From d03156b5b87293bfcac690d17511cb25c89bd3af Mon Sep 17 00:00:00 2001 From: Ariel Elkin <1756909+arielelkin@users.noreply.github.com> Date: Wed, 15 Dec 2021 10:17:09 +0000 Subject: [PATCH 1/3] Update README.md --- README.md | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 775cee5..1d4970e 100644 --- a/README.md +++ b/README.md @@ -49,6 +49,9 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous # with the local git config, which enables your scripts to run authenticated git # commands. The post-job step removes the PAT. # + # If any of the submodules are private GitHub repos, pass in a PAT with read-access + # to them. + # # We recommend using a service account with the least permissions necessary. Also # when generating a new PAT, select the least scopes necessary. # @@ -100,8 +103,8 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous # Whether to checkout submodules: `true` to checkout submodules or `recursive` to # recursively checkout submodules. # - # When the `ssh-key` input is not provided, SSH URLs beginning with - # `git@github.com:` are converted to HTTPS. + # When neither the `ssh-key` nor the `token` inputs are provided, SSH URLs + # beginning with `git@github.com:` are converted to HTTPS. # # Default: false submodules: '' 
@@ -185,12 +188,19 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous uses: actions/checkout@v2 with: repository: my-org/my-private-tools - token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT + token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains a PAT with read-access to this private repository path: my-tools ``` -> - `${{ github.token }}` is scoped to the current repository, so if you want to checkout a different repository that is private you will need to provide your own [PAT](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line). +## Checkout a repo and its private submodules +```yaml +- name: Checkout + uses: actions/checkout@v2 + with: + submodules: true + token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains a PAT with read-access to the private submodules +``` ## Checkout pull request HEAD commit instead of merge commit From 009b9ae9e446ad8d9b8c809870b0fbcc5e03573e Mon Sep 17 00:00:00 2001 From: Ben Wells Date: Thu, 16 Jan 2025 14:14:48 -0500 Subject: [PATCH 2/3] Documentation update - add recommended permissions to Readme (#2043) * Update README.md * Update README.md Co-authored-by: Josh Gross --------- Co-authored-by: Josh Gross --- README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.md b/README.md index b0f6224..f28fec7 100644 --- a/README.md +++ b/README.md @@ -311,6 +311,16 @@ jobs: git commit -m "generated" git push ``` + +## Recommended permissions + +When using the `checkout` action in your GitHub Actions workflow, it is recommended to set the following `GITHUB_TOKEN` permissions to ensure proper functionality, unless alternative auth is provided via the `token` or `ssh-key` inputs: + +```yaml +permissions: + contents: read +``` + *NOTE:* The user email is `{user.id}+{user.login}@users.noreply.github.com`. See users API: https://api.github.com/users/github-actions%5Bbot%5D 
From 85e6279cec87321a52edac9c87bce653a07cf6c2 Mon Sep 17 00:00:00 2001 From: Josh Gross Date: Thu, 16 Jan 2025 15:56:18 -0500 Subject: [PATCH 3/3] Adjust positioning of user email note and permissions heading (#2044) --- README.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f28fec7..64dc025 100644 --- a/README.md +++ b/README.md @@ -312,7 +312,9 @@ jobs: git push ``` -## Recommended permissions +*NOTE:* The user email is `{user.id}+{user.login}@users.noreply.github.com`. See users API: https://api.github.com/users/github-actions%5Bbot%5D + +# Recommended permissions When using the `checkout` action in your GitHub Actions workflow, it is recommended to set the following `GITHUB_TOKEN` permissions to ensure proper functionality, unless alternative auth is provided via the `token` or `ssh-key` inputs: @@ -321,9 +323,6 @@ permissions: contents: read ``` -*NOTE:* The user email is `{user.id}+{user.login}@users.noreply.github.com`. See users API: https://api.github.com/users/github-actions%5Bbot%5D - - # License The scripts and documentation in this project are released under the [MIT License](LICENSE)
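Review bot: In PATCH 1/3, hunk `@@ -100,8 +103,8 @@`, the reworded `submodules` comment changes the documented condition for converting `git@github.com:` URLs to HTTPS, from "`ssh-key` not provided" to "neither `ssh-key` nor `token` provided", yet the diffstat lists README.md as the only file touched. Please confirm against the action's code which condition actually holds, because a reader whose submodules use SSH URLs will decide from this sentence whether supplying a PAT alone is enough. Separately, "neither the `ssh-key` nor the `token` inputs are provided" should read "neither the `ssh-key` nor the `token` input is provided".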
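Review bot: In PATCH 1/3, hunk `@@ -185,12 +188,19 @@`, the removed blockquote line was the only text in this part of the README explaining why a PAT is needed at all, namely that `${{ github.token }}` is scoped to the current repository. Suggest keeping that line and adding the equivalent sentence under the new "Checkout a repo and its private submodules" heading, so readers understand why the default token cannot read the private submodules. The new example could also repeat the least-scope advice already given in the `token` input comment ("select the least scopes necessary"), since `GH_PAT` here is described as needing only read access.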
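Review bot: In PATCH 2/3, hunk `@@ -311,6 +311,16 @@`, the new "Recommended permissions" section lands directly after an example that ends in `git commit -m "generated"` and `git push`, and `contents: read` does not permit that push. Suggest stating that `contents: read` is the minimum for the checkout itself and that workflows which push back, like the one immediately above, need `contents: write`. The insertion also separates the `*NOTE:* The user email ...` line from the example it annotates; PATCH 3/3 moves it back, so the two commits could be squashed.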