Error 403 using this at SSO Organization Level

[fiddlermikey]

I think I'm running into a permissions issue but hoping someone can help shed light on this 403 error I'm getting. I have an action that takes an Organization and Repository Name as inputs and should pull the latest release artifact from the repo.

I have tried various combinations to try to narrow this down.

• As a user, I can pull my own public and private repos
• Transferred script to non-enterprise/SSO org
• As a Org (non-enterprise/SSO) I can pull my public and private repos
• Transferred action/workflow to Org using SSO
• Added personal PAN with full access and copied the key to a secret at the SSO Org level
• As SSO Org I can pull my user's public repos
• As SSO Org I get 403 error when trying to pull a public repo owned by the SSO Org

I find tables helpful, so I made one:

Script owner	Target Repo Owner	Repo Visibility	Result
User	User	Private	Ok
UserOrg	UserOrg	Private	Ok
UserEntOrg	User	Public	Ok
UserEntOrg	UserEntOrg	Public	403 Error

Can anyone help me understand what needs to be updated? Is it the repo or action that is failing authorization? How do I track that down?

Update: I just tried downloading the artifact from the same repo where this action is run from, so not even from a different repo, and received the 403 error.

The workflow file is pretty basic:

on:
  workflow_dispatch:
    inputs:
      org:
        description: 'Project to sign'
        default: 'fiddlermikey'
        required: true
      repo:
        description: 'Project to sign'
        default: 'integ-testing'
        required: true

jobs:
    runs-on: windows-latest

    steps:
    - name: Download Release Asset
      uses: robinraju/[email protected]
      with:
        repository: "${{ github.event.inputs.org }}/${{ github.event.inputs.repo }}"
        token: ${{ secrets.TEST_PRIVATEACCESS }} # Org-level secret defined using personal PAN
        latest: true
        fileName: "*.zip"

[fiddlermikey]

I found the github-api-key was the problem, at least for public repos. Our company uses an Enterprise Account and it seems to be a required parameter in my case. I still cannot download from private repos. Is this by design?

[robinraju]

@fiddlermikey I recently added support for GH Enterprise as part of this issue #463
It was added after the release of v1.4. You should be able to use it by specifying the commit hash from the main branch as follows.
A new input needs to be specified for Enterprise server github-api-url

- uses: robinraju/release-downloader@0ea540940ee276d96c1b1aaed5e1118aaabdcec2
  with:
    repository: "owner/repo"
    latest: true
    fileName: "foo.zip"
    token: "your token"
    github-api-url: "https://[enterprise-hostname]/api/v3"

Can you try this and let me know if it works for you?

[fiddlermikey]

Yes, I added the comment/answer above yours. I found the issue while scanning through the yml/js sources. Thank you for the quick reply. This action is going to make my task much easier.

Question: Should this work on private repos or only public ones?

[robinraju]

It should work on a private repo as long as the token created allow access to the repo.
I haven't used GH enterprise before, but if your repo has a custom domain, I think the new input github-api-url which ends with /api/v3 should be specified as well.

[fiddlermikey]

Thank you for your responses.

It should work on a private repo as long as the token created allow access to the repo. I haven't used GH enterprise before, but if your repo has a custom domain, I think the new input github-api-url which ends with /api/v3 should be specified as well.

I created a PAT for my user with every permission applied. I added the key to my Organization secrets (TEST_PRIVATEACCESS ) and pass that secret name as the token (token: ${{ secrets.TEST_PRIVATEACCESS }} but I still cannot download a private repo.

The log shows the permissions below. Is there an additional permission I need to make this work?

    GITHUB_TOKEN Permissions - default GITHUB_TOKEN
    Actions: write
    Checks: write
    Contents: write
    Deployments: write
    Discussions: write
    Issues: write
    Metadata: read
    Packages: write
    Pages: write
    PullRequests: write
    RepositoryProjects: write
    SecurityEvents: write
    Statuses: write

[robinraju]

@fiddlermikey I'm not sure why its still failing for you. It should work if the token is created as described here: https://docs.github.com/en/[email protected]/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token
Basically, you just need the repo permission set.

Could you please paste your workflow step here? I can verify if you're missing something.
Please check the following

• Personal access token with access to repo
• Github API URL. default is api.github.com. If your company has a different domain, check that.