Installing an npm module from a private GitHub repository

I am trying to run a build for a Node.js project using GitHub Actions. As part of the npm install, I need to install an npm module directly from a private GitHub repository (not from GPR!).

In the package.json I have:

"dependencies": {
  "my-module": "github:<org>/<my-module>#master",

However, when running npm install, I get:

npm ERR! Permission denied (publickey).
npm ERR! fatal: Could not read from remote repository.

The repository is part of my own organization, and locally (i.e. from my machine) it works. How can I make this run?

I have already tried setting the NODE_AUTH_TOKEN environment variable, but it didn’t make a difference. Although you find this suggestion quite often, it seems to only address GPR. What I would like to avoid is having to hardcode the token into the package.json file. Any thoughts on this?

1 Like

The command npm install is used to install packages from the npm package registry, not from the repositories where the resources of packages are stored.

And the dependencies property is used to set a list of _npm packages_ installed as development dependencies; it seems it does not support setting a repository as a dependency.

If you want to use a module directory from a repository as the dependency of your main project (the Node.js project), you can try to set this module as a submodule of the main project.

For more details about Git Submodules, you can refer here:

1 Like

Installing packages from GitHub repositories is allowed, and is mentioned in multiple places in the npm documentation:

npm install github:<githubname>/<githubrepo>[#<commit-ish>]

You are VERY close.  You need just a bit more hackery.

- name: Install NPM
  run: |
    sed -i 's/ssh:\/\/\/\/${{ secrets.NODE_AUTH_TOKEN }}' package.json
    cat package.json
    npm install

You can remove the “cat package.json” after you see it work.


Putting this into your package.json means that anybody with repo access has access to this GitHub auth token, so be careful with the permissions you give to this token.
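
An added example, not part of the thread or any poster's code: instead of writing the token into package.json with sed, git's url.<base>.insteadOf setting can rewrite the SSH URL at fetch time, so the token sits only in the runner's global git config and is removed after the install. The function names and the x-access-token user name are assumptions, and NODE_AUTH_TOKEN is assumed to hold a token with read access to the private repository.

```shell
#!/bin/sh
# Added example (not from the thread). Intended as the body of a workflow
# "run:" step with NODE_AUTH_TOKEN passed in through "env:".

GITHUB_HOST="github.com"

# HTTPS base URL carrying the token; the user name is an assumed placeholder.
token_base() {
  printf 'https://x-access-token:%s@%s/' "$1" "$GITHUB_HOST"
}

# Rewrite SSH-style GitHub URLs to token-bearing HTTPS in the global git
# config only. package.json and the repository contents are not modified.
configure_git_token_rewrite() {
  token="$1"
  [ -n "$token" ] || { echo "token is empty" >&2; return 1; }
  base="$(token_base "$token")"
  # --replace-all keeps the function idempotent across repeated calls.
  git config --global --replace-all "url.${base}.insteadOf" "ssh://git@${GITHUB_HOST}/"
  git config --global --add "url.${base}.insteadOf" "git@${GITHUB_HOST}:"
}

# Remove the rewrite, and with it the token, once dependencies are installed.
remove_git_token_rewrite() {
  git config --global --remove-section "url.$(token_base "$1")" 2>/dev/null || true
}

# Print the URL git would actually use, without contacting the remote.
resolved_url() {
  git ls-remote --get-url "$1"
}

# Runs only when a token is present in the environment.
if [ -n "${NODE_AUTH_TOKEN:-}" ]; then
  configure_git_token_rewrite "$NODE_AUTH_TOKEN"
  npm install
  status=$?
  remove_git_token_rewrite "$NODE_AUTH_TOKEN"
  exit "$status"
fi
```

Because nothing prints package.json or the git config, the token does not depend on log masking to stay out of the build output.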