Replies: 2 comments
-
When I provide a token for the checkout auth, I am able to clone the repo, so it seems that the runners only have permission to clone the repo they were triggered from. Maybe someone can confirm, or comment if there is a workaround to enable runners to check out other repos without providing an auth token?
-
That's intended behaviour. Furthermore, it's not a limitation of the GitHub action runners deployed in Kubernetes but a general (security-based) limitation of GitHub Actions itself. You can read about it in the documentation, in short:
If you want to access the contents of another repository (so, the action is running in repo A and you want to check out repo B), you either have to use a personal access token or, which is preferred security-wise, set up a GitHub App and then configure that to be able to access the other repository. For information on using a GitHub App for a similar use case, check out this archived docs link and this action.
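An added example, not taken from any of the posts in this thread: a workflow that checks out a second repository with a GitHub App installation token, the option the reply above calls preferable. It assumes the `actions/create-github-app-token` action, a constructed variable `APP_ID` and secret `APP_PRIVATE_KEY`, and reuses the thread's repository name `my-custom-action`.

```yaml
# Constructed example: runs in "workflow-repo" and also checks out "my-custom-action".
# APP_ID and APP_PRIVATE_KEY are assumed names for the GitHub App's ID and private key.
name: cross-repo-checkout
on: workflow_dispatch

permissions:
  contents: read   # the built-in GITHUB_TOKEN only covers the triggering repo

jobs:
  build:
    runs-on: self-hosted
    steps:
      # Repo A (the repo that triggered the workflow): the default token is enough.
      - uses: actions/checkout@v4

      # Mint a short-lived installation token restricted to the one extra repo,
      # instead of storing a long-lived personal access token.
      - id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          repositories: my-custom-action

      # Repo B: without an explicit token this step fails, as described in the thread.
      - uses: actions/checkout@v4
        with:
          repository: ${{ github.repository_owner }}/my-custom-action
          token: ${{ steps.app-token.outputs.token }}
          path: my-custom-action
          persist-credentials: false   # do not leave the token in .git/config
```

The GitHub App needs read access to repository contents and must be installed on the second repository; runner group membership does not change what the workflow's token can read.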
-
Hello, I'm trying to check out a repo "my-custom-action" on GHE on a runner in a runner group with the checkout action. The workflow runs in a different "workflow-repo" where I want to use this action.
The runner group has permission to access these two repositories. Can this still be a permission issue since the workflow is started in another repo?
Note, I'm not giving any additional auth to the checkout: