Checkout another private repo from the same Organization does not work on enterprise server

[johanneszellinger]

I have two repos A and B in the same organization on our self-hosted Github enterprise instance. Repo B is a dependency for the code in repo A, so I want to create a workflow in repo A, where both repos are checked out.

Here is the workflow I tried so far:

• create a SSH-key with git-bash:
  1. ssh-keygen -t ed25519 -C "myemail@company.com"
  2. no passphrase
  3. This creates two files one .pub for the public key and one for the private key
• In Repo B go to Settings->deploy keys->add deploy key and copy the contents of the public key as the value- In Repo A go to Settings->Secrets and variables->Actions->New Repository Secret and copy the content of the private key as value
• Test the following workflow yaml

  name: My Workflow
  
  on:
    workflow_dispatch:
  
  jobs:
    build-and-push-image:
      name: test
      runs-on: [ self-hosted, fast]
  
      steps:
        - name: Check out repo A
          uses: actions/checkout@v3
          with:
            path: path_to_A
  
        - name: Check out repo A
          uses: actions/checkout@v3
          with:
            repository: myorg/b
            path: path_to_B
            ssh-key: ${{ secrets.PRIVATE_KEY_B }}
  
        - name: debug # just to debug
          run: find .

Unfortunately this does not work and I get the following errors:

No ECDSA host key is known for github.company.com and you have requested strict checking.
Host key verification failed.
Error: fatal: Could not read from remote repository.

I am not sure what the issue is here. I have also already tried to set the private key for the ssh agent as described here, but also without success. Any pointers would be much appreciated! The error only appears while checking out repo B. Checkout for repo A works flawlessly. I am actually not sure, why there should be different access rights between the two repos.

[johanneszellinger]

I have also tried to add ref and ssh-known-hosts:

      - name: Check out repo A
        uses: actions/checkout@v3
        with:
          repository: myorg/b
          ssh-key: ${{ secrets.PRIVATE_KEY_B }}
          ssh-known-hosts: company.domain.com
          path: path_to_B
          ref: main

Unfortunately with the same results.

[johanneszellinger]

Some additional Info: I just tested this with a PAT and with that it works nicely. I would however really like to avoid using a PAT.

[arunnambissan]

Any solution for this without using a PAT?

[xeger]

Just a note that my organization would not function without the PAT workaround, which has necessitated creating a fake user so that its permissions can be narrowly scoped, despite most of our repositories being "internal" visibility (and hence declared as readable to all humans and bots).

Golang relies on being able to clone repositories. Python relies heavily on it (and GitHub will never support Python with GitHub Packages, so Python is stuck with repository cloning). JavaScript may rely on it in some cases. Our CI workflows for all of these languages require a PAT as a workaround.

We're stuck with an endless stream of workarounds and tweaks, wasting our own time and GitHub's bandwidth, and being subjected to API call rate limits and clone rate limits, all because we can't rely on internal repositories to do what they are supposed to do and be readable to every auth principle in the organization.

Please give us a way out of this madness!

[g3n35i5]

This ticket is also giving me a headache. I would really expect that private repositories can be used within the same organization without PATs and other workarounds...

[neotrow]

@g3n35i5

I agree. But at the same time I think fine grained PAT's are now an okay solution. At least from a security point of view:
https://docs.github.com/en/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization

[robert-lore]

Github, this is ridiculous.

[jicuss]

can this be fixed? having PAT is not a scalable solution

[svukadin-versuni]

Is there any progress on this issue? Is there a proposal for an official workaround from GitHub?

[johnmckay-reward]

Would also find it really useful if we could checkout repo's in the same organisation without a PAT!

[arunnambissan]

I am using this official Github actions package to checkout another private repo from the same organisation.
https://github.com/actions/create-github-app-token

[jicuss]

@arunnambissan this is not any better than using a PAT. we need a solution that avoids the need for periodic rotation and is not tied to an individual

[christianbaumann]

Some additional Info: I just tested this with a PAT and with that it works nicely. I would however really like to avoid using a PAT.

@johanneszellinger could you please share how you solved it with a PAT? Thanks!

[sleshJdev]

Any updates?

[oluan]

what a silly limitation

[johanneszellinger]

Some additional Info: I just tested this with a PAT and with that it works nicely. I would however really like to avoid using a PAT.

@johanneszellinger could you please share how you solved it with a PAT? Thanks!

Hey @christianbaumann , sorry for the late reply.
It has been some time, but iirc you can simply create a new "Fine-grained token" and set the organization, where the repositories live as the owner of the token.
You can then copy the PAT as secret for the action to use for the checkout via the token option.

[lifeodyssey]

I met same issue. Any solution by now?

[rummepa]

Would like to see this solved to!