尝试使用Github Actions复制存储库时出现身份验证错误 [英] Auth error trying to copy a repo with Github Actions

问题描述

我有一堆使用Azure Pipelines for CI/CD的存储库，我现在正尝试将其移植到Github Actions.这是我正在研究的第一个: https://github.com/Azure /AzureAuth/tree/fix-ghaction

I have a bunch of repos that use Azure Pipelines for CI/CD, which I'm now trying to port to Github Actions. This is the first one I'm working on: https://github.com/Azure/AzureAuth/tree/fix-ghaction

我已经完成了99％的工作，但是一步一步却遇到了奇怪的身份验证错误.回购已镜像到另一个组织(cloudyr)，我使用此步骤进行镜像:

I've got it 99% working but I'm getting a weird authentication error on one step. The repo is mirrored to another org (cloudyr), and I use this step to do the mirroring:

  - name: Copy to Cloudyr
    if: runner.os == 'Linux'
    env:
      token: "${{ secrets.ghPat }}"
    run: |
      export CLOUDYR_REPO=$(echo $GITHUB_REPOSITORY | sed "s/Azure/cloudyr/")
      git push --prune https://$token@github.com/${CLOUDYR_REPO}.git +refs/remotes/origin/*:refs/heads/* +refs/tags/*:refs/tags/*

这将从回购秘密中检索PAT，并执行git push.它与Azure Pipelines完美配合，但是现在失败，并出现以下错误:

This retrieves a PAT from the repo secrets, and does a git push. It was working perfectly well with Azure Pipelines, but now it fails with the following error:

Run export CLOUDYR_REPO=$(echo $GITHUB_REPOSITORY | sed "s/Azure/cloudyr/")
remote: Permission to cloudyr/AzureAuth.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/cloudyr/AzureAuth.git/': The requested URL returned error: 403
Error: Process completed with exit code 128.

谁能解释这是什么原因以及如何解决?我对Azure/AzureAuth和clouderer/AzureAuth仓库都具有管理员权限.我还检查了PAT是否有效.

Can anyone explain what's causing this, and how to fix it? I have admin access to both the Azure/AzureAuth and cloudyr/AzureAuth repos. I've also checked that the PAT is valid.

失败的日志在这里: https://github.com/Azure/AzureAuth/runs/1228152900?check_suite_focus = true

推荐答案

GitHub Actions使用http.extraheader选项之一存储配置选项，以发送用于在自定义Authorization标头中克隆存储库的原始令牌.这是一个坏主意，因为当您使用另一个存储库时，它会与Git添加的Authorization标头冲突，并且发出的令牌仅对原始存储库有效.

GitHub Actions stores a configuration option using one of the http.extraheader options to send the original token for cloning your repository in a custom Authorization header. This is a bad idea because it then conflicts with the Authorization header added by Git when you use another repository, and the token that's issued is only valid for the original repository.

如果要推送到其他存储库，则需要通过执行以下操作来取消设置该配置选项:

If you want to push to a different repository, then you need to unset that configuration option by doing something like this:

git config -l | grep 'http\..*\.extraheader' | cut -d= -f1 | \
    xargs -L1 git config --unset-all

此外，您应该避免在用户名字段中传递授权令牌.尽管GitHub对此进行了过滤，但更有可能在日志中显示用户名字段，因此，最佳做法是使用虚拟名称在密码字段中传递它，如下所示:

In addition, you should avoid passing the authorization token in the username field. While GitHub has filtering for this, it's more likely that the username field appears in logs, so it's a best practice to pass it in the password field using a dummy name, like so:

git push --prune https://token:$token@github.com/${CLOUDYR_REPO}.git

这篇关于尝试使用Github Actions复制存储库时出现身份验证错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！