Summary
Using setup-job-workspace-action (which replaces GITHUB_WORKSPACE with a symlink) followed by actions/checkout@v6 causes a credential authentication failure with:
fatal: could not read Username for 'https://github.com/': terminal prompts disabled
Root cause
actions/checkout@v6 changed how it stores credentials (compared to v5). Instead of writing http.https://github.com/.extraheader directly into .git/config, it now writes includeIf "gitdir:..." directives that reference the credential config file:
[includeIf "gitdir:/home/runner/work/repo/repo/.git"]
path = /home/runner/work/_temp/git-credentials-<uuid>.configThe gitdir: path is derived from GITHUB_WORKSPACE, which is a symlink after setup-job-workspace-action runs.
Git resolves symlinks when evaluating gitdir: conditions, so the resolved .git path (the real path) never matches the symlink-based path in includeIf. As a result, the credential config file is never loaded and the fetch fails.
This is tracked upstream in actions/checkout#2393.
Steps to reproduce
jobs:
build:
runs-on: [self-hosted]
steps:
- uses: DeNA/setup-job-workspace-action@v4 # GITHUB_WORKSPACE becomes a symlink here
- uses: actions/checkout@v6 # writes includeIf with symlink path → auth failsExpected behavior
actions/checkout@v6 should authenticate successfully regardless of whether GITHUB_WORKSPACE is a symlink.
Actual behavior
Setting up auth
/usr/bin/git config --local includeIf.gitdir:/home/runner/work/repo/repo/.git.path \
/home/runner/work/_temp/git-credentials-<uuid>.config
Fetching the repository
Error: fatal: could not read Username for 'https://github.com/': terminal prompts disabled
The gitdir: condition uses the symlink path, but git evaluates it against the real resolved path — they never match.
Workarounds
- Pin to
actions/checkout@v5 — v5 writes credentials directly into .git/config as http.https://github.com/.extraheader, which is unaffected by symlinks.
Notes
- The fix for
actions/checkout is proposed in actions/checkout#2394 (resolve symlinks before writing gitdir: paths), but has not been released yet.
- This action's own
actions-test.yml avoids the issue by using persist-credentials: false in its integration tests, but the README examples do not mention this caveat.
Summary
Using
setup-job-workspace-action(which replacesGITHUB_WORKSPACEwith a symlink) followed byactions/checkout@v6causes a credential authentication failure with:Root cause
actions/checkout@v6changed how it stores credentials (compared to v5). Instead of writinghttp.https://github.com/.extraheaderdirectly into.git/config, it now writesincludeIf "gitdir:..."directives that reference the credential config file:The
gitdir:path is derived fromGITHUB_WORKSPACE, which is a symlink aftersetup-job-workspace-actionruns.Git resolves symlinks when evaluating
gitdir:conditions, so the resolved.gitpath (the real path) never matches the symlink-based path inincludeIf. As a result, the credential config file is never loaded and the fetch fails.This is tracked upstream in actions/checkout#2393.
Steps to reproduce
Expected behavior
actions/checkout@v6should authenticate successfully regardless of whetherGITHUB_WORKSPACEis a symlink.Actual behavior
The
gitdir:condition uses the symlink path, but git evaluates it against the real resolved path — they never match.Workarounds
actions/checkout@v5— v5 writes credentials directly into.git/configashttp.https://github.com/.extraheader, which is unaffected by symlinks.Notes
actions/checkoutis proposed in actions/checkout#2394 (resolve symlinks before writinggitdir:paths), but has not been released yet.actions-test.ymlavoids the issue by usingpersist-credentials: falsein its integration tests, but the README examples do not mention this caveat.