I talked to a friend about the GitHub actions/checkout action failing with a 400 error (see 20250906064710) and they researched it for a bit.
They found this GitHub repository: https://github.com/chrisliebaer/gitea-actions-fix/
The repository describes a few problems with using GitHub actions in Gitea (of which Forgejo is a hard fork) and fixes them, including:
- SSH URLs for submodules and private submodules don't work due to lack of authentication
- LFS checkout fails because the request to the server is malformed
- Private actions cannot be checked out because the runner token can't access the repository
In general, it seems like all of these problems happen because actions/checkout doesn't do authentication properly (in particular, it sends a double auth header instead of using the credential helper) and Gitea and Forgejo are more strict about what can be done with the runner token.
Looking through the links, I find a workaround in a comment for actions/checkout#1830:
```yaml
- uses: actions/checkout@v4
  with:
    persist-credentials: 'true' # Optional; should be the default
- name: Checkout lfs
  run: |
    git lfs install --local
    AUTH=$(git config --local http.${{ github.server_url }}/.extraheader)
    git config --local --unset http.${{ github.server_url }}/.extraheader
    git config --local http.${{ github.server_url }}/${{ github.repository }}.git/info/lfs/objects/batch.extraheader "$AUTH"
    git lfs pull
```
Updating the workflow to use this workaround fixes the problem. My workflow looked like this afterwards:
```yaml
- name: Checkout
  uses: actions/checkout@v4
  with:
    fetch-depth: 0
    lfs: false # Should be the default
- name: Checkout LFS
  run: |
    git lfs install --local
    # Read the auth header that actions/checkout stored for the whole server
    AUTH=$(git config --local http.${{ github.server_url }}/.extraheader)
    # Remove the server-wide header
    git config --local --unset http.${{ github.server_url }}/.extraheader
    # Re-add the header for the LFS batch endpoint only
    git config --local http.${{ github.server_url }}/${{ github.repository }}.git/info/lfs/objects/batch.extraheader "$AUTH"
    git lfs pull
```
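Added example (not from the original note or the linked comment): the three `git config` steps of the workaround, run against a scratch repository, with git's own URL matching (`git config --get-urlmatch`) showing that the persisted header goes from covering every URL on the server to covering only the LFS batch endpoint. The server URL, repository name, header value and object path are constructed placeholders, and it is an assumption that git-lfs resolves the key the same way git does.

```shell
#!/usr/bin/env bash
# Constructed placeholders: server, repository and header value are not real.
SERVER_URL="https://forgejo.example.test"
REPOSITORY="owner/repo"
HEADER="AUTHORIZATION: basic Y29uc3RydWN0ZWQ6dG9rZW4="
LFS_BASE="${SERVER_URL}/${REPOSITORY}.git/info/lfs/objects"

# Create a scratch repo in the state the checkout step leaves behind:
# one auth header configured for every URL on the server.
make_repo() {
  local repo
  repo=$(mktemp -d) || return 1
  git init -q "$repo" >/dev/null 2>&1 || return 1
  git -C "$repo" config --local "http.${SERVER_URL}/.extraheader" "$HEADER"
  printf '%s\n' "$repo"
}

# Print the extraheader git would attach to a request for URL $2 (empty if none).
header_for() {
  git -C "$1" config --local --get-urlmatch http.extraheader "$2" || true
}

# The three config steps of the workaround, run against repo $1.
rescope_to_lfs_batch() {
  local auth
  auth=$(git -C "$1" config --local "http.${SERVER_URL}/.extraheader") || return 1
  git -C "$1" config --local --unset "http.${SERVER_URL}/.extraheader" || return 1
  git -C "$1" config --local "http.${LFS_BASE}/batch.extraheader" "$auth"
}

# Report which request URLs carry the header: "yes" or "no" per URL.
# The object path 0123abcd is a constructed stand-in for an LFS object id.
report() {
  local url
  for url in "${LFS_BASE}/batch" "${LFS_BASE}/0123abcd" "${SERVER_URL}/${REPOSITORY}.git/info/refs"; do
    if [ -n "$(header_for "$1" "$url")" ]; then echo "yes $url"; else echo "no  $url"; fi
  done
}

repo=$(make_repo) && {
  echo "before:"; report "$repo"
  rescope_to_lfs_batch "$repo"
  echo "after:";  report "$repo"
  rm -rf "$repo"
}
```

Before the rescope all three URLs report `yes`; afterwards only the batch URL does, so the header from the checkout step is no longer attached to object or ref requests.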