2

I have seen some answers on the internet on how to clone private repositories in CI, but they seem to use GitLab or Bitbucket. I want to do the same thing with GitHub Actions.

I have private repo A which depends on private repo B. When I try to execute `cargo build` in GitHub Actions for repo A, I get this error:

```
error: failed to get `b` as a dependency of package `a`
Caused by:
  failed to load source for dependency `b`
Caused by:
  Unable to update https://github.com/me/b.git
Caused by:
  failed to clone into: /home/runner/.cargo/git/db/b-c42bbf84fef750c8
Caused by:
  failed to authenticate when downloading repository
  * attempted to find username/password via git's `credential.helper` support, but failed
  if the git CLI succeeds then `net.git-fetch-with-cli` may help here
  https://doc.rust-lang.org/cargo/reference/config.html#netgit-fetch-with-cli
Caused by:
  failed to acquire username/password from local configuration
```

I have seen something with SSH agents, but it looks very complex from my POV.

Shepmaster
NoKey
  • You could try generating [GitLab access tokens](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html), store them in a [Secret](https://docs.github.com/en/actions/reference/encrypted-secrets) in your GitHub repo and use them to clone the private repositories by [changing the repo URL to include the token](https://stackoverflow.com/questions/25409700/using-gitlab-token-to-clone-without-authentication). Though from a security standpoint, personal access tokens might not be the best choice; maybe you can use a project-specific token instead for increased isolation. – Tobias Ribizel Mar 05 '21 at 12:49
  • @TobiasRibizel I am not using GitLab, just GitHub – NoKey Mar 05 '21 at 12:52
  • Right, sorry, I skimmed that too quickly. Still, the answer is the same: You need to provide a GitHub token that is allowed to access the private repository you want to clone, store it as a secret and use it in the repository URL or maybe in git's credentials helper directly? – Tobias Ribizel Mar 05 '21 at 13:00
  • @TobiasRibizel I cannot see any reference on how to include a secret key in the URL. The link you mentioned has some answers on how to do it in GitLab, although some are saying it doesn't work. I will try to make it work with Git credentials helper – NoKey Mar 05 '21 at 13:07
  • We use `https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@github.com/repo` in our scripts, which works fine, even though the specific username doesn't seem to matter that much, only the token does – Tobias Ribizel Mar 05 '21 at 13:10
  • Do both private repos need the same credentials? – emi Mar 05 '21 at 13:32
  • Do you accept having different build dependencies in the GitHub Workflow/Action than in development? Like what @TobiasRibizel suggests – emi Mar 05 '21 at 13:33
  • @TobiasRibizel Thanks!!! Finally a simple solution that works. If you post your comment as an answer, I am happy to accept it :) – NoKey Mar 05 '21 at 16:40
  • @emi I think Cargo.lock remembers the same commit, so the dependencies remain the same – NoKey Mar 05 '21 at 16:42

1 Answer

1

You need to pass the credentials needed to access the private repo to the failing step. This means the git SSH downloader needs a key to authenticate against the GitHub service.

If using the git command (which is what `cargo build` looks like it does), you need a dedicated key (AKA: deploy key) for this to work.

Alternatively, you can write your own action using `GITHUB_TOKEN` to perform the download, just as checkout does.

emi
  • 1
    I don't use submodules and writing my own actions to perform the download seems overkill. I can provide a secret key with the checkout action (by using the token config). I was hoping I could do something similar with Cargo – NoKey Mar 05 '21 at 13:10
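
The approach discussed in the comments and the answer (a token that can read repo B, stored as a secret and handed to git) can be done without putting the token in a URL. The following is an added example, not part of the original thread: `DEP_REPO_TOKEN` and the function names are hypothetical, and `x-access-token` is only a placeholder username, since, as noted in the comments, only the token matters.

```shell
#!/bin/sh
# Added example. DEP_REPO_TOKEN is a hypothetical, exported environment
# variable; in a workflow it would be mapped from a repository secret.

# Register a credential helper for github.com that answers from the environment.
setup_private_dep_auth() {
    if [ -z "${DEP_REPO_TOKEN:-}" ]; then
        echo "DEP_REPO_TOKEN is empty; the fetch of the private dependency would fail" >&2
        return 1
    fi
    # Single quotes: git stores the literal text $DEP_REPO_TOKEN, not its value,
    # so the token is never written to the git config or into a repository URL.
    git config --global credential.https://github.com.helper \
        '!f() { test "$1" = get && printf "username=x-access-token\npassword=%s\n" "$DEP_REPO_TOKEN"; }; f'
    # Fetch through the git CLI, as the error message in the question suggests.
    # An export only lasts for the current shell, so run cargo in the same step.
    export CARGO_NET_GIT_FETCH_WITH_CLI=true
}

# Return 0 if git would obtain a password for github.com. Never prints it.
helper_answers() {
    printf 'protocol=https\nhost=github.com\n\n' |
        GIT_TERMINAL_PROMPT=0 git credential fill 2>/dev/null |
        grep -q '^password=.'
}

# Return 0 if the token value itself ended up in the stored helper (it should not).
token_on_disk() {
    git config --global --get credential.https://github.com.helper |
        grep -qF -- "$DEP_REPO_TOKEN"
}

# Typical use inside one workflow step:
#   setup_private_dep_auth && helper_answers && cargo build
```

In the workflow, map the secret to `DEP_REPO_TOKEN` in the step's `env:` block and keep `cargo build` in that same step, because both the variable and the export are scoped to it.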