Closed joanofdart closed 3 years ago
Your inputs look fine to me.
What happens if you don't specify the token
input at all?
- name: Checks out flutter
uses: actions/checkout@v2
with:
repository: flutter/flutter
ref: refs/heads/master
path: flutter
Either way should work... the default when not specified is ${{ github.token }}
I'm getting
[error]Input required and not supplied: token
From this workflow file:
- uses: actions/checkout@v2
with:
ref: ${{ github.head_ref }}
token: ${{ secrets.UBERSHMEKEL_ALT_TOKEN }}
I think the problem is actually mentioned on GitHub's secrets page:
Secrets are not passed to workflows that are triggered by a pull request from a fork. Learn more.
The "Learn more" links to this page that doesn't provide more information but repeats the message: https://help.github.com/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets
I found this discussion on the topic of forks getting some secrets access as "security by obscurity" https://github.community/t/make-secrets-available-to-builds-of-forks/16166/32
[error]Input required and not supplied: token
I have the same problem. How did you solve it?
So far I've found this workaround: https://github.com/google/gvisor/commit/315c167de2acddeef90b2a4765c9736e35523129
Another shorter workaround: https://github.com/rectorphp/rector/commit/2243a814457690f61b38cfbb63421f7812a3b43c
I started to have this issue in all the repositories which I set the token manually since yesterday or so. If I retrigger the build manually it works, also works sometimes automatically.
E.g. https://github.com/timonwong/vscode-shellcheck/runs/2077175092
This is not from fork, neither a pull request, so I wonder what's happening.
We're encountering this issue too for almost a week now. It suddenly started without a change in our workflows.
EDIT: nevermind, turns out it's by design: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
Landed here from a google search for "octokit input required and not supplied". Same issue as the previous two commenters, but I'm noticing this behavior in the https://github.com/actions/github-script action instead of checkout.
Error: Unhandled error: Error: Input required and not supplied: github-token
Maybe 5 or so days ago, I noticed my auto-merge jobs failing in this way when attempting to merge PRs from dependabot.
It would be cool to get any feedback here. It isn't very pleasant to constantly have to restart the workflows.
Suddenly got this on my repos (auto merging dependabot PRs) which worked fine for 6+months.
Working for me, after changed event type pull_request to pull_request_target.
However i think just chaning the event type to pull_request_target is regarded as unsecure when you are using secrets in your workflow. Refer: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
This would mean anyone forking the repo could steal secrets and do any sort of malicious actions. I guess for private repos this will not exist but for public repos it will.
So any other solutions here?
Changing to pull_request_target
is not only unsecure, but it is also a mistake if the actions/checkout
is not properly updated. See the last example at the https://securitylab.github.com/research/github-actions-preventing-pwn-requests/, right before the conclusion.
@felipecrs I understand . But when i do a explicit checkout via ${{ github.event.pull_request.head.sha }} itshould work, right? As our repo is private and no forks can be done, this should be safe, right?
Yes, right. But if your PRs don't come from forks, you were not supposed to need pull_request_target
, except for pull requests coming from dependabot.
Fyi @TomasVotruba here is an even shorter workaround :) You can use the truthy behavior to fallback the built-in token
token: ${{ secrets.MY_TOKEN || github.token }}
@felipecrs I looked at the run you linked, and it looks like it's because you are using the secrets
context and the run was triggered by dependabot.
As @Xunnamius and @MannarAmuthan this behavior change is intentional and related to this recent change: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
I'm going to close this issue. If anyone is still having an issue, please open a new issue.
In summary, this error is expected if you are attempting to use a secret on a fork PR or a run triggered by dependabot.
@ericsciple Could you please explain why that solves the issue? If github.token
works, why don't we directly use token: ${{ github.token }}
?
