checkout: ::error::Input required and not supplied: token

Fyi @TomasVotruba here is an even shorter workaround 😃 You can use the truthy behavior to fallback the built-in token

token: ${{ secrets.MY_TOKEN || github.token }}

Sharing my fix for those (like me) who are hitting this during local dev with act (version 0.2.32). It was inspired by their docs: GITHUB_TOKEN.

1. Made a Github Personal Access Token (classic) with fill repo permissions (Full control of private repositories).
   • For my company, I also had to configure SSO
   • SEE: https://github.com/nektos/act#github_token
2. Added a local environment variable: export GITHUB_TOKEN="mySecret"
3. Here’s my yaml file:

      - uses: actions/checkout@v3

1. act -s GITHUB_TOKEN --container-architecture linux/amd64
   • I have --container-architecture linux/amd64 since I am using Mac M1

This at least unblocked my personal usage of act. Hope it helps someone out.

I started to have this issue in all the repositories which I set the token manually since yesterday or so. If I retrigger the build manually it works, also works sometimes automatically.

E.g. https://github.com/timonwong/vscode-shellcheck/runs/2077175092

This is not from fork, neither a pull request, so I wonder what’s happening.

It would be cool to get any feedback here. It isn’t very pleasant to constantly have to restart the workflows.

@ericsciple Could you please explain why that solves the issue? If github.token works, why don’t we directly use token: ${{ github.token }}?

EDIT: nevermind, turns out it’s by design: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

Landed here from a google search for “octokit input required and not supplied”. Same issue as the previous two commenters, but I’m noticing this behavior in the https://github.com/actions/github-script action instead of checkout.

Error: Unhandled error: Error: Input required and not supplied: github-token

Maybe 5 or so days ago, I noticed my auto-merge jobs failing in this way when attempting to merge PRs from dependabot.

I was having the same problem with my private repo in my organization when using reusable workflows. I found out that reusable workflows do not pass the secrets by default from the caller workflow to the reusable workflow, instead, you have to pass the secrets according to this documentation using-inputs-and-secrets-in-a-reusable-workflow. Following the 3 steps I was able to solve my problem.

Basically, if you are using reusable workflows you have to:

1. Define your secret in your reusable workflow file
2. Call the secret in your reusable workflow file
3. Pass the secret from the caller workflow to the reusable workflow file using secrets keyword
4. Enjoy!

Working for me, after changed event type pull_request to pull_request_target.

refer: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

We’re encountering this issue too for almost a week now. It suddenly started without a change in our workflows.

I’m getting

##[error]Input required and not supplied: token

From this workflow file:

    - uses: actions/checkout@v2
      with:
        ref: ${{ github.head_ref }}
        token: ${{ secrets.UBERSHMEKEL_ALT_TOKEN }}

I think the problem is actually mentioned on GitHub’s secrets page:

Secrets are not passed to workflows that are triggered by a pull request from a fork. Learn more.

The “Learn more” links to this page that doesn’t provide more information but repeats the message: https://help.github.com/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets

I found this discussion on the topic of forks getting some secrets access as “security by obscurity” https://github.community/t/make-secrets-available-to-builds-of-forks/16166/32

@felipecrs I looked at the run you linked, and it looks like it’s because you are using the secrets context and the run was triggered by dependabot.

As @Xunnamius and @MannarAmuthan this behavior change is intentional and related to this recent change: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

I’m going to close this issue. If anyone is still having an issue, please open a new issue.

In summary, this error is expected if you are attempting to use a secret on a fork PR or a run triggered by dependabot.

I’m running into this issue in a private repository where a check is failing on pull requests opened by dependabot.

If I remove

        with:
          token: ${{ secrets.PAT_TOKEN }}

from

      - name: Checkout code
        uses: actions/checkout@v2
        with:
          token: ${{ secrets.PAT_TOKEN }}

the workflow still fails.

What’s the recommended approach on getting my workflow to run in my private repository, even if it’s opened by dependabot?

Suddenly got this on my repos (auto merging dependabot PRs) which worked fine for 6+months.

Hello everyone, for those

1. Who are using act for local runs like @jmclean-starburst mentioned
2. Still facing this problem, here’s an update.

Here’s how my .github/workflows/deployment.yml looks like.

name: CI/CD Pipeline

on:
  push:
    branches:
      - main

jobs:
  github-actions-tests:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout psycopg2 Repository
        uses: actions/checkout@v4
        with:
          repository: jkehler/awslambda-psycopg2
          path: ./awslambda

As you notice the repository awslambda-psycopg2 is public, but based on the docs act provides

GitHub automatically provides a GITHUB_TOKEN secret when running workflows inside GitHub.

