Multi repo and auth problem

Hi,

I am trying to use actions to generate a bunch of configuration files using Ansible, involving two different repos.

I have a first repo in my profile containing all the Ansible related stuff required to install this tool on a runner, do the job and generate the expected files from Jinja templates.

I also have a second repo in my profile which is supposed to hold the resulting files, pushed and versioned by the runner.
It is checked out in a specific directory on the runner, where the files generated by Ansible are temporarily stored.

So after executing the playbooks, I just have to commit and push all the modifications back to the repo.

Unfortunately, it’s not working as expected.

I get a 403 error “remote: User permission denied” from the destination repo.

With some checkout/generate/push from and to the same repo, I have no auth problem.
But I need to split generation and results so I have to use separate repos.

As I have not been able to clearly understand whether Gitea offers some access tokens for users, I am a bit stuck and have no further idea.

I am using OIDC authentication if that matters.

Thanks for any kind of help.

Which credentials do you use to clone the second repo?

Hi

In fact I am not using any specific credentials anywhere.

Here is how it looks:

Repo A

  - name: Checkout Ansible files
    uses: actions/checkout@v4
    with:
      ref: main
      path: .

Repo B

  - name: Checkout existing configuration files
    uses: actions/checkout@v4
    with:
      ref: main
      repository: my_profile/repoB
      path: ./workdir

The workflow file is located in repo A.

I don’t know how authentication is made, as I can also push content to repo A without specifying any credentials.

But the same is not working if I want to push files from “./workdir” from the same action file to repo B.

Both repos are under my profile, with no specific permissions.

I suppose the checkout action uses github.token as the authentication token. AFAIK its implementation in Gitea is currently limited. If this action allows you to pass a custom token, you should create yourself a personal access token and save it to actions secrets (at group level, I suppose), then pass it via the secrets context.

According to what is written here: actions/checkout: Mirror of https://github.com/actions/checkout - checkout - Gitea: Git with a cup of tea, a token can be specified.

I have tried using the “token: ${{ github.token }}” option, but it’s giving the same error. By the way, how is this one defined? I am not sure it even exists.

I don’t really understand how to create a PAT as mentioned for GitHub almost everywhere.

At profile level (Settings/Applications/Manage Access Tokens) I have created a token named “GITEA_TOKEN” with all available permissions granted.

Now using “token: ${{ secrets.GITEA_TOKEN }}” does not change anything.

It’s how it works by default.
After you have created the access token, you have to put its value under the actions->secrets tab in your profile (or in the repository calling checkout). If you save it as MY_TOKEN (for example; the key may be different from the one you used when creating the token itself), you can refer to it via token: ${{ secrets.MY_TOKEN }}

Thank you very much, I managed to have it working.

So I am writing it down clearly here for future reference:

  • Generate a personal token at profile level (Settings/Applications/Manage Access Tokens)

    • The name of the token does not really matter, it won’t be used as a reference; let’s use “GITEA_TOKEN”.
    • Don’t forget to save the generated value, say “5e9b8b01c47d0cbf2b714ad4534bbf2211748a43”
  • Create a secret at profile level (Settings/Actions/Secrets)

    • The name will be used as a reference, say “MY_TOKEN”
    • The value must be the cleartext value of “GITEA_TOKEN”, which is “5e9b8b01c47d0cbf2b714ad4534bbf2211748a43”
  • In order to use it with checkout action, write something like this:

    - name: Checkout repoB content
      uses: actions/checkout@v4
      with:
        ref: main
        repository: my_profile/repoB
        path: ./workdir
        token: ${{ secrets.MY_TOKEN }}

No more auth problems when pushing modifications to repoB while also using repoA!
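
Added example, not part of the original posts: a complete workflow in repo A for the setup this thread describes, covering both checkouts, the generation step, and the commit and push to repo B. The runner label, playbook name, commit identity and trigger are assumptions; `my_profile/repoB`, `./workdir` and `MY_TOKEN` are the names used in the thread.

```yaml
# Added example workflow, stored in repo A. Not taken from the thread.
name: Generate configuration files
on:
  push:
    branches: [main]            # assumed trigger

jobs:
  generate:
    runs-on: ubuntu-latest      # assumed runner label
    steps:
      - name: Checkout Ansible files (repo A)
        uses: actions/checkout@v4
        with:
          ref: main
          path: .

      - name: Checkout existing configuration files (repo B)
        uses: actions/checkout@v4
        with:
          ref: main
          repository: my_profile/repoB
          path: ./workdir
          # The automatic job token did not grant access to repo B in
          # this thread, so a personal access token is passed instead.
          # checkout stores it in the clone's git config
          # (persist-credentials defaults to true), which is what
          # authenticates the push below.
          # Assumption: a token limited to repository read/write access
          # is enough for clone and push; "all permissions" is not needed.
          token: ${{ secrets.MY_TOKEN }}

      - name: Generate files with Ansible
        # Hypothetical playbook name; assumes Ansible is already
        # installed on the runner and writes its output into ./workdir.
        run: ansible-playbook generate.yml

      - name: Commit and push to repo B
        working-directory: ./workdir
        run: |
          git config user.name "actions-bot"                  # assumed identity
          git config user.email "actions-bot@example.invalid" # assumed identity
          git add -A
          # Exit cleanly when generation produced no change.
          if git diff --cached --quiet; then
            echo "No changes to commit"
            exit 0
          fi
          git commit -m "Update generated configuration"
          git push origin HEAD:main
```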