Installing npm packages from the GitHub package registry

In my action I want to install npm dependencies that are hosted on the GitHub package registry. There is Authenticating to GitHub Package Registry. This links to GITHUB_TOKEN secret

Reading this I thought I could do:

- name: npm install
  run: npm install
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

But this does not seem to work.

I came up with this code and it works. But I was wondering if there was another way:

- name: Authenticate with GitHub package registry
  run: echo "//npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_TOKEN }}" > ~/.npmrc
- name: npm install
  run: npm install
9 Likes

You should be able to use your GITHUB_TOKEN with GitHub Package Registry.  The npm application uses the environment variable NODE_AUTH_TOKEN, however.  So you’ll need to set that environment variable to the value of the GITHUB_TOKEN.  For example:

- name: npm publish
  run: npm publish
    env:
      NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
3 Likes

Thank you for your answer. It sadly does not work for me

I tried it like this:

- name: npm install
  run: npm install
  env:
     NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

and received:

npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"

When indenting env like you did in your example:

- name: npm install
  run: npm install
    env: # line 20
      NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

I receive this error:

Invalid workflow file

yaml: line 20: mapping values are not allowed in this context

Or do you mean actions/npm ?

Hi ankri,

Aren’t you confusing npm install and npm publish?

npm install doesn’t need any tokens to work.

npm publish uses the environment variable NODE_AUTH_TOKEN.

That said, like I have mentioned in my other thread, I have been unable to get it working with GITHUB_TOKEN. I only got it working with a personal access token.

Sorry, I should have mentioned that I want to download a package from a private github repository. To be able to install from the private repo I need to authenticate first.

1 Like

OK, I see. It’s ethomson that talked about npm publish, not you…

I’m also interested in the proper way of doing an npm install when you have dependencies that are stored in a private GitHub Package Registry.

For the flow @ethomson mentions you need to set up the .npmrc. We have a starter workflow that does it for publish but I think the configuration is the same.

https://github.com/actions/starter-workflows/blob/master/ci/npm-publish.yml#L35

publish-gpr:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: actions/setup-node@v1
        with:
          node-version: 12
          registry-url: https://npm.pkg.github.com/
          scope: '@your-github-username'
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
2 Likes

Hi @chrispat ,

Unfortunately, there seems to be a bug with actions/setup-node that prevents us from performing an npm publish to GPR using GITHUB_TOKEN. It works with a PAT.

Issues #49, #52 and #53 relate to this.

Indeed, theoretically, you are supposed to use:

with:
  registry-url: https://npm.pkg.github.com/
  scope: '@your-github-username'

and:

env:
  NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}

Then, actions/setup-node takes that info to set up .npmrc

Unfortunately, something is broken.

If you manually edit .npmrc like this…

name: NPM Publish to GitHub Package Registry

on: push

jobs:
  build:

    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master
    - uses: actions/setup-node@v1
      with:
        node-version: 12
    - run: echo "@peterhewat:registry=https://npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_TOKEN }}" > ~/.npmrc
    - run: npm publish

… the Action appears to succeed as you can see in my example.

Unfortunately, doing so, for some unknown reason, the package isn’t present in the GPR as you can see here:

https://github.com/PeterHewat/npm-publish-gpr2/packages

(version should be 0.0.3 … 0.0.1 was with a previous run using a PAT…)

1 Like

Not sure I edited my .npmrc correctly. It should have been:

- run: printf "//npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_TOKEN }}\n@peterhewat:registry=https://npm.pkg.github.com/" > ~/.npmrc
- run: npm publish

This gives me the same 500 Internal Server Error as when I use the “official” way mentioned by @chrispat (with: registry-url…).

1 Like

- name: Authenticate with GitHub package registry
  run: echo "//npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_TOKEN }}" > ~/.npmrc
- name: npm install
  run: npm install

This method did not work for me. Did you change something?

Do you have your packages on the same repo?

@peterhewat I think you’re right that you need to use a personal access token if your package is produced in another repo, at least for private repos. But I don’t think you need to modify ~/.npmrc manually. This worked for me (after adding a PAT secret with a read:packages scope):

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v1

    - uses: actions/setup-node@v1
      with:
        node-version: 12
        registry-url: https://npm.pkg.github.com/
        scope: '@hashtagchris'

    - run: npm ci
      env:
        NODE_AUTH_TOKEN: ${{secrets.READ_PACKAGES_PAT}}
9 Likes
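
An added example, not part of any post in this thread: the thread's manual steps write the token value into ~/.npmrc, whereas the NODE_AUTH_TOKEN approach only needs the file to name the variable, because npm expands `${VAR}` references in .npmrc when it runs. The sketch below writes such a file and checks an .npmrc for a token stored as plain text; `write_npmrc` and `find_literal_tokens` are hypothetical helper names and the sample token is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread; helper names are hypothetical.

# Write <dir>/.npmrc for one GitHub Packages scope. Single quotes keep
# ${NODE_AUTH_TOKEN} literal, so npm reads the token from the environment
# at run time and the secret itself is never stored in the file.
write_npmrc() {
  scope=$1   # for example @your-github-username
  dir=$2
  {
    printf '%s:registry=https://npm.pkg.github.com/\n' "$scope"
    printf '%s\n' '//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}'
  } > "$dir/.npmrc"
  chmod 600 "$dir/.npmrc"
}

# Report (as file:line, without echoing the value) every _authToken entry
# that is not a ${VAR} reference. Exit status 0 means at least one was found.
find_literal_tokens() {
  awk '/_authToken=/ && !/_authToken=[$][{][A-Za-z_][A-Za-z0-9_]*[}][ \t]*$/ {
         print FILENAME ":" NR; found = 1
       }
       END { exit !found }' "$1"
}

# Demo on constructed input; the token below is made up.
demo_dir=$(mktemp -d)
write_npmrc '@your-github-username' "$demo_dir"
printf '%s\n' '//npm.pkg.github.com/:_authToken=ghp_CONSTRUCTED_NOT_REAL' > "$demo_dir/leaky.npmrc"
find_literal_tokens "$demo_dir/.npmrc" || echo "generated .npmrc: token comes from the environment"
find_literal_tokens "$demo_dir/leaky.npmrc" && echo "leaky.npmrc: token stored in plain text"
rm -rf "$demo_dir"
```
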

Hi, we have had the same issues with yarn and npm - We’ve just released a github action that should fix your problems here: https://github.com/onomondo/github-auth-javascript-action

EDIT: Woops, sorry I didn’t see that this was for the GitHub package registry (which we don’t use) - but perhaps the method used in the action might give you some insights? Sorry. I can’t figure out how to delete this message 

I am using the approach which is described as working in the opening post:

- name: Authenticate with GitHub package registry
  run: echo "//npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_TOKEN }}" > ~/.npmrc
- name: npm install
  run: npm install

Unfortunately that does not work using the GITHUB_TOKEN that’s injected.

I tried a couple of things and ended up with using a personal access token instead of secrets.GITHUB_TOKEN

Now the install from Github Packages works, as well as the install of other npm packages.

It appears that the default injected token does not have the sufficient scopes but mine has?

Any help is appreciated, thank you in advance.

1 Like

The GITHUB_TOKEN only has access to its own repo; with a personal access token added to the “secrets” of the repo it works.

2 Likes

Thanks for this!

To clarify for future use what worked for me:
I added a personal access token (https://github.com/settings/tokens) that could "read:packages" only.

Copied the token and added as a secret in Travis CI called TRAVIS_GH_NPM_TOKEN

Then in my .travis.yml (the Travis config) I use it like this:

install:
  - npm config set registry https://npm.pkg.github.com/trustcruit
  - echo "//npm.pkg.github.com/:_authToken=${TRAVIS_GH_NPM_TOKEN}" > ~/.npmrc
  - npm install

Hope this helps any future webdev citizens that search for “github package registry private travis CI token”

3 Likes

I was facing the same issue, then I followed the steps below:

  1. Created a Personal Token from GitHub global settings (https://github.com/settings/tokens)
  2. Make sure this token has user, read and write permission for user and packages.
  3. Then added a new environment variable ‘MY_CUSTOM_TOKEN’ and pasted the generated token as its value.
  4. Reference the steps mentioned here https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets
  5. TL;DR:
    1. Under your repo’s settings (not GitHub global settings)
    2. In the left sidebar, click Secrets.
    3. Type a name for your secret in the “Name” input box.
    4. Type the value for your secret.
    5. Click Add secret.
  6. Then in the action YML script added a command to remove any existing .npmrc file ‘run: rm .npmrc’
  7. Then create a new file with the referenced customer token as _authToken=${{ secrets.MY_CUSTOM_TOKEN }}

Here is the whole code that I was using:

steps:
    - uses: actions/checkout@v2
    - name: Use Node.js ${{ matrix.node-version }}
      uses: actions/setup-node@v1
    - run: rm .npmrc
    - run: echo "//npm.pkg.github.com/:_authToken=${{ secrets.MY_CUSTOM_TOKEN }}" > ~/.npmrc
    - run: npm install
    - run: npm run build --if-present
    - run: npm publish
      env:
        CI: true

This did not have any issue in ‘npm install’ or ‘npm publish’.

The docs should update to clarify this or maybe GH can fix whatever’s broken internally. It’d be nice to NOT have to create a PAT for this.