Checkouts in composite action override tokens from parent workflow

[mkesper]

This is not a bug but might be helpful for other people banging their head against the wall:
As we had several actions sharing deployment and testing I turned these steps into a composite action (https://docs.github.com/en/actions/tutorials/create-actions/create-a-composite-action#creating-a-composite-action-within-the-same-repository). The alternative was to call a workflow which is only possible on job level, not on steps level (D'oh!).
At the beginnging of the composite action you need to check out the repo to do anything with it.
This Github login overwrote my first login with a PAT, leading to not being able to push to main (due to branch protection) in only one constellation of my jobs...
Solution: Allow passing the PAT to the composite action and do the checkout with the (optional) input token.

Fixed minimal example:

Job:

# These are for the GITHUB_TOKEN only
permissions:
  contents: read

  deployStage:
    steps:
      - name: Check out code
        uses: actions/checkout@v5
        with:
          token: '${{ secrets.BOT_TOKEN }}'

      - name: Deploy to Production and test
        uses: ./.github/actions/deploy_stage
        with:
          token: '${{ secrets.BOT_TOKEN }}'

      - name: Commit to protected branch
      ...

.github/actions/deploy_stage/action.yml:

# Composite GitHub Action to deploy to a stage (staging or production) and run tests
name: Deploy Stage
description: 'Deploy to a stage (staging or production) and run tests'
inputs:
  token:
    description: 'GitHub token for committing changes'
    required: false
    default: '${{ github.token }}'

runs:
  using: "composite"
  steps:
    - name: Check out code
      uses: actions/checkout@v5
      with:  ## Without this, we would overwrite the parent token!
        token: ${{ inputs.token }}

[stefanzweifel]

Thanks for sharing @mkesper 👏

[mkesper]

To update: You don't actually need / want to do a checkout in a composite action. It really runs in the same context. Found that out when encountering another error (overriding a commit created in the Github action).