
Document permission requirements for private repositories #237

Open
trymzet opened this issue May 6, 2024 · 2 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments


trymzet commented May 6, 2024

For private repos, due to this undocumented behavior of GitHub actions, it seems an additional contents: read permission is required for the action:

permissions:
  id-token: write # IMPORTANT: this permission is mandatory for trusted publishing.
  contents: read

Otherwise, the action fails while trying to fetch the repo:

remote: Repository not found.
Error: fatal: repository 'https://github.com/my-org/my-repo' not found
The process '/usr/bin/git' failed with exit code 128

NOTE: I tested this with a repo using Trusted Publishing.

@trymzet trymzet changed the title Document permimssion requirements for private repositories Document permission requirements for private repositories May 6, 2024
@woodruffw (Member) commented:

I can confirm that I've seen the same behavior. I think this may depend on the parent GH user/org/enterprise's default GHA token permissions, but either way it's likely to be a common snare when people publish from a private repo.

@webknjaz webknjaz added enhancement New feature or request help wanted Extra attention is needed labels May 29, 2024
@webknjaz (Member) commented:

@trymzet thanks for letting us know, I didn't realize. I'd love to get contributions updating the snippets @ https://github.com/pypa/gh-action-pypi-publish/blob/unstable/v1/README.md and https://github.com/pypa/packaging.python.org/blob/main/source/guides/github-actions-ci-cd-sample/publish-to-test-pypi.yml with that privilege and a similar code comment explaining why it's needed.
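The snippet requested above, as an added example rather than the project's own README content: a minimal Trusted Publishing workflow for a private repository that declares the `contents: read` permission from the original report alongside `id-token: write`. The workflow name, environment name, Python version and build command are assumptions for illustration; the action reference `pypa/gh-action-pypi-publish@release/v1` is the published release branch of this project.

```yaml
# Added example (not the project's own README snippet): publish from a
# PRIVATE repository via Trusted Publishing. Workflow name, environment
# name, Python version and build command are assumptions.
name: Publish to PyPI

on:
  release:
    types: [published]

jobs:
  pypi-publish:
    name: Build and upload release to PyPI
    runs-on: ubuntu-latest
    # Assumed environment name; it must match the trusted publisher
    # configured on PyPI if you scope the publisher to an environment.
    environment: pypi
    permissions:
      # IMPORTANT: mandatory for Trusted Publishing. It lets the job request
      # an OIDC token that PyPI exchanges for a short-lived upload token.
      id-token: write
      # Declaring a `permissions:` block sets every scope not listed to
      # `none`. On a private repository the job then cannot clone its own
      # repo, and actions/checkout fails with "remote: Repository not found"
      # (git exit code 128), as reported in this issue. Whether the org's
      # default token permissions would otherwise cover this varies, so
      # declare it explicitly.
      contents: read
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"  # assumed

      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build

      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
```

The least-privilege point is that nothing beyond these two scopes is granted to the job: no write access to contents, packages, or pull requests is needed to publish.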
