What permissions does a fine-grained token need in order to access a private repository for the checkout action?

[arnodunstatter]

From within a workflow I'm trying to perform the checkout action to clone a private repository other than that which contains the workflow (i.e. the workflow is within repository A, but I'm trying to clone repository B, both of which are private and within the same organization).

Since the secondary repository is private I understand "${{ github.token }} is scoped to the current repository, so if [I] want to checkout a different repository that is private [I] will need to provide [my] own PAT" as mentioned here.

I understand I have two options:

1. use a classic token
2. use a fine-grained token.

According to the documentation on managing your personal access tokens "GitHub recommends that you use fine-grained personal access tokens instead of personal access tokens (classic) whenever possible."

I tried to do this, but received an error which directed me to the Get a Repository header in the Rest API documentation, which says very simply: The fine-grained token must have the following permission set: "Metadata" repository permissions (read) so I remade the token with access to that repository and with the metadata having read only access.

Still no dice, now I get an error saying:

  "C:\Program Files\Git\bin\git.exe" -c protocol.version=2 fetch --no-tags --prune --no-recurse-submodules --depth=1 origin +refs/heads/development:refs/remotes/origin/development
  remote: Write access to repository not granted.
  Error: fatal: unable to access 'https://github.com/<my_organization>/<my_repository>/': The requested URL returned error: 403
  The process 'C:\Program Files\Git\bin\git.exe' failed with exit code 128

So then I made a new token and gave this one read access to metadata, and read and write access to both actions and workflows, but I just get the same error.

I was able to figure out a work around: I made my token with permissions as closely resembling those which are given to the default GITHUB_TOKEN. While this works for now, I would still like to know the minimal permissions necessary to make use of the checkout action.

Questions:

1. What are the minimal permissions necessary for a fine-grained token to enable the use of the checkout action?
2. Why does the checkout action need write access at all?

[FISHMANPET]

I made a token that had read on Contents and Metadata and I was able to checkout another private repository with no problem. I didn't read in your initial description that you actually gave it access to Contents so I wasn't sure if you'd done that initially or not.

I also use this running on an ubuntu-latest runner, whereas I see yours is Windows, though I would imagine that doesn't have any actual impact.

[Gekko0114]

I encountered the same issue. It would be appreciated if the guidance is written in the official document of this repo.