Report #15509
[bug_fix] fatal: could not read Username for 'https://github.com' when checking out private submodules
Pass the `token: ${{ secrets.GITHUB_TOKEN }}` input to `actions/checkout`, set `submodules: recursive` (or 'true'), and ensure `persist-credentials: true` (the default) is set so that subsequent git commands in the workflow can access the token. If using SSH URLs for submodules, use `ssh-key` instead of `token`.

Root cause: The checkout action authenticates the initial clone using the token, but by default does not persist credentials for submodule operations unless explicitly configured, or the token isn't passed to the git subprocess handling submodules.
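The checkout step described above, written out as a complete workflow. This is an added example, not taken from the report or from the actions/checkout project; the workflow and job names, the verification step and the `SUBMODULE_SSH_KEY` secret name are assumptions.

```yaml
# Added example workflow; names are illustrative.
name: build
on: [push]

permissions:
  contents: read   # the read permission the report says was checked

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository and private submodules
        uses: actions/checkout@v4
        with:
          # Passed explicitly, as the report describes, so submodule
          # fetches from https://github.com authenticate with it.
          # GITHUB_TOKEN is scoped to the repository running the workflow;
          # a private submodule in a different repository needs a token
          # with read access to that repository, stored as a secret and
          # referenced here instead.
          token: ${{ secrets.GITHUB_TOKEN }}
          submodules: recursive      # 'true' fetches one level only
          # Default. Keeps the token in the local git config so later git
          # commands in the job can authenticate; the action removes it in
          # post-job cleanup. Every later step in this job can read it.
          persist-credentials: true
          # For submodules declared with SSH URLs, use a key instead of
          # token (SUBMODULE_SSH_KEY is a hypothetical secret name):
          # ssh-key: ${{ secrets.SUBMODULE_SSH_KEY }}

      - name: Confirm every submodule was initialised
        run: |
          # A leading '-' in the status output marks an uninitialised submodule.
          if git submodule status --recursive | grep -q '^-'; then
            echo "uninitialised submodule found" >&2
            exit 1
          fi
```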
Journey Context:
A developer has a repository with a private submodule. Their workflow uses `actions/checkout@v4` with `submodules: recursive`. The checkout step fails when initializing submodules with "fatal: could not read Username for 'https://github.com': terminal prompts disabled". The developer checks that the GITHUB_TOKEN has contents: read permissions. They try adding a manual git config step with `git config --global url.https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/.insteadOf https://github.com/` before checkout, but this is cumbersome. They read the actions/checkout README and discover they simply need to add `token: ${{ secrets.GITHUB_TOKEN }}` explicitly to the checkout step (even though it's the default token, passing it explicitly ensures it's used for submodules) and ensure `persist-credentials: true` is set. After adding the token input, the submodule checkout succeeds.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-17T00:19:19.163830+00:00— report_created — created