Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Fix cross-repo deployment with actions/checkout@v6 includeIf credentials #1929

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Copilot wants to merge 3 commits into
base: dev
Choose a base branch
Loading
from
Draft

Fix cross-repo deployment with actions/checkout@v6 includeIf credentials #1929

Copilot wants to merge 3 commits into from
+90 −5

Conversation

Copy link
Contributor

Copilot AI commented Dec 4, 2025
edited
Loading

Description

actions/checkout@v6 changed credential injection from http.extraheader to includeIf directives in git config. Existing code only removed extraheader, causing cross-repo deployments to use github-actions[bot] instead of provided PAT tokens, resulting in 403 errors.

Changes

  • Added includeIf credential removal in src/git.ts init():

    • Queries includeIf.*.path git config entries
    • Removes each includeIf section via git config --remove-section
    • Runs under same conditions as existing extraheader removal (CI environment, non-SSH)
    • Silently continues if no includeIf directives exist

  • Updated test expectations in __tests__/git.test.ts and __tests__/main.test.ts:

    • Incremented execute call counts to account for new includeIf query
    • Added test case validating includeIf section removal

Example

When actions/checkout@v6 injects credentials like:

[includeIf "gitdir:/home/runner/work/repo/.git"]
  path = /home/runner/work/_temp/git-credentials-123.config

The new code removes the entire includeIf section, ensuring the PAT token provided to the action takes precedence.

Testing Instructions

  1. Use actions/checkout@v6 in a workflow
  2. Deploy to a different repository using a PAT via the token: input
  3. Verify deployment succeeds and commits are attributed to PAT owner, not github-actions[bot]

Alternatively, verify the existing test suite passes with the new includeIf removal test case.

Additional Notes

Backward compatible - no behavior change for SSH keys or non-CI environments. All 61 tests pass with no security issues.

Original prompt

This section details on the original issue you should resolve

<issue_title>bug: 🐝 Cross-repo deploy always uses github-actions[bot] with actions/checkout@v6 due to new includeIf credential handling</issue_title>
<issue_description>### Describe the bug

When using actions/checkout@v6 together with github-pages-deploy-action@v4, cross-repository deployments always authenticate as github-actions[bot], even when a valid PAT is provided through the token: input.

This makes cross-repo deployments fail with 403, because the action still uses the GITHUB_TOKEN instead of the supplied PAT.

Root Cause

actions/checkout@v6 no longer injects credentials via:

http.https://github.com/.extraheader

Instead, it writes GITHUB_TOKEN credentials into autogenerated config files such as:

/home/runner/work/_temp/git-credentials-xxx.config

and injects them into Git using:

[includeIf "gitdir:/.../.git"]
  path = /home/runner/.../git-credentials-xxx.config

github-pages-deploy-action only clears the old extraheader mechanism (PR JamesIves/github-pages-deploy-action#587), but does not remove or override these new includeIf credential files.

As a result:

  • Git still loads the includeIf credentials => uses GITHUB_TOKEN
  • PAT provided via token: is ignored
  • Deployment fails with:
Permission to <target-repo>.git denied to github-actions[bot].

Reproduction Steps

Source repo: nirooxx/ghp-deploy-repro-source

Logs

remote: Permission to ... denied to github-actions[bot].

Workflow

name: repro-gh-pages-deploy

on:
  push:
    branches: [ main ]

jobs:
  repro:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout source
        uses: actions/checkout@v6   # Important: Version with includeIf

      - name: Create dummy site
        run: |
          mkdir -p dist
          echo "<h1>Hello from repro</h1>" > dist/index.html

      - name: Debug git config
        run: |
          echo "=== DEBUG: .git/config ==="
          cat .git/config
          echo "=== DEBUG: includeIf credentials ==="
          git config --show-origin --get-regexp 'includeIf\.gitdir:.*\.path' || true

      - name: Deploy via github-pages-deploy-action
        uses: JamesIves/github-pages-deploy-action@v4
        with:
          branch: main
          folder: dist
          repository-name: nirooxx/ghp-deploy-repro-target
          token: ${{ secrets.CROSS_REPO_PAT }}

Additional Comments

Expected Behavior

When a PAT is provided via token:, it must fully override all credentials installed by actions/checkout, including those injected through includeIf.

Suggested Fix

One of:

  1. Remove all includeIf sections pointing to autogenerated credential files before performing the deploy.
  2. Override all Git credential helpers so that the provided PAT always takes precedence.
  3. Document that with checkout@v6, users must set:
with:
  persist-credentials: false

to avoid the injected GITHUB_TOKEN.

Why This Matters

This is currently a hard blocker for all cross-repo deployments using:

  • checkout@v6
  • github-pages-deploy-action
  • PAT-based authentication

because the PAT is silently ignored and replaced by github-actions[bot].</issue_description>

Comments on the Issue (you are @copilot in this section)

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI and others added 2 commits December 4, 2025 14:19
@JamesIves
Add includeIf credential removal for actions/checkout@v6 compatibility
90905bd 
Co-authored-by: JamesIves <10888441+JamesIves@users.noreply.github.com>
@JamesIves
Clarify comment about regex capturing section name without .path suffix
7b7af9e 
Co-authored-by: JamesIves <10888441+JamesIves@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix cross-repo deploy using PAT with checkout action Fix cross-repo deployment with actions/checkout@v6 includeIf credentials Dec 4, 2025
Copilot AI requested a review from JamesIves December 4, 2025 14:23
Copilot finished work on behalf of JamesIves December 4, 2025 14:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JamesIves JamesIves Awaiting requested review from JamesIves JamesIves is a code owner

Assignees

@JamesIves JamesIves

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

bug: 🐝 Cross-repo deploy always uses github-actions[bot] with actions/checkout@v6 due to new includeIf credential handling

2 participants

@JamesIves
Morty Proxy This is a proxified and sanitized view of the page, visit original site.