Is this still an issue? I have the below that fails, even though the repository (viaduct-ai/kustomize-sops
) is public
> act --job deploy --eventpath .github/_act/event_deploy_argocd.json
[Deploy ArgoCD/deploy] 🚀 Start image=node:12-buster-slim
[Deploy ArgoCD/deploy] 🐳 docker run image=node:12-buster-slim platform= entrypoint=["/usr/bin/tail" "-f" "/dev/null"] cmd=[]
[Deploy ArgoCD/deploy] 🐳 docker exec cmd=[mkdir -m 0777 -p /var/run/act] user=root
[Deploy ArgoCD/deploy] ⭐ Run Checkout KSOPS code
INFO[0001] ☁ git clone 'https://github.com/actions/checkout' # ref=v2
[Deploy ArgoCD/deploy] 🐳 docker cp src=/Users/alpha-wolf/.cache/act/actions-checkout@v2/ dst=/var/run/act/actions/actions-checkout@v2/
[Deploy ArgoCD/deploy] 🐳 docker exec cmd=[mkdir -p /var/run/act/actions/actions-checkout@v2/] user=
[Deploy ArgoCD/deploy] 🐳 docker exec cmd=[node /var/run/act/actions/actions-checkout@v2/dist/index.js] user=
[Deploy ArgoCD/deploy] ❓ ::save-state name=isPost,::true
[Deploy ArgoCD/deploy] 💬 ::debug::GITHUB_WORKSPACE = '/Users/alpha-wolf/dev/ego-ops'
[Deploy ArgoCD/deploy] 💬 ::debug::qualified repository = 'viaduct-ai/kustomize-sops'
[Deploy ArgoCD/deploy] 💬 ::debug::ref = 'ref/tags/v2.5.7'
[Deploy ArgoCD/deploy] 💬 ::debug::commit = 'undefined'
[Deploy ArgoCD/deploy] 💬 ::debug::clean = true
[Deploy ArgoCD/deploy] 💬 ::debug::fetch depth = 1
[Deploy ArgoCD/deploy] 💬 ::debug::lfs = false
[Deploy ArgoCD/deploy] 💬 ::debug::submodules = false
[Deploy ArgoCD/deploy] 💬 ::debug::recursive submodules = false
[Deploy ArgoCD/deploy] ❗ ::error::Input required and not supplied: token
[Deploy ArgoCD/deploy] ❌ Failure - Checkout KSOPS code
Error: exit with `FAILURE`: 1
Workflow:
name: Deploy ArgoCD
on:
workflow_dispatch:
inputs:
environment:
description: The environment to deploy ArgoCD to
required: true
default: dev
region:
description: The region to deploy ArgoCD to
required: true
default: us-east-2
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- name: Checkout KSOPS code
uses: actions/checkout@v2
with:
repository: viaduct-ai/kustomize-sops
ref: ref/tags/v2.5.7
path: _ksops
FYI: I have done brew unlink act && brew install act --HEAD
Hi, when checking out a tag (using the ref key) I get the same error, is there a version that it's fixed ?
It is clearly not fixed. I just added an organization secrets with a new PATH and I get that error. I'm unable to checkout a private repo (from the same organization) within my workflows.
edit: one job is using a workflow_call (using a workflow file from the same repo). Could that be the issue?
Same error when the action requiring a token (no matter a repo token or an org one) is executed by a PR from a forked repo. This is very annoying.
Same error here ):
Sharing my fix for those (like me) who are hitting this during local dev with act
(version 0.2.32). It was inspired by their docs: GITHUB_TOKEN
.
repo
permissions (Full control of private repositories).
export GITHUB_TOKEN="mySecret"
- uses: actions/checkout@v3
act -s GITHUB_TOKEN --container-architecture linux/amd64
--container-architecture linux/amd64
since I am using Mac M1This at least unblocked my personal usage of act
. Hope it helps someone out.
I was having the same problem with my private repo in my organization when using reusable workflows. I found out that reusable workflows do not pass the secrets by default from the caller workflow to the reusable workflow, instead, you have to pass the secrets according to this documentation using-inputs-and-secrets-in-a-reusable-workflow. Following the 3 steps I was able to solve my problem.
Basically, if you are using reusable workflows you have to:
@felipecrs I looked at the run you linked, and it looks like it's because you are using the
secrets
context and the run was triggered by dependabot.As @Xunnamius and @MannarAmuthan this behavior change is intentional and related to this recent change: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
I'm going to close this issue. If anyone is still having an issue, please open a new issue.
In summary, this error is expected if you are attempting to use a secret on a fork PR or a run triggered by dependabot.
I'm running into this issue in a private repository where a check is failing on pull requests opened by dependabot.
If I remove
with:
token: ${{ secrets.PAT_TOKEN }}
from
- name: Checkout code
uses: actions/checkout@v2
with:
token: ${{ secrets.PAT_TOKEN }}
the workflow still fails.
What's the recommended approach on getting my workflow to run in my private repository, even if it's opened by dependabot?
