Authentication
Some IVPM dependencies are private git repositories, or you may simply want to
avoid GitHub’s unauthenticated API rate limits when resolving GitHub releases.
The token input handles both.
Default token
By default the action uses ${{ github.token }} (the automatically-provided
workflow token). When a token is present, the action:
exports
IVPM_GIT_AUTH_ORDER=gh,httpsso IVPM prefers token-based auth;runs
gh auth setup-gitso the token is usable forhttpsclones.
The default workflow token has contents:read on the repository running the
workflow. That is enough for public deps and for private deps that live in the
same repo.
Private cross-repo dependencies
The default github.token cannot read other private repositories. If your
manifest pulls private deps from other repos, provide a Personal Access Token or
GitHub App token with contents:read on those repos:
- uses: fvutils/ivpm-setup@v1
with:
token: ${{ secrets.IVPM_DEPS_TOKEN }}
Store the token as an encrypted repository or organization secret — never inline it in the workflow.
How IVPM uses the auth order
IVPM_GIT_AUTH_ORDER controls the order IVPM tries git authentication methods
(for example gh,https or gh,ssh,https). The action sets gh,https when
a token is available; you can override it in later steps by exporting a different
value before invoking ivpm yourself.