Fine-grained token forbidden when pulling private repo but classic PAT works fine

[piotrekkr]

Select Topic Area

Question

Body

Hello. I'm testing new fine grained PAT and cannot seem to make it work. I can't checkout additional repo code from my org.

Here is my workflow where I'm testing it

name: 06 - Debug
on:
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  debug_job:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: echo 'OK' >> test.txt
      - name: Checkout main code
        uses: actions/checkout@v4
        with:
          # actual branch of PR
          ref: ${{ github.event.pull_request.head.sha }}
          path: main
      - name: Checkout demo-repo-b
        uses: actions/checkout@v4
        with:
          repository: ${{ github.repository_owner }}/demo-repo-b
          ref: main
          token: ${{ secrets.MY_PAT }}
          path: demo-repo-b
      - run: ls -la

MY_PAT is a fine grained token with access to all repositories (read for contents and metadata)

I'm also added as Admin to demo-repo-b

And I get this error:

  /usr/bin/git -c protocol.version=2 fetch --no-tags --prune --no-recurse-submodules --depth=1 origin +refs/heads/main*:refs/remotes/origin/main* +refs/tags/main*:refs/tags/main*
  remote: Write access to repository not granted.
  Error: fatal: unable to access 'https://github.com/<ORG>/demo-repo-b/': The requested URL returned error: 403
  The process '/usr/bin/git' failed with exit code 128
  Waiting 18 seconds before trying again
...

I also tried to change contents permission in PAT to read & write but it fails the same.

I also create classic PAT with full repo permissions, just to test if this will work. It worked without any issues.

Do I need to set some additional permissions in fine-grained PAT to be able to checkout code from repos? Thanks

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[piotrekkr]

Based on upvotes I can see that few people have similar issues. Anyone know why it is not working?