title: Allowing a prebuild to access other repositories
shortTitle: Allow external repo access
intro: You can permit your prebuild to access other {% data variables.product.prodname_dotcom %} repositories so that it can be built successfully.
versions: fpt: *, ghec: *
type: how_to
topics: Codespaces, Set up
permissions: People with admin access to a repository can configure prebuilds for the repository.
product: {% data reusables.gated-features.codespaces-repo %}

By default, the {% data variables.product.prodname_actions %} workflow for a prebuild configuration can only access its own repository contents. Your project may use additional resources, located elsewhere, to build the development environment.

Allowing a prebuild read access to external resources

You can configure read access to other {% data variables.product.prodname_dotcom %} repositories, with the same repository owner, by specifying permissions in the devcontainer.json file used by your prebuild configuration. For more information, see "AUTOTITLE."

{% note %}

Notes:

  • You can only authorize read permissions in this way, and the owner of the target repository must be the same as the owner of the repository for which you're creating a prebuild. For example, if you're creating a prebuild configuration for the octo-org/octocat repository, then you'll be able to grant read permissions for other repositories, such as octo-org/octodemo, if this is specified in the devcontainer.json file, and provided you have the permissions yourself.
  • You can't use wildcards to specify repositories. You must define permissions for each repository for which you want to grant access.

{% endnote %}

When you create or edit a prebuild configuration for a devcontainer.json file that sets up read access to other repositories with the same repository owner, you'll be prompted to grant these permissions when you click Create or Update. For more information, see "AUTOTITLE."
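The following check is an added example, not part of the original article or of any GitHub tooling. It reads a devcontainer.json and reports entries that the rules above do not allow for a prebuild: wildcards, repositories with a different owner, and anything other than read access. It assumes the file is plain JSON without comments and that repository permissions are declared under the customizations.codespaces.repositories key; the function name and the sample file are constructed for illustration.

```python
import json

# Constructed sample: devcontainer.json for a prebuild of octo-org/octocat.
SAMPLE_DEVCONTAINER = """
{
  "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
  "customizations": {
    "codespaces": {
      "repositories": {
        "octo-org/octodemo":   {"permissions": {"contents": "read"}},
        "octo-org/*":          {"permissions": {"contents": "read"}},
        "other-org/tools":     {"permissions": {"contents": "read"}},
        "octo-org/deploy-cfg": {"permissions": {"contents": "write"}}
      }
    }
  }
}
"""

def lint_prebuild_access(devcontainer_text, prebuild_repo):
    """Return (repository, problem) pairs for entries a prebuild
    cannot be granted through devcontainer.json alone."""
    owner = prebuild_repo.split("/", 1)[0].lower()
    config = json.loads(devcontainer_text)  # assumption: no JSONC comments
    repos = (config.get("customizations", {})
                   .get("codespaces", {})
                   .get("repositories", {}))
    findings = []
    for name, entry in repos.items():
        if "*" in name:
            findings.append((name, "wildcard: list each repository explicitly"))
            continue
        if name.split("/", 1)[0].lower() != owner:
            findings.append((name, "different owner: needs CODESPACES_PREBUILD_TOKEN"))
        perms = entry.get("permissions", {})
        # "permissions" is either a mapping or a shorthand string such as "read-all".
        levels = {"(all)": perms} if isinstance(perms, str) else perms
        for scope, level in levels.items():
            if level not in ("read", "read-all"):
                findings.append((name, f"{scope}={level}: only read can be granted this way"))
    return findings

if __name__ == "__main__":
    for repo, problem in lint_prebuild_access(SAMPLE_DEVCONTAINER, "octo-org/octocat"):
        print(f"{repo}: {problem}")
```

Running a check like this in review keeps requests for write or cross-owner access visible before anyone falls back to a token-based grant.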

Allowing a prebuild write access to external resources

If your project requires write access to resources, or if the external resources reside in a repository with a different owner than the repository for which you are creating a prebuild configuration, you can use a {% data variables.product.pat_generic %} to grant this access.

You will need to create a new personal account and then use this account to create a {% data variables.product.pat_v1 %} with the appropriate scopes.

  1. Create a new personal account on {% data variables.product.prodname_dotcom %}.

    {% warning %}

    Warning: Although you can generate the {% data variables.product.pat_v1 %} using your existing personal account, we strongly recommend creating a new account with access only to the target repositories required for your scenario. This is because the access token's repository permission grants access to all of the repositories that the account has access to. For more information, see "AUTOTITLE" and "AUTOTITLE."

    {% endwarning %}

  2. Give the new account read access to the required repositories. For more information, see "AUTOTITLE."

  3. While signed into the new account, create a {% data variables.product.pat_v1 %} with the repo scope. Optionally, if the prebuild will need to download packages from the {% data variables.product.company_short %} {% data variables.product.prodname_container_registry %}, also select the read:packages scope. For more information, see "AUTOTITLE."

    Screenshot of the "Select scopes" configuration options for a {% data variables.product.pat_v1 %}, with the "repo" and "read:packages" scopes selected.

    If the prebuild will use a package from the {% data variables.product.company_short %} {% data variables.product.prodname_container_registry %}, you will need to either grant the new account access to the package or configure the package to inherit the access permissions of the repository you are prebuilding. For more information, see "AUTOTITLE." {% ifversion ghec %}

  4. Click Configure SSO and authorize the token for use with SAML single sign-on (SSO), so that it can access repositories that are owned by organizations with SSO enabled. For more information, see "AUTOTITLE."

    Screenshot of the "{% data variables.product.pat_v1_caps_plural %}" page. The "Configure SSO" button for a PAT is highlighted with a dark orange outline.

{% endif %}

  1. Copy the token string. You will assign this to a {% data variables.product.prodname_codespaces %} repository secret.
  2. Sign back into the account that has admin access to the repository.
  3. In the repository for which you want to create {% data variables.product.prodname_github_codespaces %} prebuilds, create a new {% data variables.product.prodname_codespaces %} repository secret called CODESPACES_PREBUILD_TOKEN, giving it the value of the token you created and copied. For more information, see "AUTOTITLE."

The {% data variables.product.pat_generic %} will be used for all subsequent prebuilds created for your repository. Unlike other {% data variables.product.prodname_codespaces %} repository secrets, the CODESPACES_PREBUILD_TOKEN secret is only used for prebuilding and will not be available for use in codespaces created from your repository.

Further reading