I'm in doubt how to ensure that my git repo is set up to use a personal access token.
The docs tell me to do:
But I found that I'm always able to check out the repo without passing my PAT, so I suspect act falls back to using my local SSH key?
Here is a simple workflow:
Which I run with:
The checkout runs fine. The problem arises when I attempt to perform any actions that require access to the Git remote:
This fails with:
I then figured I'll try to pass the PAT:
Error committing but checkout still works fine.
Then I did some more reading and found that if you pass with > token to the checkout action it will use your PAT:
It still fails to commit and push but I can see that the token is obscured with *** and printed out. I also noticed that I'm able to pop the GITHUB_TOKEN over in a (gitignored) .env. I don't know if it has any adverse effects compared to running with the -s flag, but it is a bit more convenient.
I read over on the repo for actions/checkout@v4:
"Personal access token (PAT) used to fetch the repository. The PAT is configured with the local git config, which enables your scripts to run authenticated git commands. The post-job step removes the PAT." (https://arc.net/l/quote/jtuxxtol)
Based on this, I would have expected when the repo was checked out it was configured to fetch with the PAT provided and that the commands under "Commit stuff" would do the same?
After a lot of digging around I came to this workaround:
Key part being that I remove the origin remote and add it again with user and token encoded on the URL. It seemed a bit hacky, but I was ready to move on, when I started thinking about the fact that setting the remote writes the URL which now has my secret token embedded as clear-text into the ./git/config file. So this is a security concern.
Could someone guide me on how I'm supposed to set this up?
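An added example, not part of the original post and not code from act or actions/checkout: shell functions that find a token written into a remote URL in a git config file, strip it, and push with a credential helper that reads the token from the environment so it is never stored in the config. The function names and `ENV_TOKEN_HELPER` are hypothetical, and it assumes `GITHUB_TOKEN` is exported in the step's environment.

```shell
#!/bin/sh
# Added example; names are hypothetical and sample values are constructed.

# List remote URLs in a git config file that carry userinfo (user:secret@host).
# The secret is masked so the report itself is safe to print in a job log.
find_embedded_creds() {
    # $1 = path to a git config file, e.g. .git/config
    grep -E '^[[:space:]]*(push)?url[[:space:]]*=[[:space:]]*https?://[^/@[:space:]]+@' "$1" \
        | sed -E 's#(https?://)[^/@]*@#\1***@#; s#^[[:space:]]*##'
}

# Return the URL without its userinfo part, suitable for `git remote set-url`.
strip_userinfo() {
    printf '%s\n' "$1" | sed -E 's#^(https?://)[^/@]*@#\1#'
}

# Inline credential helper: git runs it only when the remote asks for
# authentication, and it reads the token from the environment at that moment.
# Nothing is written to .git/config. x-access-token is the username commonly
# used with GitHub tokens over HTTPS.
ENV_TOKEN_HELPER='!f() { echo username=x-access-token; echo "password=${GITHUB_TOKEN}"; }; f'

# Push without persisting the token.
push_with_env_token() {
    # $1 = repo dir, $2 = remote name, $3 = refspec
    # The empty credential.helper= clears helpers inherited from other config
    # files, so only the inline helper answers.
    git -C "$1" -c credential.helper= -c "credential.helper=${ENV_TOKEN_HELPER}" \
        push "$2" "$3"
}
```

If `find_embedded_creds .git/config` prints anything, reset the remote with `git remote set-url origin "$(strip_userinfo "$url")"` and treat the token as exposed to anything that could read that file.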