actions/checkout "could not read Username: terminal prompts disabled" in CI
git needs credentials for a private HTTPS remote and found none, so it tried to prompt for a username. CI has no terminal, so git aborts with "terminal prompts disabled". The remote is private and no token was supplied to that fetch.
What this error means
A checkout or submodule fetch fails with "fatal: could not read Username for 'https://github.com': terminal prompts disabled". Public repos clone fine; the failure is always on a private repo or private submodule.
fatal: could not read Username for 'https://github.com': terminal prompts disabled
fatal: clone of 'https://github.com/acme/private-lib.git' into submodule path failedCommon causes
The default GITHUB_TOKEN cannot read another private repo
actions/checkout authenticates the main repo with the automatic GITHUB_TOKEN, but that token is scoped to the current repository. A private submodule or second repo it does not cover gets an anonymous request, and git prompts.
A raw git clone step ran without embedding a token
A hand-written git clone https://github.com/org/repo step (outside actions/checkout) sends no credentials, so git falls back to prompting and fails.
How to fix it
Pass a token that can read every repo you fetch
- Create a PAT or GitHub App token with read access to the private submodule/repo.
- Store it as a secret and hand it to actions/checkout via the
tokeninput. - For submodules, the same token is reused when
submodulesis set.
- uses: actions/checkout@v4
with:
submodules: recursive
token: ${{ secrets.REPO_READ_PAT }}Rewrite HTTPS to an authenticated URL for raw clones
If you must clone by hand, inject the token into the URL via an insteadOf rewrite instead of an inline credential.
git config --global url."https://x-access-token:${{ secrets.REPO_READ_PAT }}@github.com/".insteadOf "https://github.com/"
git clone https://github.com/acme/private-lib.gitHow to prevent it
- Use a token with read scope for every private repo a job touches, not just the current one.
- Prefer actions/checkout with
tokenandsubmodulesover hand-written clone steps. - Never rely on the default GITHUB_TOKEN to reach a different private repository.