joshjohanning / joshjohanning.github.io

josh-ops.com | a devops blog
https://josh-ops.com

How to use gh auth login CLI Programmatically in GitHub Actions | josh-ops #13

Open utterances-bot opened 2 years ago

utterances-bot commented 2 years ago

How to use gh auth login CLI Programmatically in GitHub Actions | josh-ops

Using the gh cli to programmatically authenticate in GitHub Actions

https://josh-ops.com/posts/gh-auth-login-in-actions/

shuuji3 commented 2 years ago

Thanks for sharing useful tips! 🙂 I was searching for the same issue and found another way to set the token. gh checks specific environment variables (gh environment | GitHub CLI), so we can also set the GH_TOKEN environment variable like the following:

---
on:
  - pull_request
env:
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  ...

This might be helpful in some cases.

joshjohanning commented 2 years ago

Ahh! That is super helpful, thanks for the tip @shuuji3!

Then you can just run your regular gh commands with GH_TOKEN set, very nice.

joshjohanning commented 2 years ago

I just updated the post to reflect this :)

Thanks!

shuuji3 commented 2 years ago

Nice! Thank you for the update.

harsid17 commented 1 year ago

Hey Josh, thanks for this! I was running into an issue using this auth method and was wondering if you could help! I wanted to use the command gh release edit --repo $REPO_TWO within a workflow in REPO_ONE. Both repos are private repos. So I set up auth as you mentioned:

env:
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  REPO_TWO: 'some-other-private-repo'

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: CLI Auth
        run: |
          gh api -X GET /repos/${{ github.repository }}/topics --jq='.names'

      - name: Release
        run: |
          gh release edit --repo $REPO_TWO .....

With this, I still run into an HTTP 404 error on the Release step, which leads me to believe Auth isn't working properly. Is there a different auth step I need since I'm referencing REPO_TWO?

joshjohanning commented 1 year ago

Yes @harsid17! Since you're accessing resources outside of the repo where you are running your action, you will have to create a secret in this repo with a PAT that you generate and refer to that. The ${{ secrets.GITHUB_TOKEN }} only has access to resources in the current repo.

This would be a good use case for the newer "fine-grained" PATs, otherwise a PAT that you create would have access to ALL repositories that you have access to, and with the fine-grained PAT, you can only give it access to $REPO_TWO.

Then something like this:

env:
  GH_TOKEN: ${{ secrets.MY_PAT }}
  REPO_TWO: 'some-other-private-repo'
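
The cross-repo setup described in the reply above, written out as a complete workflow. This is an added example, not code from the thread or the blog post. The organization name, release tag and trigger are placeholders, and `MY_PAT` is assumed to hold a fine-grained PAT limited to `REPO_TWO` with "Contents: Read and write". It scopes each token to the single step that needs it instead of setting `GH_TOKEN` for the whole workflow.

```yaml
# Added example: names marked "placeholder" are assumptions, not values from the thread.
name: cross-repo-release
on:
  workflow_dispatch:

# Keep the built-in GITHUB_TOKEN read-only; it is only used against this repo.
permissions:
  contents: read

env:
  REPO_TWO: my-org/some-other-private-repo   # placeholder OWNER/REPO
  RELEASE_TAG: v1.0.0                        # placeholder tag

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      # Same-repo call: the built-in token is sufficient.
      - name: Read topics of the current repo
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh api -X GET "/repos/${{ github.repository }}/topics" --jq '.names'

      # Weak setting, for comparison (do not use):
      #   a workflow-level `env: GH_TOKEN: ${{ secrets.MY_PAT }}` holding a
      #   classic PAT exposes every step, including third-party actions,
      #   to a token that can reach all repositories its owner can reach.
      #
      # Corrected setting: the PAT is visible to this one step only, and as a
      # fine-grained PAT it can reach REPO_TWO and nothing else.
      - name: Edit release in REPO_TWO
        env:
          GH_TOKEN: ${{ secrets.MY_PAT }}
        run: gh release edit "$RELEASE_TAG" --repo "$REPO_TWO" --draft=false
```

With `secrets.GITHUB_TOKEN` in the last step instead of the PAT, GitHub answers with HTTP 404 rather than 403, because the token cannot see the other private repository at all.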

harsid17 commented 1 year ago

That makes sense. Is there a way to authenticate without needing a PAT? Wondering as both private repos are under an organization with limited to no access to generating/storing secrets other than those provided.

joshjohanning commented 1 year ago

Yes @harsid17! The better way is to use a GitHub app: temporary generated authentication that doesn't rely on an individual user. See my other post for an example of how you could implement this in Actions.

But you would need to have an administrator in the organization install the app on the target repository for you 😢.

harsid17 commented 1 year ago

This is great, thanks so much!

james-s-w-clark commented 1 year ago

This has been a really helpful resource! There are a few things I'd like to add, which may help other users of GitHub Enterprise:

joshjohanning commented 1 year ago

Great tip @IdiosApps on the GH_HOST and --hostname parameters for GHES - thank you!