I understood that when your workflow runs in github actions it creates a token automatically on your user’s behalf, so to work this locally I created a PAT with no access what so ever and passed it as a secret to act and now it works as expected 🥳

act -s GITHUB_TOKEN=$ACT_GITHUB_TOKEN

@felipecrs I looked at the run you linked, and it looks like it’s because you are using the secrets context and the run was triggered by dependabot.

As @Xunnamius and @MannarAmuthan this behavior change is intentional and related to this recent change: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

I’m going to close this issue. If anyone is still having an issue, please open a new issue.

In summary, this error is expected if you are attempting to use a secret on a fork PR or a run triggered by dependabot.

However i think just chaning the event type to pull_request_target is regarded as unsecure when you are using secrets in your workflow. Refer: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

This would mean anyone forking the repo could steal secrets and do any sort of malicious actions. I guess for private repos this will not exist but for public repos it will.

So any other solutions here?

Is this still an issue? I have the below that fails, even though the repository (viaduct-ai/kustomize-sops) is public

> act --job deploy --eventpath .github/_act/event_deploy_argocd.json                
[Deploy ArgoCD/deploy] 🚀  Start image=node:12-buster-slim
[Deploy ArgoCD/deploy]   🐳  docker run image=node:12-buster-slim platform= entrypoint=["/usr/bin/tail" "-f" "/dev/null"] cmd=[]
[Deploy ArgoCD/deploy]   🐳  docker exec cmd=[mkdir -m 0777 -p /var/run/act] user=root
[Deploy ArgoCD/deploy] ⭐  Run Checkout KSOPS code
INFO[0001]   ☁  git clone 'https://github.com/actions/checkout' # ref=v2 
[Deploy ArgoCD/deploy]   🐳  docker cp src=/Users/alpha-wolf/.cache/act/actions-checkout@v2/ dst=/var/run/act/actions/actions-checkout@v2/
[Deploy ArgoCD/deploy]   🐳  docker exec cmd=[mkdir -p /var/run/act/actions/actions-checkout@v2/] user=
[Deploy ArgoCD/deploy]   🐳  docker exec cmd=[node /var/run/act/actions/actions-checkout@v2/dist/index.js] user=
[Deploy ArgoCD/deploy]   ❓  ::save-state name=isPost,::true
[Deploy ArgoCD/deploy]   💬  ::debug::GITHUB_WORKSPACE = '/Users/alpha-wolf/dev/ego-ops'
[Deploy ArgoCD/deploy]   💬  ::debug::qualified repository = 'viaduct-ai/kustomize-sops'
[Deploy ArgoCD/deploy]   💬  ::debug::ref = 'ref/tags/v2.5.7'
[Deploy ArgoCD/deploy]   💬  ::debug::commit = 'undefined'
[Deploy ArgoCD/deploy]   💬  ::debug::clean = true
[Deploy ArgoCD/deploy]   💬  ::debug::fetch depth = 1
[Deploy ArgoCD/deploy]   💬  ::debug::lfs = false
[Deploy ArgoCD/deploy]   💬  ::debug::submodules = false
[Deploy ArgoCD/deploy]   💬  ::debug::recursive submodules = false
[Deploy ArgoCD/deploy]   ❗  ::error::Input required and not supplied: token
[Deploy ArgoCD/deploy]   ❌  Failure - Checkout KSOPS code
Error: exit with `FAILURE`: 1

Workflow:

name: Deploy ArgoCD
on:
  workflow_dispatch:
    inputs:
      environment:
        description: The environment to deploy ArgoCD to
        required: true
        default: dev
      region:
        description: The region to deploy ArgoCD to
        required: true
        default: us-east-2
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout KSOPS code
        uses: actions/checkout@v2
        with:
          repository: viaduct-ai/kustomize-sops
          ref: ref/tags/v2.5.7
          path: _ksops

FYI: I have done brew unlink act && brew install act --HEAD

So far I’ve found this workaround: https://github.com/google/gvisor/commit/315c167de2acddeef90b2a4765c9736e35523129

---

Another shorter workaround: https://github.com/rectorphp/rector/commit/2243a814457690f61b38cfbb63421f7812a3b43c

Hi @cwong-archy, yes. According to the docs you have to define the secret inside the reusable workflow definition.

Same error here ):

It is clearly not fixed. I just added an organization secrets with a new PATH and I get that error. I’m unable to checkout a private repo (from the same organization) within my workflows.

edit: one job is using a workflow_call (using a workflow file from the same repo). Could that be the issue?