::error::Input required and not supplied: token

[joanofdart]

Hello everyone... I'm trying to fetch another public repo and I've tried to put the TOKEN as explained... but even if I do, for some odd reason is still TELLING ME that the token is missing????? Sorry but I'm a bit stressed about this :/ perhaps I'm just being too dumb.

      - name: Checks out flutter
        uses: actions/checkout@v2
        with:
          repository: flutter/flutter
          token: ${{ github.token }}
          ref: refs/heads/master
          path: flutter

[ericsciple]

Your inputs look fine to me.

What happens if you don't specify the token input at all?

      - name: Checks out flutter
        uses: actions/checkout@v2
        with:
          repository: flutter/flutter
          ref: refs/heads/master
          path: flutter

Either way should work... the default when not specified is ${{ github.token }}

[ubershmekel]

I'm getting

[error]Input required and not supplied: token

From this workflow file:

    - uses: actions/checkout@v2
      with:
        ref: ${{ github.head_ref }}
        token: ${{ secrets.UBERSHMEKEL_ALT_TOKEN }}

I think the problem is actually mentioned on GitHub's secrets page:

Secrets are not passed to workflows that are triggered by a pull request from a fork. Learn more.

The "Learn more" links to this page that doesn't provide more information but repeats the message: https://help.github.com/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets

I found this discussion on the topic of forks getting some secrets access as "security by obscurity" https://github.community/t/make-secrets-available-to-builds-of-forks/16166/32

[TomasVotruba]

[error]Input required and not supplied: token

I have the same problem. How did you solve it?

[TomasVotruba]

So far I've found this workaround: https://github.com/google/gvisor/commit/315c167de2acddeef90b2a4765c9736e35523129

---

Another shorter workaround: https://github.com/rectorphp/rector/commit/2243a814457690f61b38cfbb63421f7812a3b43c

[felipecrs]

I started to have this issue in all the repositories which I set the token manually since yesterday or so. If I retrigger the build manually it works, also works sometimes automatically.

E.g. https://github.com/timonwong/vscode-shellcheck/runs/2077175092

This is not from fork, neither a pull request, so I wonder what's happening.

[devbucket]

We're encountering this issue too for almost a week now. It suddenly started without a change in our workflows.

[Xunnamius]

EDIT: nevermind, turns out it's by design: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

Landed here from a google search for "octokit input required and not supplied". Same issue as the previous two commenters, but I'm noticing this behavior in the https://github.com/actions/github-script action instead of checkout.

Error: Unhandled error: Error: Input required and not supplied: github-token

Maybe 5 or so days ago, I noticed my auto-merge jobs failing in this way when attempting to merge PRs from dependabot.

[devbucket]

It would be cool to get any feedback here. It isn't very pleasant to constantly have to restart the workflows.

[will-molloy]

Suddenly got this on my repos (auto merging dependabot PRs) which worked fine for 6+months.

[MannarAmuthan]

Working for me, after changed event type pull_request to pull_request_target.

refer: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

[pommelinho]

However i think just chaning the event type to pull_request_target is regarded as unsecure when you are using secrets in your workflow. Refer: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

This would mean anyone forking the repo could steal secrets and do any sort of malicious actions. I guess for private repos this will not exist but for public repos it will.

So any other solutions here?

[felipecrs]

Changing to pull_request_target is not only unsecure, but it is also a mistake if the actions/checkout is not properly updated. See the last example at the https://securitylab.github.com/research/github-actions-preventing-pwn-requests/, right before the conclusion.

[pommelinho]

@felipecrs I understand . But when i do a explicit checkout via ${{ github.event.pull_request.head.sha }} itshould work, right? As our repo is private and no forks can be done, this should be safe, right?

[felipecrs]

Yes, right. But if your PRs don't come from forks, you were not supposed to need pull_request_target, except for pull requests coming from dependabot.

[ericsciple]

Fyi @TomasVotruba here is an even shorter workaround :) You can use the truthy behavior to fallback the built-in token

token: ${{ secrets.MY_TOKEN || github.token }}

[ericsciple]

@felipecrs I looked at the run you linked, and it looks like it's because you are using the secrets context and the run was triggered by dependabot.

As @Xunnamius and @MannarAmuthan this behavior change is intentional and related to this recent change: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

I'm going to close this issue. If anyone is still having an issue, please open a new issue.

In summary, this error is expected if you are attempting to use a secret on a fork PR or a run triggered by dependabot.

[martin-thoma]

@ericsciple Could you please explain why that solves the issue? If github.token works, why don't we directly use token: ${{ github.token }}?

