0

I have two private repositories in the same organization, say repository A and B, both of which are python packages. I have a "GitHub Actions workflow" to test repository B for each PR. However, repository B depends on repository A, so I would need to install it.
I tried following this GitHub document, however, it specifically states

GITHUB_TOKEN cannot install packages from any private repository besides the repository where the action runs.

How do I go about implementing this installation?

Martijn Pieters
  • 1,048,767
  • 296
  • 4,058
  • 3,343
Dominus
  • 808
  • 11
  • 25

1 Answers1

1

That just means, that you cannot use the predefined GITHUB_TOKEN. Create a personal access token (PAT) with read:packages scope and add it as a secret to your repository.

If you need a token that requires permissions that aren't available in the GITHUB_TOKEN, you can create a personal access token and set it as a secret in your repository:

  1. Use or create a token with the appropriate permissions for that repository. For more information, see "Creating a personal access token".
  2. Add the token as a secret in your workflow's repository, and refer to it using the ${{ secrets.SECRET_NAME }} syntax. For more information, see "Creating and using encrypted secrets".

Source: https://docs.github.com/en/free-pro-team@latest/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token

riQQ
  • 9,878
  • 7
  • 49
  • 66
  • 1
    Forgot to answer my own question, indeed this is the only possible way to do it. Github recommends in the docs to have a "bot" user which can be used to do just this. – Dominus Oct 07 '20 at 06:56
  • So the solution is to use my personal credentials, even when other users in my organization run the workflow? I don't like that, and our corporate security dept. wouldn't like the "bot user" approach since you lose the ability to audit who really did something. – Kelly Denehy Sep 14 '22 at 14:47
  • @KellyDenehy It's not optimal but at least it's read-only access only to packages, so nothing can't be changed. – riQQ Sep 14 '22 at 21:27
  • This answer suggests using ssh "GitHub deploy" keys, which avoids the personal PAT issue. Please correct me if that doesn't work, I haven't tried it: https://stackoverflow.com/a/70283191/5156887 – Nick Crews Oct 06 '22 at 17:26