[Docs]: How to use a fine-grained PAT?

[JakobHavtorn]

Describe the documentation issue

In the section on using a PAT to authorise the Action (https://github.com/AndreasAugustin/actions-template-sync?tab=readme-ov-file#3-using-a-pat) there is an example of using a "classic" token, but not one for the new "fine-grained" token type.

We are struggling to create a fine-grained token to give the Action the permissions it needs. We have tried with the below permissions, but get following error during the action-template-sync step of the Action:

git init
  ::info::set git global configuration
  ::info::the source repository is located within GitHub.
  github.com
    ✓ Logged in to github.com account MyAccount (GITHUB_TOKEN)
    - Active account: true
    - Git operations protocol: https
    - Token: github_pat_************************_***********************************************************
remote: Repository not found.
fatal: repository 'https://github.com/corticph/my-template-repository/' not found
fatal: Needed a single revision
Error: Process completed with exit code 128. 

We have previously had the action running with a classic token with the following permissions:

Links

https://github.com/AndreasAugustin/actions-template-sync?tab=readme-ov-file#3-using-a-pat

Acknowledgements

• I may be able to submit a pull-request to fix this issue.

[AndreasAugustin]

Hi @JakobHavtorn and thanks for the issue.

Does the token have access to the remote repository? The token has also a setting related to repository access.

[JakobHavtorn]

Hi @AndreasAugustin, yes it has access (only) to the two (remote) template repositories that we want to sync towards, via the "Only select repositories" option. And this includes the my-template-repository in the error message above.

[davidsnyder]

Encountered the same issue with PATs:

git init
  ::info::set git global configuration
  ::info::the source repository is located within GitHub.
  github.com
    ✓ Logged in to github.com account <github-account> (GITHUB_TOKEN)
    - Active account: true
    - Git operations protocol: https
    - Token: ghp_************************************
    - Token scopes: 'read:org', 'repo'
remote: Repository not found.
fatal: repository 'https://github.com/<org>/<template-repo>/' not found
fatal: Needed a single revision
Error: Process completed with exit code 128.

I set the token permissions for read:org and repo as described in the README as well as enabling access from other repositories in the source 's settings.

[AndreasAugustin]

Encountered the same issue with PATs:

git init
  ::info::set git global configuration
  ::info::the source repository is located within GitHub.
  github.com
    ✓ Logged in to github.com account <github-account> (GITHUB_TOKEN)
    - Active account: true
    - Git operations protocol: https
    - Token: ghp_************************************
    - Token scopes: 'read:org', 'repo'
remote: Repository not found.
fatal: repository 'https://github.com/<org>/<template-repo>/' not found
fatal: Needed a single revision
Error: Process completed with exit code 128.

I set the token permissions for read:org and repo as described in the README as well as enabling access from other repositories in the source 's settings.

Hi @davidsnyder and thanks for the heads up.
Hmm that is somehow weird. Is possibly the source repo private and the target repo public?
Trying to find some time.

@JakobHavtorn super sorry for not getting to work on this issue. Needed to prio some of my actual work tasks

[davidsnyder]

Encountered the same issue with PATs:

git init
  ::info::set git global configuration
  ::info::the source repository is located within GitHub.
  github.com
    ✓ Logged in to github.com account <github-account> (GITHUB_TOKEN)
    - Active account: true
    - Git operations protocol: https
    - Token: ghp_************************************
    - Token scopes: 'read:org', 'repo'
remote: Repository not found.
fatal: repository 'https://github.com/<org>/<template-repo>/' not found
fatal: Needed a single revision
Error: Process completed with exit code 128.

I set the token permissions for read:org and repo as described in the README as well as enabling access from other repositories in the source 's settings.

Hi @davidsnyder and thanks for the heads up. Hmm that is somehow weird. Is possibly the source repo private and the target repo public? Trying to find some time.

@JakobHavtorn super sorry for not getting to work on this issue. Needed to prio some of my actual work tasks

Both are private

[AndreasAugustin]

Encountered the same issue with PATs:

git init
  ::info::set git global configuration
  ::info::the source repository is located within GitHub.
  github.com
    ✓ Logged in to github.com account <github-account> (GITHUB_TOKEN)
    - Active account: true
    - Git operations protocol: https
    - Token: ghp_************************************
    - Token scopes: 'read:org', 'repo'
remote: Repository not found.
fatal: repository 'https://github.com/<org>/<template-repo>/' not found
fatal: Needed a single revision
Error: Process completed with exit code 128.

I set the token permissions for read:org and repo as described in the README as well as enabling access from other repositories in the source 's settings.

Hi @davidsnyder and thanks for the heads up. Hmm that is somehow weird. Is possibly the source repo private and the target repo public? Trying to find some time.
@JakobHavtorn super sorry for not getting to work on this issue. Needed to prio some of my actual work tasks

Both are private

thanks for the answer. Just made a test -> I am able to use a classic PAT without issues.
2 possible issues

• typo within path or PAT (or possible whitespaces within secret or definition file)?
• the PAT does not have access to the repo?

Update
Not sure but I guess you edited the error message? (sorry for asking this).
fatal: repository 'https://github.com/<org>/<template-repo>/' not found
I guess you replaced the real org and template-repo here?