[jmclean-starburst]

Is this still an issue? I have the below that fails, even though the repository (viaduct-ai/kustomize-sops) is public

> act --job deploy --eventpath .github/_act/event_deploy_argocd.json                
[Deploy ArgoCD/deploy] 🚀  Start image=node:12-buster-slim
[Deploy ArgoCD/deploy]   🐳  docker run image=node:12-buster-slim platform= entrypoint=["/usr/bin/tail" "-f" "/dev/null"] cmd=[]
[Deploy ArgoCD/deploy]   🐳  docker exec cmd=[mkdir -m 0777 -p /var/run/act] user=root
[Deploy ArgoCD/deploy] ⭐  Run Checkout KSOPS code
INFO[0001]   ☁  git clone 'https://github.com/actions/checkout' # ref=v2 
[Deploy ArgoCD/deploy]   🐳  docker cp src=/Users/alpha-wolf/.cache/act/actions-checkout@v2/ dst=/var/run/act/actions/actions-checkout@v2/
[Deploy ArgoCD/deploy]   🐳  docker exec cmd=[mkdir -p /var/run/act/actions/actions-checkout@v2/] user=
[Deploy ArgoCD/deploy]   🐳  docker exec cmd=[node /var/run/act/actions/actions-checkout@v2/dist/index.js] user=
[Deploy ArgoCD/deploy]   ❓  ::save-state name=isPost,::true
[Deploy ArgoCD/deploy]   💬  ::debug::GITHUB_WORKSPACE = '/Users/alpha-wolf/dev/ego-ops'
[Deploy ArgoCD/deploy]   💬  ::debug::qualified repository = 'viaduct-ai/kustomize-sops'
[Deploy ArgoCD/deploy]   💬  ::debug::ref = 'ref/tags/v2.5.7'
[Deploy ArgoCD/deploy]   💬  ::debug::commit = 'undefined'
[Deploy ArgoCD/deploy]   💬  ::debug::clean = true
[Deploy ArgoCD/deploy]   💬  ::debug::fetch depth = 1
[Deploy ArgoCD/deploy]   💬  ::debug::lfs = false
[Deploy ArgoCD/deploy]   💬  ::debug::submodules = false
[Deploy ArgoCD/deploy]   💬  ::debug::recursive submodules = false
[Deploy ArgoCD/deploy]   ❗  ::error::Input required and not supplied: token
[Deploy ArgoCD/deploy]   ❌  Failure - Checkout KSOPS code
Error: exit with `FAILURE`: 1

Workflow:

name: Deploy ArgoCD
on:
  workflow_dispatch:
    inputs:
      environment:
        description: The environment to deploy ArgoCD to
        required: true
        default: dev
      region:
        description: The region to deploy ArgoCD to
        required: true
        default: us-east-2
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout KSOPS code
        uses: actions/checkout@v2
        with:
          repository: viaduct-ai/kustomize-sops
          ref: ref/tags/v2.5.7
          path: _ksops

FYI: I have done brew unlink act && brew install act --HEAD

[yonidavidson]

Hi, when checking out a tag (using the ref key) I get the same error, is there a version that it's fixed ?

[Kryptos-FR]

It is clearly not fixed. I just added an organization secrets with a new PATH and I get that error. I'm unable to checkout a private repo (from the same organization) within my workflows.

edit: one job is using a workflow_call (using a workflow file from the same repo). Could that be the issue?

[TriplEight]

Same error when the action requiring a token (no matter a repo token or an org one) is executed by a PR from a forked repo. This is very annoying.

[beyarkay]

Same error here ):

[jamesbraza]

Sharing my fix for those (like me) who are hitting this during local dev with act (version 0.2.32). It was inspired by their docs: GITHUB_TOKEN.

1. Made a Github Personal Access Token (classic) with fill repo permissions (Full control of private repositories).
   • For my company, I also had to configure SSO
   • SEE: https://github.com/nektos/act#github_token
2. Added a local environment variable: export GITHUB_TOKEN="mySecret"
3. Here's my yaml file:

      - uses: actions/checkout@v3

4. act -s GITHUB_TOKEN --container-architecture linux/amd64
   • I have --container-architecture linux/amd64 since I am using Mac M1

This at least unblocked my personal usage of act. Hope it helps someone out.

[codebydant]

I was having the same problem with my private repo in my organization when using reusable workflows. I found out that reusable workflows do not pass the secrets by default from the caller workflow to the reusable workflow, instead, you have to pass the secrets according to this documentation using-inputs-and-secrets-in-a-reusable-workflow. Following the 3 steps I was able to solve my problem.

Basically, if you are using reusable workflows you have to:

1. Define your secret in your reusable workflow file
2. Call the secret in your reusable workflow file
3. Pass the secret from the caller workflow to the reusable workflow file using secrets keyword
4. Enjoy!

[hamirmahal]

@felipecrs I looked at the run you linked, and it looks like it's because you are using the secrets context and the run was triggered by dependabot.

As @Xunnamius and @MannarAmuthan this behavior change is intentional and related to this recent change: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

I'm going to close this issue. If anyone is still having an issue, please open a new issue.

In summary, this error is expected if you are attempting to use a secret on a fork PR or a run triggered by dependabot.

I'm running into this issue in a private repository where a check is failing on pull requests opened by dependabot.

If I remove

        with:
          token: ${{ secrets.PAT_TOKEN }}

from

      - name: Checkout code
        uses: actions/checkout@v2
        with:
          token: ${{ secrets.PAT_TOKEN }}

the workflow still fails.

What's the recommended approach on getting my workflow to run in my private repository, even if it's opened by dependabot?

[cwong-archy]

I was having the same problem with my private repo in my organization when using reusable workflows. I found out that reusable workflows do not pass the secrets by default from the caller workflow to the reusable workflow, instead, you have to pass the secrets according to this documentation using-inputs-and-secrets-in-a-reusable-workflow. Following the 3 steps I was able to solve my problem.

Basically, if you are using reusable workflows you have to:

1. Define your secret in your reusable workflow file
2. Call the secret in your reusable workflow file
3. Pass the secret from the caller workflow to the reusable workflow file using secrets keyword
4. Enjoy!

hi @dtcMLOps can you elaborate on exactly how you got this working? our repos are private.

we have reusable-workflow as well and dependabot is failing on

Error: Input required and not supplied: token

our job -

jobs:
  terraform:
    uses: ./.github/workflows/reusable-workflow-terraform.yml
    with:
      cluster: preprod
    secrets: inherit

the reusable-workflow-terraform.yml -

jobs:
  terraform:
    name: "Terraform"
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.TOKEN  }}

and this is where its failing us.

[codebydant]

Hi @cwong-archy are you defining the secret in the reusable workflow?

this is an example of how to define the secret in the reusable workflow

https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-inputs-and-secrets-in-a-reusable-workflow

[cwong-archy]

Hi @cwong-archy are you defining the secret in the reusable workflow?

this is an example of how to define the secret in the reusable workflow

https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-inputs-and-secrets-in-a-reusable-workflow

@dtcMLOps oh. even though i inherit everything i still have to define it huh? this is what i have -

──── head -n 22 reusable-workflow-terraform.yml
name: reusable-workflow-terraform

on:
  workflow_call:
    inputs:
      cluster:
        description: "Cluster, name of the working directory"
        required: true
        type: string

permissions:
  id-token: write
  contents: read
  actions: read
  pull-requests: write

[codebydant]

Hi @cwong-archy, yes. According to the docs you have to define the secret inside the reusable workflow definition.

[cwong-archy]

Hi @cwong-archy, yes. According to the docs you have to define the secret inside the reusable workflow definition.

thanks @dtcMLOps i'll give it a go!!! 🙏🏻🙏🏻🙏🏻

[cwong-archy]

Hi @cwong-archy, yes. According to the docs you have to define the secret inside the reusable workflow definition.

thanks @dtcMLOps i'll give it a go!!! 🙏🏻🙏🏻🙏🏻

@dtcMLOps thank you... it worked!!!

[ayushxx7]

In private organisation, If you create a reusable workflow in Repo X, then for actions/checkout we can use github.token like so:

    steps:
    - name: Checkout code
      uses: actions/checkout@v2
      with:
        token: ${{ github.token }}

[Nosskirneh]

    steps:
      # Checks out the repository under $GITHUB_WORKSPACE
      -
        if: github.actor == 'dependabot[bot]'
        uses: actions/checkout@v3
        with:
          token: ${{ github.token }}
          submodules: recursive
      -
        if: github.actor != 'dependabot[bot]'
        uses: actions/checkout@v3
        with:
          token: ${{ secrets.GITHIB_ACTIONS_TOKEN }}
          submodules: recursive

works for my own and dependabot's pushes.

[apurvdeodhar]

Hello everyone, for those

1. Who are using act for local runs like @jmclean-starburst mentioned
2. Still facing this problem, here's an update.

Here's how my .github/workflows/deployment.yml looks like.

name: CI/CD Pipeline

on:
  push:
    branches:
      - main

jobs:
  github-actions-tests:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout psycopg2 Repository
        uses: actions/checkout@v4
        with:
          repository: jkehler/awslambda-psycopg2
          path: ./awslambda

As you notice the repository awslambda-psycopg2 is public, but based on the docs act provides

GitHub automatically provides a GITHUB_TOKEN secret when running workflows inside GitHub.

I understood that when your workflow runs in github actions it creates a token automatically on your user's behalf, so to work this locally I created a PAT with no access what so ever and passed it as a secret to act and now it works as expected 🥳

act -s GITHUB_TOKEN=$ACT_GITHUB_TOKEN

[mills-nick]

@apurvdeodhar I can confirm that my act local run now works after adding the GITHUB_TOKEN secret parameter, even though I was using

      - name: Checkout Branch release/k8s_merged
        uses: actions/checkout@v4
        with:
          ref: ${{ env.TARGET_BRANCH }}
          ssh-key: ${{ secrets.SSH_KEY }}

act command:

act -P ubuntu-latest=-self-hosted -W .github/workflows/local-merge-from-master.yaml --container-architecture linux/amd64 -s GITHUB_TOKEN=$GITHUB_TOKEN