GitHub Actions Unable to Clone secondary Internal Repository Using GITHUB_TOKEN in Workflow – Repository Not Found Error

[bhabanistr]

I'm encountering an issue with GitHub Actions while trying to clone an internal repository using the GITHUB_TOKEN in a workflow. The secondary repository exists within the same organization (iEnterpriseInternal/streamline-helm), but the workflow fails with the error:

fatal: repository 'https://github.com/iEnterpriseInternal/streamline-helm/' not found
The process '/usr/bin/git' failed with exit code 128

Workflow Configuration:

name: Dev API Deployment

on:
  workflow_dispatch:
  push:
    branches:
      - dev_update

jobs:
  dev_build:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Checkout primary repository
        uses: actions/checkout@v4
        with:
          ref: dev_update
          path: ie-network-api

      - name: Clone secondary repository (streamline-helm)
        uses: actions/checkout@v4
        with:
          repository: iEnterpriseInternal/streamline-helm
          token: ${{ secrets.GITHUB_TOKEN }}
          ref: dev
          path: streamline-helm

Key details:

• Both the primary and secondary repositories are internal to the organization.
• The same GITHUB_TOKEN is used for both, with the permissions set to read/write.
• The workflow successfully checks out the primary repository but fails when attempting to clone the secondary one.
• The secondary repository is configured as an internal repository, and the branch dev exists.
• The secondary repository is made accessible from repositories in the organization

Steps already taken:

• Verified the repository name and branch.
• Checked GITHUB_TOKEN permissions and workflow settings.
• Ensured organization settings allow cross-repository access for GitHub Actions.

Looking for help on how to resolve this issue and ensure the GitHub Action runner has proper access to clone the secondary repository.

[behdad088]

Hi @bhabanistr
I am not 100% sure this will help you, but I had pretty much the same issue and solved this as below.
The issue you’re encountering while trying to clone a secondary repository using GitHub Actions and the GITHUB_TOKEN is most likely related to permissions and access rights between repositories within the same organization.

Here’s how you can resolve the issue and ensure that the GitHub Action runner has the correct access to clone the secondary repository:

1. Understanding GITHUB_TOKEN Scope:

The default GITHUB_TOKEN provided in GitHub Actions has limited access to repositories. It only has access to the repository where the workflow is running by default. To allow access to another internal repository within the same organization, you need to configure the permissions properly.

2. Adjusting Workflow Permissions:

Since you’re working with internal repositories, ensure that you explicitly set the permissions needed for accessing the second repository. You’ve already set the contents: write and pull-requests: write permissions, which is good, but you may need to enable read permissions for the contents as well.

Add the following under permissions in the jobs section:

permissions:
  contents: write
  pull-requests: write
  packages: read
  issues: read

3. Use a Personal Access Token (PAT) Instead of GITHUB_TOKEN:

Sometimes, the default GITHUB_TOKEN might not have enough access, especially for cross-repository operations. Using a Personal Access Token (PAT) with more explicit permissions can help resolve the issue.

•	Generate a PAT:
1.	Go to [GitHub Settings](https://github.com/settings/tokens) > Developer settings > Personal Access Tokens.
2.	Create a token with the appropriate scopes, like repo, workflow, and write:packages.
•	Store the PAT in GitHub Secrets:
1.	Navigate to your repository > Settings > Secrets and Variables > Actions > New repository secret.
2.	Add the PAT as a secret, e.g., PERSONAL_ACCESS_TOKEN.
•	Modify the Workflow to Use PAT:

Replace the token: ${{ secrets.GITHUB_TOKEN }} with token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} in your workflow:

- name: Clone secondary repository (streamline-helm)
  uses: actions/checkout@v4
  with:
    repository: iEnterpriseInternal/streamline-helm
    token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
    ref: dev
    path: streamline-helm

4. Verify Repository Visibility:

Double-check that the secondary repository (iEnterpriseInternal/streamline-helm) is accessible to the organization and allows the workflow in your primary repository to access it.

•	Repository Settings: Go to the secondary repository’s settings and verify the visibility (ensure it’s set to internal or private, but accessible within the organization).
•	Access Policies: Ensure that GitHub Actions workflows have access to the secondary repository by checking the organization’s settings. You may need to allow cross-repository access for internal/private repositories.

5. Cross-Repository Access in Organization Settings:

Make sure the “Actions permissions” in the organization settings are configured to allow workflows in one repository to access other repositories. To check this:

1.	Go to your organization settings.
2.	Navigate to Actions.
3.	Verify the Access settings are set to allow actions from other repositories within the same organization.

6. Check for Case Sensitivity:

GitHub is case-sensitive in repository names. Double-check that the repository name (iEnterpriseInternal/streamline-helm) and the branch name (dev) are correctly spelled and matched exactly as they are in GitHub.

7. Test Locally:

As a last step, try running a similar git clone command locally using the GITHUB_TOKEN or PAT to see if there are any additional issues, such as incorrect permissions or other repository access problems.

Example Updated Workflow:

name: Dev API Deployment

on:
  workflow_dispatch:
  push:
    branches:
      - dev_update

jobs:
  dev_build:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
      packages: read
      issues: read
    steps:
      - name: Checkout primary repository
        uses: actions/checkout@v4
        with:
          ref: dev_update
          path: ie-network-api

      - name: Clone secondary repository (streamline-helm)
        uses: actions/checkout@v4
        with:
          repository: iEnterpriseInternal/streamline-helm
          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}  # Use PAT instead of GITHUB_TOKEN
          ref: dev
          path: streamline-helm

I really hope this solves your issue.

[queenofcorgis]

Hey there! 👋

Thanks for posting in the GitHub Community, @bhabanistr ! We're happy you're here. You are more likely to get a useful response if you are posting your question in the applicable category. The Accessibility category is a place for our community to discuss and provide feedback on the digital accessibility of GitHub products. Digital accessibility means that GitHub tools, and technologies, are designed and developed so that people with disabilities can use them.

I've gone ahead and moved this to the correct category for you. Good luck!