I was having the same problem with my private repo in my organization when using reusable workflows. I found out that reusable workflows do not pass the secrets by default from the caller workflow to the reusable workflow, instead, you have to pass the secrets according to this documentation using-inputs-and-secrets-in-a-reusable-workflow. Following the 3 steps I was able to solve my problem.
Basically, if you are using reusable workflows you have to:
- Define your secret in your reusable workflow file
- Call the secret in your reusable workflow file
- Pass the secret from the caller workflow to the reusable workflow file using secrets keyword
- Enjoy!
hi @dtcMLOps can you elaborate on exactly how you got this working? our repos are private.
we have reusable-workflow as well and dependabot is failing on
Error: Input required and not supplied: token
our job -
jobs:
terraform:
uses: ./.github/workflows/reusable-workflow-terraform.yml
with:
cluster: preprod
secrets: inherit
the reusable-workflow-terraform.yml -
jobs:
terraform:
name: "Terraform"
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
token: ${{ secrets.TOKEN }}
and this is where its failing us.
Hi @cwong-archy are you defining the secret in the reusable workflow?
this is an example of how to define the secret in the reusable workflow
Hi @cwong-archy are you defining the secret in the reusable workflow?
this is an example of how to define the secret in the reusable workflow
@dtcMLOps oh. even though i inherit everything i still have to define it huh? this is what i have -
──── head -n 22 reusable-workflow-terraform.yml
name: reusable-workflow-terraform
on:
workflow_call:
inputs:
cluster:
description: "Cluster, name of the working directory"
required: true
type: string
permissions:
id-token: write
contents: read
actions: read
pull-requests: write
Hi @cwong-archy, yes. According to the docs you have to define the secret inside the reusable workflow definition.
Hi @cwong-archy, yes. According to the docs you have to define the secret inside the reusable workflow definition.
thanks @dtcMLOps i'll give it a go!!! 🙏🏻🙏🏻🙏🏻
Hi @cwong-archy, yes. According to the docs you have to define the secret inside the reusable workflow definition.
thanks @dtcMLOps i'll give it a go!!! 🙏🏻🙏🏻🙏🏻
@dtcMLOps thank you... it worked!!!
In private organisation,
If you create a reusable workflow in Repo X, then for actions/checkout
we can use github.token
like so:
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
token: ${{ github.token }}
steps:
# Checks out the repository under $GITHUB_WORKSPACE
-
if: github.actor == 'dependabot[bot]'
uses: actions/checkout@v3
with:
token: ${{ github.token }}
submodules: recursive
-
if: github.actor != 'dependabot[bot]'
uses: actions/checkout@v3
with:
token: ${{ secrets.GITHIB_ACTIONS_TOKEN }}
submodules: recursive
works for my own and dependabot's pushes.
Hello everyone, for those
Here's how my .github/workflows/deployment.yml
looks like.
name: CI/CD Pipeline
on:
push:
branches:
- main
jobs:
github-actions-tests:
runs-on: ubuntu-latest
steps:
- name: Checkout psycopg2 Repository
uses: actions/checkout@v4
with:
repository: jkehler/awslambda-psycopg2
path: ./awslambda
As you notice the repository awslambda-psycopg2 is public, but based on the docs act provides
GitHub automatically provides a GITHUB_TOKEN secret when running workflows inside GitHub.
I understood that when your workflow runs in github actions it creates a token automatically on your user's behalf, so to work this locally I created a PAT with no access what so ever and passed it as a secret to act
and now it works as expected 🥳
act -s GITHUB_TOKEN=$ACT_GITHUB_TOKEN
@apurvdeodhar I can confirm that my act local run now works after adding the GITHUB_TOKEN secret parameter, even though I was using
- name: Checkout Branch release/k8s_merged
uses: actions/checkout@v4
with:
ref: ${{ env.TARGET_BRANCH }}
ssh-key: ${{ secrets.SSH_KEY }}
act command:
act -P ubuntu-latest=-self-hosted -W .github/workflows/local-merge-from-master.yaml --container-architecture linux/amd64 -s GITHUB_TOKEN=$GITHUB_TOKEN
Hello everyone... I'm trying to fetch another public repo and I've tried to put the TOKEN as explained... but even if I do, for some odd reason is still TELLING ME that the token is missing????? Sorry but I'm a bit stressed about this :/ perhaps I'm just being too dumb.