Daniel Kaplan

Reputation: 67300

How do you use a composite action that exists in a private repository?

We have a bunch of health checks against third-party services. We want them to run periodically because when they go down it affects our app just like a bug in our code. Knowing that "it's them not us" reduces significant troubleshooting time.

We've set this health check up via GitHub Actions with a scheduled run, but we want a HealthCheck per third-party service. That way, the Slack message on failure will be very specific about what is down. But that is going to create a lot of duplicated yml content.

I discovered something called GitHub composite actions and it seems to be intended for solving this problem, but I can't find information about whether or not a composite action can live in a private repository.

The documentation of the uses key only mentions public repositories when it mentions repositories at all. Is there a way to make a composite action in a private repository and use it?

I tried making their hello world example, ran it, and it ran correctly. Then I made the action repo private, and the repo using the action's build failed saying:

Unable to resolve action `user/repo@v1`, repository not found

Upvotes: 14

Views: 13577

Answers (3)

Benjamin W.

Reputation: 52102

Update (February 2023): this is now possible without jumping through any extra hoops, making Debo's answer by far the simplest way.

The recent answer added by gmode uses an SSH key instead of a personal access token, avoiding the problem of the overly broad permissions granted by the PAT, and I recommend using that approach over the one described in my answer here.


Original answer:

You have to check out the repository containing your action using a personal access token first, then use a relative path to where you checked it out:

- name: Check out main repository
  uses: actions/checkout@v2

- name: Get composite run steps repository
  uses: actions/checkout@v2
  with:
    repository: myorg/myaction
    # Select revision
    ref: v1.0.0
    # Personal access token to check out private repository
    token: ${{ secrets.PAT_TOKEN }}
    # Indicate where to check action out to
    path: .github/myaction

- name: Run action from private repo
  uses: ./.github/myaction

This assumes that myaction is a repository with action.yml in its root directory. If that's not the case, the last uses step has to be adapted to use the correct path.

Notice that if you use Dependabot to update your actions, the private action reference won't be updated.

At some point in the future, actions from internal repositories are going to be natively supported; see this issue from the GitHub roadmap. However, as of October 2021, the issue was updated with the flag "github enterprise", meaning that it'll only be for GitHub Enterprise users.

Upvotes: 13

Debo

Reputation: 109

Unless I'm missing something obvious, since the 4th of March the functionality has been GA on dotcom, as per the previously tracked issue, making the above answer superseded. The only requirement now is for the private repo that contains the composites to allow access from other repos in the same org or enterprise. I hope it helps.

Upvotes: 10
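
The native approach described in this answer, as an added example that is not part of the original answer: a scheduled health-check workflow that references a composite action in a private repository directly, with no PAT or deploy key. The repository my-org/workflows, the actions subdirectory, the v1.0.0 tag, the two inputs and the secret name are assumptions for illustration.

```yaml
# .github/workflows/healthcheck-payments.yml in the consuming repository
# (constructed example; all names are placeholders)
name: Health check - payments API

on:
  schedule:
    - cron: '*/15 * * * *'   # every 15 minutes
  workflow_dispatch:         # allow manual runs while testing

# Keep the job token at read-only. No long-lived credential for the
# action repository is stored as a secret in this setup.
permissions:
  contents: read

jobs:
  healthcheck:
    runs-on: ubuntu-latest
    steps:
      # Resolved directly from the private repository. This only works when
      # my-org/workflows allows access from other repositories in the
      # organization (repository Settings > Actions > General > Access).
      # Without that setting the run fails with "repository not found".
      # A full commit SHA instead of the tag is a tighter pin.
      - name: Run shared health check
        uses: my-org/workflows/actions@v1.0.0
        with:
          service-url: https://status.example.com/health   # hypothetical input
          slack-webhook: ${{ secrets.SLACK_WEBHOOK_URL }}  # hypothetical input
```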

gmode

Reputation: 3740

I used this little example of composite actions from GitHub and modified it to use my private repository building on Benjamin's excellent answer.

jobs:
  hello_world_job:
    runs-on: ubuntu-latest
    name: A job to say hello
    steps:
      - uses: actions/checkout@v3
      - name: Get composite run steps repository
        uses: actions/checkout@v3
        with:
          # action file is located in another repo called workflows at /workflows/actions/action.yaml
          repository: my-org/workflows
          #  ref: mybranch  # in case it's not master branch
          # use deploy key instead of personal access token
          ssh-key: ${{ secrets.WORKFLOWS_DEPLOYMENT_KEY }}
          path: .github/workflows
      - id: foo
        uses: ./.github/workflows/actions
        with:
          who-to-greet: 'Mona the Octocat'
      - run: echo random-number ${{ steps.foo.outputs.random-number }}
        shell: bash

A few caveats:

  • Don't use a personal access token. It's not recommended for this use case. Instead, create a deployment key as described here to access one specific repository where your actions are stored.
  • Don't use actions/checkout inside your composite action yaml. The post action will fail even if the action itself succeeds.

Upvotes: 9
