How do I authenticating to remote repo inside Github Action using GH CLI?

Question

I am having an issue with the following segment of a Github Action/Workflow which is meant to pull the PR list (with some filtering) of a remote, private repo (e.g. not the repo that contains the Action itself).

  - run: echo "PR2=$( gh pr list --head "${{ env.BRANCH_NAME }}" --repo github.com/[OWNER]/[REMOTE_REPO] | tr -s [:space:] ' ' | cut -d' ' -f1 )" >> $GITHUB_ENV
     env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

However, I am getting the following error: GraphQL: Could not resolve to a Repository with the name '[OWNER]/[REMOTE_REPO]'. (repository)

I gather there is some issue with authentication somewhere, since the commands runs perfectly in a terminal after authenticating with gh auth. I'm new to Github as a whole, Actions, and CLI, so any advice as to how to properly authenticate inside an action would be amazing.

Edit: Found a solution/workaround.

Use git ls-remote to get a list of PRs and branches, then link the two using the ID. For future reference:

id=$(git ls-remote git@github.com:[OWNER]/[REMOTE_REPO] | grep "${{ env.BRANCH_NAME }}" | head -c 40)
PR=$(git ls-remote git@github.com:[OWNER]/[REMOTE_REPO] | grep "${id}.*refs/pull" | cut -b 52- | rev | cut -b 6- | rev)

Answer 1

There is an open feature request for authenticating non-interactively: Add flags to gh auth login to replace the interactive prompts

You can use github-script though:

steps:
  - name: Find Pull Request
    uses: actions/github-script@v5
    with:
      github-token: ${{ secrets.TOKEN_FOR_PRIVATE_REPO }}
      script: |
        const pulls = github.rest.pulls.list({
          owner: '[OWNER]',
          head: '${{ env.BRANCH_NAME }}',
          repo: '[REMOTE_REPO]',
        });

Note how it passes a separate github-token. The default token (secrets.GITHUB_TOKEN) cannot access your other private repository, so you'll have to issue another token and set that up as a secret.

If you don't want to use github script, you could also use plain curl with the newly issued token. Here's the doc on the REST API: https://docs.github.com/en/rest/reference/pulls#list-pull-requests and how to use the token: https://docs.github.com/en/rest/overview/other-authentication-methods#via-oauth-and-personal-access-tokens

Answer 2

You don't need to specifically authenticate using gh auth, but you should be using a generated PAT which has access to the private repo in this case.

1. For example, generate a PAT which can access your private repo, steps: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token

2. Add the PAT as a secret to the repo where you have your workflow, say PRIVATE_REPO_PAT , steps: https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository

Then, you can use that in your workflow like:

- run: echo "PR2=$( gh pr list --head "${{ env.BRANCH_NAME }}" --repo github.com/[OWNER]/[REMOTE_REPO] | tr -s [:space:] ' ' | cut -d' ' -f1 )" >> $GITHUB_ENV
     env:
      GITHUB_TOKEN: ${{ secrets.PRIVATE_REPO_PAT }}

Note that, if you do want to use gh auth 'non-interactively', say in a shell script, you could always do it using :

echo "$GH_CONFIG_TOKEN" | gh auth login --with-token

where GH_CONFIG_TOKEN is either the default GITHUB_TOKEN or a generated PAT.

For use in Github Actions, this auth is implicit when you pass in the correct GITHUB_TOKEN in the env variables.