Using persist-credentials: false leads to could not read Username for 'https://github.com': No such device or address #673

Closed
icemac opened this issue Nov 26, 2024 · 4 comments
Labels: good first issue (Good for newcomers), status: pinned (Should not be labeled as stale), type: docs (Documentation changes)


icemac commented Nov 26, 2024

Describe the bug
Using persist-credentials: false in a private repository for actions/checkout@v4 as suggested by https://github.com/woodruffw/zizmor leads to could not read Username for 'https://github.com/': No such device or address

Workflow used

      - uses: actions/checkout@v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.ref }}
          token: ${{ secrets.COMMIT_ACTIONS_TOKEN }}
...
      - name: Commit changes
        uses: EndBug/add-and-commit@v9
        with:
          committer_name: GitHub Actions
          committer_email: [email protected]
          message: Version synchronisation
          add: '["toolkit/deps.cfg", "dependabot/requirements.txt"]'

Expected behavior
The documentation suggests updating to actions/checkout@v2 for the error message I saw.
Maybe this just needs to be added to the documentation as another source for this error.

Logs

Run EndBug/add-and-commit@v9

Running in /home/runner/work/...
Add input parsed as string array, running 2 git add commands.
> Using 'dependabot[bot] ' as author.
> Using custom committer info: GitHub Actions 
> Using "Version synchronisation" as commit message.
> Internal logs
  > Staging files...
  > Adding files...
  > No files to remove.
  > Checking for uncommitted changes in the git working tree...
  > Found 1 changed files.
  > Fetching repo...
  Error: Error: fatal: could not read Username for 'https://github.com/': No such device or address

icemac added the status: pending (More info is needed before deciding what to do) label Nov 26, 2024

EndBug (Owner) commented Nov 26, 2024

Hmm yeah, makes sense that persist-credentials: false causes this issue, as then add-and-commit has no credentials to access the repo. It's worth mentioning this in https://github.com/EndBug/add-and-commit#about-actionscheckout

EndBug added the type: docs, good first issue and status: pinned labels and removed the status: pending label Nov 26, 2024
EndBug closed this as completed in b27b481 Nov 26, 2024

EndBug (Owner) commented Nov 26, 2024

@all-contributors please add @icemac for their docs contribution

Contributor

@EndBug

I've put up a pull request to add @icemac! 🎉

EndBug (Owner) commented Nov 26, 2024

Thanks for the suggestion :)

AntonioVentilii added a commit to dfinity/oisy-wallet that referenced this issue Apr 1, 2025
# Motivation

An apparently known security issue of `actions/checkout` is the default
of `persist-credentials` set to `true`. It was requested to the GitHub
developers to change it (see
actions/checkout#485), but it does not seem
that it is a plan in the short term.

So, for now we solve it our way.

# Changes

- Set `persist-credentials` to `false` in all the uses of
`actions/checkout`.
- Created new action to `add-and-commit` since the existing
`EndBug/add-and-commit` one does not work well if we do not persist the
credentials according to
[documentation](https://github.com/EndBug/add-and-commit?tab=readme-ov-file#about-actionscheckout)
(see EndBug/add-and-commit#673 too).

# Tests

CIs work as they are supposed to.

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Max <[email protected]>
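
An added example, not part of the issue thread or of EndBug/add-and-commit's own code: workflow steps that keep `persist-credentials: false` and hand the token only to the `git push` command, using plain git in place of the action. The `COMMIT_ACTIONS_TOKEN` secret, the pull-request refs, the file paths and the commit message come from the workflow in the report; the step names, the `actions@example.invalid` committer address and the use of git's `GIT_CONFIG_*` environment variables (git 2.31 or later) are assumptions.

```yaml
    steps:
      - uses: actions/checkout@v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.ref }}
          token: ${{ secrets.COMMIT_ACTIONS_TOKEN }}
          persist-credentials: false   # token is used for the fetch, then dropped

      - name: Assert no token was left in .git/config
        run: |
          # checkout@v4 persists its token under http.<server>.extraheader;
          # --name-only keeps any value that is found out of the job log.
          if git config --local --name-only --get-regexp '^http\..*\.extraheader$'; then
            echo "::error::credential header still present in .git/config"
            exit 1
          fi

      # ... the steps that modify the files run here, with no credential on disk ...

      - name: Commit changes
        run: |
          git add toolkit/deps.cfg dependabot/requirements.txt
          # Commit only when something is staged; identity is set per command.
          git diff --cached --quiet || git \
            -c user.name="GitHub Actions" \
            -c user.email="actions@example.invalid" \
            commit -m "Version synchronisation"

      - name: Push with a credential scoped to this one command
        env:
          PUSH_TOKEN: ${{ secrets.COMMIT_ACTIONS_TOKEN }}
          # Passed through env instead of being inlined into the script text.
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          auth=$(printf 'x-access-token:%s' "$PUSH_TOKEN" | base64 -w0)
          echo "::add-mask::$auth"
          # GIT_CONFIG_* keeps the header out of .git/config and out of argv.
          GIT_CONFIG_COUNT=1 \
          GIT_CONFIG_KEY_0="http.https://github.com/.extraheader" \
          GIT_CONFIG_VALUE_0="AUTHORIZATION: basic $auth" \
            git push origin "HEAD:refs/heads/${HEAD_REF}"
```

The push still needs a token with write access to the head repository; what changes is that the token is no longer readable from `.git/config` by the steps in between.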