[AndreasAugustin]

@JakobHavtorn just tested a fine grained PAT with the following settings: it is working

(please be aware that I gave permissions to both source and target repo)

repo permissions:

• contents -> write
• metadata -> read
• pull requests -> write

also settings set like for classic PAT within source repo (currently not sure if needed).

Would be nice if you could test this.
You checked that you possibly want to update the DOCs? Would be nice if possible :) (if not I can do that)

[JakobHavtorn]

Thanks @AndreasAugustin! I'll check it tomorrow. I'll try to make a PR with an update to the docs this week 🙌

[davidsnyder]

For some reason I still can't get this to work. I made several changes related to the fine grained PAT permissions because I thought that was the problem (for example, if you're trying to clone a template repo owned by an org, I believe the org needs to be the owner of the PAT, not your personal account)

Once I have the PAT, if I open a private terminal session and run:

sh-3.2# export GITHUB_TOKEN=<github_PAT>
sh-3.2# gh auth status --hostname github.com
github.com
  ✓ Logged in to github.com account davidsnyder (GITHUB_TOKEN)
  - Active account: true
  - Git operations protocol: https
  - Token: github_pat_11AABX55A0cE5DX5rKyFpu_***********************************************************
sh-3.2# git ls-remote https://github.com/<org>/plugin-template-go HEAD
f8be11f1751dd27599435d160777e2b3ba13a528	HEAD

git ls-remote works as expected.

But when I run the plugin as a Github Action it prints

github.com
  ✓ Logged in to github.com account davidsnyder (GITHUB_TOKEN)
  - Active account: true
  - Git operations protocol: https
  - Token: github_pat_11AABX55A0cE5DX5rKyFpu_***********************************************************

which shows that it logged in successfully via GITHUB_TOKEN
but then it later prints

+++ git ls-remote https://github.com/<org>/plugin-template-go HEAD
remote: Repository not found.
fatal: repository 'https://github.com/<org>/plugin-template-go/' not found
++ TEMPLATE_REMOTE_GIT_HASH=
+++ git rev-parse --short ''
fatal: Needed a single revision

which is the same error as before (I enabled -x so it would print the command) as if it doesn't have access to view the private repo. Seeing as it's the same GITHUB_TOKEN, and the login procedure is the same, I don't understand how the behavior could be different.

My workflow file is

name: Sync from Template

on:
  workflow_dispatch: # manual trigger

jobs:
  repo-sync:
    runs-on: ubuntu-latest

    steps:
    -
      name: Checkout
      uses: actions/checkout@v4
    -
      name: actions-template-sync
      uses: AndreasAugustin/[email protected]
      with:
        github_token: ${{ secrets.PLUGIN_TEMPLATE_SYNC }}
        source_repo_path: <org>/plugin-template-go
        upstream_branch: main

[davidsnyder]

Finally figured it out after looking here: https://github.com/orgs/community/discussions/25240

Had to add persist-credentials: false to the checkout action. My final workflow file is as follows:

name: Sync from Template

on:
  workflow_dispatch: # manual trigger

jobs:
  repo-sync:
    runs-on: ubuntu-latest

    steps:
    -
      name: Checkout
      uses: actions/checkout@v4
      with:
        persist-credentials: false
    -
      name: actions-template-sync
      uses: davidsnyder/actions-template-sync@main
      with:
        github_token: ${{ secrets.PLUGIN_TEMPLATE_SYNC_ACTION }}
        source_repo_path: <org>/plugin-template-go
        upstream_branch: main

When you update the docs, maybe add a note about this!

[AndreasAugustin]

Finally figured it out after looking here: https://github.com/orgs/community/discussions/25240

Had to add persist-credentials: false to the checkout action. My final workflow file is as follows:

name: Sync from Template

on:
  workflow_dispatch: # manual trigger

jobs:
  repo-sync:
    runs-on: ubuntu-latest

    steps:
    -
      name: Checkout
      uses: actions/checkout@v4
      with:
        persist-credentials: false
    -
      name: actions-template-sync
      uses: davidsnyder/actions-template-sync@main
      with:
        github_token: ${{ secrets.PLUGIN_TEMPLATE_SYNC_ACTION }}
        source_repo_path: <org>/plugin-template-go
        upstream_branch: main

When you update the docs, maybe add a note about this!

Hi @davidsnyder ,
nice that you found a solution.

Remark:
Actually I do not fully understand the root cause yet. Also why it is working in other scenarios without using the flag.

[davidsnyder]

Unfortunately, I'm not sure either! But I tried everything I could think of and it started working only after I added persist-credentials: false.

[Lyngsoe]

Got it working ❤️

If you are automatically adding reviewers to your pr and using the permissions:

contents -> write
metadata -> read
pull requests -> write

I ran into the error:

::info::create pr
GraphQL: Resource not accessible by personal access token (organization.t000)
::warn::Creating the PR failed.

I found this issue for it and the error message should have been something like this.

Cannot set reviewers because personal access token does not have "Organization: Member" permissions

I added organisation:members read permissions to the PAT token now now it works.