What is the correct way to run git commands with Github personal access token?

[zkwsk]

I'm in doubt how to ensure that my git repo is set up to use personal access token.

The docs tell me to do:

act pull_request -s  GITHUB_TOKEN=xxxxxxxx

But I found that I'm always able to check out the repo without passing my PAS, so I suspect act falls back to using my local SSH key?

Here is a simple workflow:

name: Make a commit
on:
  pull_request:
    branches:
      - main
    types: ['closed']
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Git checkout
        uses: actions/checkout@v4

Which I run with:

act pull_request

The checkout runs fine. The problem arise when I attempt to perform any actions that require access to the Git remote:

name: Make a commit
on:
  pull_request:
    branches:
      - main
    types: ['closed']
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Git checkout
        uses: actions/checkout@v4
      - name: Git Config
        run: |
          git config --global user.email "github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"
      - name: Commit stuff
        run: |
          git commit --allow-empty -m "sample commit"
          git push

This fails with:

| [email protected]: Permission denied (publickey).
| fatal: Could not read from remote repository.

I then figured I'll try to pass the PSA:

act -s GITHUB_TOKEN=HERE_IS_MY_ACTUAL_TOKEN

Error committing but checkout still works fine.

Then I did some more reading and found that if you pass with > token to the checkout action it will use your PSA:

name: Make a commit
on:
  pull_request:
    branches:
      - main
    types: ['closed']
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Git checkout
        uses: actions/checkout@v4
        with:
          token: ${{ env.GITHUB_TOKEN }}
      - name: Git Config
        run: |
          git config --global user.email "github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"
      - name: Commit stuff
        run: |
          echo ${{ env.GITHUB_TOKEN }}
          git commit --allow-empty -m "sample commit"
          git push

It still fails to commit and push but I can see that the token is obscured with *** and printed out. I also noticed that I'm able to pop the GITHUB_TOKEN over in a (gitignored) .env. I don't know if it has any adverse affects compared to running with the -s flag, but it is a bit more convenient.

I read over on the repo for actions/checkout@v4:

"Personal access token (PAT) used to fetch the repository. The PAT is configured with the local git config, which enables your scripts to run authenticated git commands. The post-job step removes the PAT." (https://arc.net/l/quote/jtuxxtol)

Based on this, I would have expected when the repo was checked out it was configured to fetch with the PAT provided and that the commands under "Commit stuff" would do the same?

After a lot of digging around I came to this workaround:

name: Make a commit
on:
  pull_request:
    branches:
      - main
    types: ['closed']
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Git checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ env.GITHUB_TOKEN }}
      - name: Git Config
        run: |
          git config --global user.email "github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"
          git remote remove origin
          git remote add org https://GITHUB_ACTIONS_BOT:${{ env.GITHUB_TOKEN }}@github.com/ProjectDreamforest/aves.git
      - name: Commit stuff
        run: |
          echo ${{ env.GITHUB_TOKEN }}
          git commit --allow-empty -m "sample commit"
          git push

Key part being that I remove the origin remote and add it again with user and token encoded on the URL. It seemed a bit hacky, but I was ready to move on, when I started thinking about the fact that setting the remote writes the URL which now has my secret token embedded as clear-text into the ./git/config file. So this is a security concern.

Could someone guide me on how I'm supposed to set this up?

[victoralvelais]

Hey, did you ever figure out how to make this work?