses: actions/checkout@v1
  with:
    repository: organization_name/repo_name
    token: ${{ secrets.ACCESS_TOKEN }}

You need to provide a valid token; you can generate it following this guide.

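Use an SSH key without a passphrase to access repository B, or create an access token for that repository and then use the access token as the password to access the repository over HTTPS: https://USERNAME:TOKEN@github.com/ORG/B.git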

Instead of checking out twice, all you need is to provide the TOKEN for pip to access repo B.

    - name: Install requirements
      run: |
        git config --global url."https://${{ secrets.ACESS_TOKEN }}@github".insteadOf https://github
        pip install -r requirements.txt

I added this line

git+https://YOUR_TOKEN_HERE@github.com/ORG/REPO_NAME.git@master#egg=REPO_NAME

to my requirements.txt and it worked. But as other people mentioned, your token will be exposed to anyone having access to this repository. It is probably best to use a secret in your repository.

Complementing Philippe Remy's response ...

Note that #egg is not necessarily the name of the GitHub repository. You will need to see this in setup.py or setup.cfg.

Using deployment keys you can do

- uses: actions/checkout@v2
  with:
    ssh-key: ${{ secrets.SSH_PRIVATE_KEY }}
    repository: organization_name/repo_name

For this to work you need to

  • generate SSH keys locally
  • add the pub key as a deployment key to the private repo
  • add the private key as a secret named SSH_PRIVATE_KEY

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 