Description
Describe the bug
When using actions/checkout@v6 together with github-pages-deploy-action@v4, cross-repository deployments always authenticate as github-actions[bot], even when a valid PAT is provided through the token: input.
This makes cross-repo deployments fail with 403, because the action still uses the GITHUB_TOKEN instead of the supplied PAT.
Root Cause
actions/checkout@v6 no longer injects credentials via:
http.https://github.com/.extraheader
Instead, it writes GITHUB_TOKEN credentials into autogenerated config files such as:
/home/runner/work/_temp/git-credentials-xxx.config
and injects them into Git using:
[includeIf "gitdir:/.../.git"]
    path = /home/runner/.../git-credentials-xxx.config
github-pages-deploy-action only clears the old extraheader mechanism (PR #587), but does not remove or override these new includeIf credential files.
As a result:
- Git still loads the includeIf credentials => uses GITHUB_TOKEN
- PAT provided via token: is ignored
- Deployment fails with:
Permission to <target-repo>.git denied to github-actions[bot].
Reproduction Steps
Source repo: nirooxx/ghp-deploy-repro-source
Logs
remote: Permission to ... denied to github-actions[bot].
Workflow
name: repro-gh-pages-deploy
on:
  push:
    branches: [ main ]
jobs:
  repro:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout source
        uses: actions/checkout@v6 # Important: Version with includeIf
      - name: Create dummy site
        run: |
          mkdir -p dist
          echo "<h1>Hello from repro</h1>" > dist/index.html
      - name: Debug git config
        run: |
          echo "=== DEBUG: .git/config ==="
          cat .git/config
          echo "=== DEBUG: includeIf credentials ==="
          git config --show-origin --get-regexp 'includeIf\.gitdir:.*\.path' || true
      - name: Deploy via github-pages-deploy-action
        uses: JamesIves/github-pages-deploy-action@v4
        with:
          branch: main
          folder: dist
          repository-name: nirooxx/ghp-deploy-repro-target
          token: ${{ secrets.CROSS_REPO_PAT }}
Additional Comments
Expected Behavior
When a PAT is provided via token:, it must fully override all credentials installed by actions/checkout, including those injected through includeIf.
Suggested Fix
One of:
- Remove all includeIf sections pointing to autogenerated credential files before performing the deploy.
- Override all Git credential helpers so that the provided PAT always takes precedence.
- Document that with checkout@v6, users must set:
  with:
    persist-credentials: false
  to avoid the injected GITHUB_TOKEN.
Why This Matters
This is currently a hard blocker for all cross-repo deployments using:
- checkout@v6
- github-pages-deploy-action
- PAT-based authentication
because the PAT is silently ignored and replaced by github-actions[bot].
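One way to audit a checkout for the includeIf credential files described in this issue and detach them before a cross-repo push, in the spirit of the first suggested fix. This is an added example, not part of the original issue or of either action's code; the function names, the `git-credentials-*.config` name match and the fixture's dummy header value are assumptions.

```shell
# Added example: find and detach checkout-style includeIf credential files.
# Assumption: the files are named git-credentials-*.config, as in the issue.

# Print "key<TAB>target" for each includeIf entry in REPO's local config whose
# target looks like a checkout-generated credentials file.
find_credential_includes() {
    git -C "$1" config --local --name-only --get-regexp '^includeif\..*\.path$' |
    while IFS= read -r key; do
        git -C "$1" config --local --get-all "$key" |
        while IFS= read -r target; do
            case "${target##*/}" in
                git-credentials-*.config) printf '%s\t%s\n' "$key" "$target" ;;
            esac
        done
    done
}

# Unset each matching key and print the credential paths that were detached.
# Note: --unset-all drops every value under that key, not just the match.
strip_credential_includes() {
    found=$(find_credential_includes "$1")
    [ -n "$found" ] || return 0
    printf '%s\n' "$found" | while IFS="$(printf '\t')" read -r key target; do
        git -C "$1" config --local --unset-all "$key" 2>/dev/null || true
        printf '%s\n' "$target"
    done
}

# Header git would attach to github.com requests from REPO (empty if none).
effective_extraheader() {
    git -C "$1" config --get-all 'http.https://github.com/.extraheader' || true
}

# Constructed fixture: a throwaway repo wired the way the issue describes.
# The file content (an extraheader with a dummy value) is an assumption.
make_fixture() {
    dir=$(mktemp -d)
    git init -q "$dir/repo"
    gitdir=$(git -C "$dir/repo" rev-parse --absolute-git-dir)
    cred="$dir/git-credentials-demo.config"
    git config --file "$cred" 'http.https://github.com/.extraheader' 'AUTHORIZATION: basic DUMMY'
    git -C "$dir/repo" config --local "includeIf.gitdir:$gitdir.path" "$cred"
    printf '%s\n' "$dir/repo"
}

repo=$(make_fixture)
echo "before: $(effective_extraheader "$repo")"
strip_credential_includes "$repo" >/dev/null
echo "after:  $(effective_extraheader "$repo")"
```

In a workflow, `strip_credential_includes "$GITHUB_WORKSPACE"` would run in a step between checkout and deploy; it only detaches the include and leaves the credential file itself on disk.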