Skip to content

GH App Permissions - other than Meta? #204

New issue
New issue
Open
Open
GH App Permissions - other than Meta?#204
@alokshenoy

Description

@alokshenoy
alokshenoy
opened on Feb 11, 2025

Is there minimum permissions required for the GH App, apart from the permission to read the Contents of the target repo?

I have this workflow setup:


on:
  push:
    branches:
      - testing-app-token-generator

jobs:
  test:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout Repo A
        uses: actions/checkout@v4

      - name: Generate GitHub App Token
        id: app_token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.TOKEN_GENERATOR_APP_ID }}
          private-key: ${{ secrets.TOKEN_GENERATOR_APP_PRIVATE_KEY }}

      - name: Debug Token Output
        run: |
          echo "Token Length: ${#GITHUB_TOKEN}"
        env:
          GITHUB_TOKEN: ${{ steps.app_token.outputs.token }}

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
          architecture: "x64"

      - name: Configure Git to Use GitHub Token
        env:
          GITHUB_TOKEN: ${{ steps.app_token.outputs.token }}
        run: |
          git config --global url.https://${GITHUB_TOKEN}@github.com/.insteadOf https://github.com/
          git config --global credential.helper store


      - name: Install internal-project (Private Repo)
        env:
          GITHUB_TOKEN: ${{ steps.app_token.outputs.token }}
        run: |
          pip install git+https://${GITHUB_TOKEN}@github.com/OrgName/internal-project.git

      - name: Install dependencies
        run: pip install -e .

The error I get is No such device or address.

Collecting git+https://****@github.com/OrgName/internal-project.git
  Cloning https://****@github.com/OrgName/internal-project.git to /tmp/pip-req-build-ecm4ocoz
  Running command git clone --filter=blob:none --quiet 'https://****@github.com/OrgName/internal-project.git' /tmp/pip-req-build-ecm4ocoz
  fatal: could not read Password for 'https://***@github.com': No such device or address
  error: subprocess-exited-with-error
  
  × git clone --filter=blob:none --quiet 'https://****@github.com/OrgName/internal-project.git' /tmp/pip-req-build-ecm4ocoz did not run successfully.
  │ exit code: 128
  ╰─> See above for output.
  
  note: This error originates from a subprocess, and is likely not a problem with pip.

Notice:  A new release of pip is available: 25.0 -> 25.0.1
Notice:  To update, run: pip install --upgrade pip
error: subprocess-exited-with-error

× git clone --filter=blob:none --quiet 'https://****@github.com/OrgName/internal-project.git' /tmp/pip-req-build-ecm4ocoz did not run successfully.
│ exit code: 128
╰─> See above for output.

note: This error originates from a subprocess, and is likely not a problem with pip.
Error: Process completed with exit code 1.```

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions