Skip to content

Comments

Fix cross-repo deployment with actions/checkout@v6 includeIf credentials#1929

Merged
JamesIves merged 3 commits intodevfrom
copilot/fix-cross-repo-deployment-issue
Dec 8, 2025
Merged

Fix cross-repo deployment with actions/checkout@v6 includeIf credentials#1929
JamesIves merged 3 commits intodevfrom
copilot/fix-cross-repo-deployment-issue

Conversation

Copy link
Contributor

Copilot AI commented Dec 4, 2025
edited
Loading

Description

actions/checkout@v6 changed credential injection from http.extraheader to includeIf directives in git config. Existing code only removed extraheader, causing cross-repo deployments to use github-actions[bot] instead of provided PAT tokens, resulting in 403 errors.

Changes

  • Added includeIf credential removal in src/git.ts init():

    • Queries includeIf.*.path git config entries
    • Removes each includeIf section via git config --remove-section
    • Runs under same conditions as existing extraheader removal (CI environment, non-SSH)
    • Silently continues if no includeIf directives exist

  • Updated test expectations in __tests__/git.test.ts and __tests__/main.test.ts:

    • Incremented execute call counts to account for new includeIf query
    • Added test case validating includeIf section removal

Example

When actions/checkout@v6 injects credentials like:

[includeIf "gitdir:/home/runner/work/repo/.git"]
  path = /home/runner/work/_temp/git-credentials-123.config

The new code removes the entire includeIf section, ensuring the PAT token provided to the action takes precedence.

Testing Instructions

  1. Use actions/checkout@v6 in a workflow
  2. Deploy to a different repository using a PAT via the token: input
  3. Verify deployment succeeds and commits are attributed to PAT owner, not github-actions[bot]

Alternatively, verify the existing test suite passes with the new includeIf removal test case.

Additional Notes

Backward compatible - no behavior change for SSH keys or non-CI environments. All 61 tests pass with no security issues.

Original prompt

This section details on the original issue you should resolve

<issue_title>bug: 🐝 Cross-repo deploy always uses github-actions[bot] with actions/checkout@v6 due to new includeIf credential handling</issue_title>
<issue_description>### Describe the bug

When using actions/checkout@v6 together with github-pages-deploy-action@v4, cross-repository deployments always authenticate as github-actions[bot], even when a valid PAT is provided through the token: input.

This makes cross-repo deployments fail with 403, because the action still uses the GITHUB_TOKEN instead of the supplied PAT.

Root Cause

actions/checkout@v6 no longer injects credentials via:

http.https://github.com/.extraheader

Instead, it writes GITHUB_TOKEN credentials into autogenerated config files such as:

/home/runner/work/_temp/git-credentials-xxx.config

and injects them into Git using:

[includeIf "gitdir:/.../.git"]
  path = /home/runner/.../git-credentials-xxx.config

github-pages-deploy-action only clears the old extraheader mechanism (PR JamesIves/github-pages-deploy-action#587), but does not remove or override these new includeIf credential files.

As a result:

  • Git still loads the includeIf credentials => uses GITHUB_TOKEN
  • PAT provided via token: is ignored
  • Deployment fails with:
Permission to <target-repo>.git denied to github-actions[bot].

Reproduction Steps

Source repo: nirooxx/ghp-deploy-repro-source

Logs

remote: Permission to ... denied to github-actions[bot].

Workflow

name: repro-gh-pages-deploy

on:
  push:
    branches: [ main ]

jobs:
  repro:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout source
        uses: actions/checkout@v6   # Important: Version with includeIf

      - name: Create dummy site
        run: |
          mkdir -p dist
          echo "<h1>Hello from repro</h1>" > dist/index.html

      - name: Debug git config
        run: |
          echo "=== DEBUG: .git/config ==="
          cat .git/config
          echo "=== DEBUG: includeIf credentials ==="
          git config --show-origin --get-regexp 'includeIf\.gitdir:.*\.path' || true

      - name: Deploy via github-pages-deploy-action
        uses: JamesIves/github-pages-deploy-action@v4
        with:
          branch: main
          folder: dist
          repository-name: nirooxx/ghp-deploy-repro-target
          token: ${{ secrets.CROSS_REPO_PAT }}

Additional Comments

Expected Behavior

When a PAT is provided via token:, it must fully override all credentials installed by actions/checkout, including those injected through includeIf.

Suggested Fix

One of:

  1. Remove all includeIf sections pointing to autogenerated credential files before performing the deploy.
  2. Override all Git credential helpers so that the provided PAT always takes precedence.
  3. Document that with checkout@v6, users must set:
with:
  persist-credentials: false

to avoid the injected GITHUB_TOKEN.

Why This Matters

This is currently a hard blocker for all cross-repo deployments using:

  • checkout@v6
  • github-pages-deploy-action
  • PAT-based authentication

because the PAT is silently ignored and replaced by github-actions[bot].</issue_description>

Comments on the Issue (you are @copilot in this section)

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI changed the title [WIP] Fix cross-repo deploy using PAT with checkout action Fix cross-repo deployment with actions/checkout@v6 includeIf credentials Dec 4, 2025
Copilot AI requested a review from JamesIves December 4, 2025 14:23
@JamesIves JamesIves marked this pull request as ready for review December 8, 2025 14:52
@JamesIves JamesIves merged commit 1d137fd into dev Dec 8, 2025
3 checks passed
@JamesIves JamesIves deleted the copilot/fix-cross-repo-deployment-issue branch December 8, 2025 14:52
jakelishman added a commit to jakelishman/openqasm that referenced this pull request Dec 11, 2025
@jakelishman
Bump version of docs-deployment action
9ac2770 
The update to `actions/checkout@v6` caused a modification to the
permissions system that resulted in 403 errors, which the newer version
of this action should fix.

See JamesIves/github-pages-deploy-action#1929
for more detail.
@jakelishman jakelishman mentioned this pull request Dec 11, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JamesIves JamesIves Awaiting requested review from JamesIves JamesIves is a code owner

Assignees

@JamesIves JamesIves

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

bug: 🐝 Cross-repo deploy always uses github-actions[bot] with actions/checkout@v6 due to new includeIf credential handling

2 participants

@JamesIves