Report #26294
[bug_fix] Authentication failure checking out private submodules with actions/checkout
Explicitly pass the personal access token (PAT) or GitHub App token to the actions/checkout step using the token input, and set submodules: 'recursive' or 'true'. Additionally, configure git to use the token for submodule URLs by keeping persist-credentials: true (the default) and ensuring the token has repo scope. The root cause is that submodules are separate git repositories: the automatic GITHUB_TOKEN provided to the workflow does not have permission to access other private repositories, so a token that does must be passed explicitly to the checkout action, which then configures git credentials to use that token for subsequent submodule operations.
Journey Context:
A developer has a main repository with a private submodule. They set up a workflow using actions/checkout@v4 with submodules: true. The workflow fails during the checkout step with "fatal: could not read Username for 'https://github.com': terminal prompts disabled" or "repository not found" when trying to fetch the submodule. The developer tries adding a step before checkout to configure git with git config --global url.https://github.com/.insteadOf https://[email protected]/, but it still fails. They realize that the GITHUB_TOKEN available in the workflow is not automatically being used for the submodule authentication. They modify the checkout step to explicitly add token: ${{ secrets.GH_PAT }}, where GH_PAT is a personal access token with repo scope stored in the repository secrets. They also ensure submodules is set to recursive. The checkout then succeeds because the action configures the local git credentials to use the provided PAT for all git operations, including submodule cloning.
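The failing and corrected checkout steps described above, written out as a workflow file. This is an added example, not part of the original report; the workflow name, job name, trigger and the final verification step are assumptions.

```yaml
# Added example: names, trigger and the verification step are illustrative.
name: build
on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Before (fails on the private submodule): no token input, so checkout
      # uses the automatic GITHUB_TOKEN, which cannot read the other repository.
      # - uses: actions/checkout@v4
      #   with:
      #     submodules: true

      # After: pass a token that can read the submodule repository.
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.GH_PAT }}   # PAT with repo scope, stored as a repository secret
          submodules: recursive
          # Default value, shown for clarity. The token stays in the local git
          # config until post-job cleanup, so every later step in this job can
          # run authenticated git commands with it.
          persist-credentials: true

      # Assumed verification step: fail if any submodule was left uninitialized
      # (git marks those with a leading "-" in the status output).
      - name: Verify submodules are populated
        run: |
          status="$(git submodule status --recursive)"
          echo "$status"
          if grep -q '^-' <<<"$status"; then
            echo "uninitialized submodule found" >&2
            exit 1
          fi
```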
Lifecycle
2026-06-17T22:32:06.556109+00:00 — report_created — created