Install GitHub Package via SSH

I have a private repo with a GitHub package that gets created in a GitHub Action. From my personal machine, I can install it via:

"@myOrg/myRepo": "^1.0.0"

However, when I try to install this repo elsewhere I run into problems since it is a private repo. I know there are some limitations with access rights etc., so I found that I need to install via git+ssh. So I try this:

"@myOrg/myRepo": "git+ssh://git@github.com:myOrg/myRepo.git#semver:^1.0.0"

This works but it doesn’t install the package - it only installs the git commit. So, I’m trying to determine, is there a way to do an npm install via ssh of a GitHub package, not a commit. Any ideas?

Hi @bdsanfelippo,

I have an example here that demonstrates installing a package from a private repository:

You can see here where I’m doing:

npm install jcansdale/private-npm-package#semver:^1.0.0

…which results in version 1.0.3 being installed:

+ @jcansdale/private-npm-package@1.0.3
added 1 package and audited 1 package in 1.347s
found 0 vulnerabilities

This works but it doesn’t install the package - it only installs the git commit. So, I’m trying to determine, is there a way to do an npm install via ssh of a GitHub package, not a commit. Any ideas?

I’m confused about what you mean by, it installs the git commit but not the package? Is what you’re doing different to my example?

Thanks,
Jamie.

Hi Jamie,

Thanks for your help!

In GitHub Actions, a private repository cannot be installed except via a personal access token or by ssh. I wanted to try the ssh option so I was trying to install via ssh.

However, installing via ssh does not actually install the package; instead, it installs a commit. I am trying to understand if there is a way to install a package via ssh.

As per the npm documentation for the npm install <git remote url> available from https://docs.npmjs.com/cli/install

<protocol> is one of git, git+ssh, git+http, git+https, or git+file.
If #<commit-ish> is provided, it will be used to clone exactly that commit. If the commit-ish has the format #semver:<semver>, <semver> can be any valid semver range or exact version, and npm will look for any tags or refs matching that range in the remote repository, much as it would for a registry dependency. If neither #<commit-ish> or #semver:<semver> is specified, then the default branch of the repository is used.

So it is doing the correct thing in installing a commit as you say, but should be using the semver as guidance to locate the correct commit-ish object in the repository, with a default branch fallback.

Do you want it to install a packed .tgz file rather than the source from a particular commit?
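The resolution step the quoted npm documentation describes, as an added example that is not part of the original thread and is not npm's own code: a `#semver:` spec is matched against the remote's tags and ends up as a single commit, which is why the install delivers source from that commit rather than a packed .tgz. The `git ls-remote` output is constructed, the function names are hypothetical, and the sketch handles only caret ranges and tags (no branches, no prerelease matching).

```javascript
// Constructed sample of `git ls-remote` output; object ids are placeholders.
const sha = (c) => c.repeat(40);
const LS_REMOTE = [
  `${sha('1')}\trefs/tags/v0.9.0`,
  `${sha('2')}\trefs/tags/v1.0.0`,
  `${sha('3')}\trefs/tags/v1.0.3`,     // annotated tag object
  `${sha('4')}\trefs/tags/v1.0.3^{}`,  // commit that the annotated tag points at
  `${sha('5')}\trefs/tags/v1.1.0-beta.1`,
  `${sha('6')}\trefs/tags/v2.0.0`,
  `${sha('7')}\trefs/heads/package`,
].join('\n');

// "v1.0.3" or "1.0.3" -> numeric parts plus a prerelease flag; null if not a version.
function parseVersion(name) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(name);
  return m && { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) };
}

const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Caret range: at least `base`, with everything up to the first non-zero part fixed.
function satisfiesCaret(v, base) {
  if (v.pre || cmp(v.nums, base) < 0) return false; // simplification: skip prereleases
  const fixed = base[0] > 0 ? 1 : base[1] > 0 ? 2 : 3;
  return base.slice(0, fixed).every((n, i) => n === v.nums[i]);
}

// Hypothetical helper: pick the highest matching tag and the commit it resolves to.
function resolveSemverRef(lsRemote, spec) {
  const range = /^semver:\^(\d+)\.(\d+)\.(\d+)$/.exec(spec);
  if (!range) throw new Error(`unsupported commit-ish in this sketch: ${spec}`);
  const base = range.slice(1).map(Number);
  const byTag = new Map();
  for (const line of lsRemote.split('\n')) {
    const [id, ref] = line.trim().split(/\s+/);
    if (!ref || !ref.startsWith('refs/tags/')) continue;
    const peeled = ref.endsWith('^{}');
    const tag = ref.slice('refs/tags/'.length).replace(/\^\{\}$/, '');
    const version = parseVersion(tag);
    if (!version || !satisfiesCaret(version, base)) continue;
    // For annotated tags, prefer the peeled line: it names the commit itself.
    if (peeled || !byTag.has(tag)) byTag.set(tag, { tag, commit: id, version });
  }
  const hits = [...byTag.values()].sort((a, b) => cmp(b.version.nums, a.version.nums));
  return hits.length ? { tag: hits[0].tag, commit: hits[0].commit } : null;
}
```

With the sample refs, `semver:^1.0.0` resolves to tag `v1.0.3` and its peeled commit; recording that commit id alongside the dependency gives a fixed point to audit, since a tag can later be moved to different content.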

@jcansdale,

Yes. I want to install the packed .tgz package. I guess I was thinking of that as the “actual npm module”.

The reason why is that I have a TypeScript library. When the .tgz is packaged, all transpilation occurs. If I do an npm install of a commit, I don’t have the transpilation done and would have to do it in a postinstall script or something like that.

So I guess I’m trying to do an npm install of a .tgz over ssh. Is that possible?

@bdsanfelippo,

So I guess I’m trying to do an npm install of a .tgz over ssh. Is that possible?

I agree this would be nice, but I don’t think it’s possible.

The reason why is that I have a TypeScript library. When the .tgz is packaged, all transpilation occurs. If I do an npm install of a commit, I don’t have the transpilation done and would have to do it in a postinstall script or something like that.

What you could do is create a GitHub Actions workflow that publishes your package to a Git rather than a package registry.

Here’s a workflow that will create a package and publish it to a branch called package.

name: Publish package to Git

on:
  push:
    branches: [ master ]

jobs:
  publish-to-git:
    name: Publish to Git
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: actions/checkout@v1
      - name: setup Node
        uses: actions/setup-node@v1
        with:
          node-version: 12.x
      - name: install
        run: npm install
      - name: pack
        run: npm pack
      - name: Publish to Git
        run: |          
          tar -xzvf *.tgz
          cd package
          git init
          git checkout -b package
          git remote add origin https://token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}
          git fetch
          git reset origin/package
          git add .
          git config --global user.email "you@example.com"
          git config --global user.name "Package Publisher"
          git commit -m "Built package from ${{ github.sha }}" --allow-empty
          git push --set-upstream origin package

You can then install the package using:

npm install OWNER/REPOSITORY_NAME#package

It would be an idea to also publish package versions to a branch (or tag) with the same name as the version. In fact, you could do this by creating a release from the package branch. That way you could also use the #semver:^1.0.0 form, e.g.:

npm install OWNER/REPOSITORY_NAME#semver:^1.0.0

Do you think that would work?