From a GH action, how do you pull an NPM module from another private repo in the same org?

From a GH action, how do you pull an NPM module from another private repo in the same org?

  1. I understand that GITHUB_TOKEN is scoped to only the repo running the action.
  2. I’ve read to use PAT instead

Ok, but how do you actually do it??

What are the steps. Where does it go?

There are the things I’ve done thus far…

- name: Install NPM Packages
        run: yarn install
        env:
          NODE_AUTH_TOKEN: ${{ secrets.PAT }}

FAIL

- name: Install NPM Packages
        run: yarn install
        env:
          _authToken: ${{ secrets.PAT }}

FAIL

- name: Install NPM Packages
        run: yarn install
        env:
          GITHUB_TOKEN: ${{ secrets.PAT }}

FAIL

- name: Install NPM Packages
        run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_AUTH_TOKEN }}" > ~/.npmrc

FAIL

I would think this is a really common use case, I’m surprised figuring this out is so cryptic.

@stoplion,

You can use the .npmrc to set the authorization information.
Here is a simple example to show how to that (more details see this repository):

  1. The .npmrc likes as this (see here):

    //npm.pkg.github.com/:_authToken=${PKG_AUTH_TOKEN}
    registry=https://npm.pkg.github.com/<owner>
    

    Replace “<owner>” with the name of the organization, use lowercase.

  2. The workflow likes as this (see here):

jobs:
  job1:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Setup node
        uses: actions/setup-node@v1
        with:
          node-version: 14

      - name: Download packages
        run: npm install @packagesrml/testnpm
        env:
          PKG_AUTH_TOKEN: ${{ secrets.PKG_AUTH_TOKEN }}