Cloning private github repository within organisation in actions

I have 2 private GitHub repositories (say A and B) in the organization (say ORG). Repository A has repository B in requirements.txt:

-e git+git@github.com:ORG/B.git#egg=B

And I have the following workflow for A (in .github/workflows/test.yml):

name: Python package

on: push

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v1

    - name: Install requirements
      run: |
        pip install -r requirements.txt

    - name: Test with pytest
      run: |
        pytest ./tests

As B is private, it fails on installing it.

Is it possible to install B while testing A in this workflow if they are in the same organization? How?

Since access tokens are bound to an account and have write access to all its private repos, it's a very bad solution.

Instead, use deploy keys.

Deploy keys are simply SSH keys that you can use to clone a repo.

1. Create a new SSH key pair on your computer
2. Put the public key in the private dependency repo's Deploy keys
3. Put the private key in the app repo's Actions secrets
4. Delete the keys from your computer

Once it's set, you can set the private key in the GitHub Action's SSH Agent. There's no need to import a third-party GitHub Action, a 2-liner will suffice.

eval `ssh-agent -s`
ssh-add - <<< '${{ secrets.PRIVATE_SSH_KEY }}'
pip install -r requirements.txt

I found that ssh-add command here.