Installing private npm packages from GitHub Package Registry

The repo has a .npmrc file with registry=https://npm.pkg.github.com/ownername so that it can npm install private GitHub Package Registry packages from the same ownername. It works locally as ~/.npmrc has an access token set up.

The action I have for running tests:

name: Node CI

on:
  pull_request:
    branches:
      - master
  push:
    branches:
      - master

jobs:
  build:
    runs-on: ubuntu-latest

    strategy:
      matrix:
        node-version: [13.x]

    steps:
      - uses: actions/checkout@v1
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v1
        with:
          node-version: ${{ matrix.node-version }}
          registry-url: https://npm.pkg.github.com/
          scope: '@ownername'
      - name: npm install, build, and test
        run: |
          npm ci
          npm run build --if-present
          npm run validate
        env:
          CI: true
          NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}

Gives the error:

npm ERR! 404 Not Found - GET https://npm.pkg.github.com/download/@ownername/[...]

What am I doing wrong here? I added the registry-url/scope and NODE_AUTH_TOKEN because it was having authentication issues accessing the private GPRs in the same ownername. I would have thought this would have been far more intuitive considering a lot of users will be wanting to create private GPRs and they can’t even run CI Actions with GPR because they’re private?

3 Likes

The workaround I’m using still doesn’t seem correct, anyway what I have done is instead of:

NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}

I am now using:

NODE_AUTH_TOKEN: ${{ secrets.GPR_ACCESS_TOKEN }}

What I did was create a secret in the repo named “GPR_ACCESS_TOKEN” and its value is an access token I’ve created on my GitHub Account with the permission of: read:packages - That’s the only permission required to get it to work. Not sure why GITHUB_TOKEN doesn’t work since I’m pretty sure I read it has at least that privilege?

2 Likes

Hi rynz,

GITHUB_TOKEN’s permissions are limited to the repository that contains your workflow.

Please refer to this document:
https://help.github.com/en/actions/automating-your-workflow-with-github-actions/authenticating-with-the-github_token#about-the-github_token-secret

If your packages are in a different repo from the current repo which contains your workflow, you need a token with permissions that aren’t available in the GITHUB_TOKEN. You can create a personal access token and set it as a secret in your repository.

3 Likes
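
The personal-access-token approach from the replies above, written out as an added example that is not part of the original thread: the workflow from the question, with the token exposed only to the step that downloads packages. GPR_ACCESS_TOKEN is the secret name from the workaround post and ownername is the placeholder from the question; splitting the install into its own step is an assumption made here to limit where the token is visible, not something the posters described.

```yaml
name: Node CI

on:
  pull_request:
    branches:
      - master
  push:
    branches:
      - master

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v1
      - name: Use Node.js 13.x
        uses: actions/setup-node@v1
        with:
          node-version: 13.x
          # setup-node writes an .npmrc that maps the scope to this registry
          # and reads the token from the NODE_AUTH_TOKEN environment variable.
          registry-url: https://npm.pkg.github.com/
          scope: '@ownername'

      # Only this step fetches private packages, so only this step gets the token.
      - name: Install dependencies
        run: npm ci
        env:
          # Repository secret holding a personal access token with read:packages only.
          # GITHUB_TOKEN is limited to the repository that contains the workflow.
          NODE_AUTH_TOKEN: ${{ secrets.GPR_ACCESS_TOKEN }}

      # Build and test scripts run without the token in their environment.
      - name: Build and test
        run: |
          npm run build --if-present
          npm run validate
        env:
          CI: true
```

Repository secrets are not passed to workflows triggered by pull requests from forks, so the install step fails on those runs instead of handing the token to untrusted code.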

I’ve spent quite some time trying to install a package and finally figured the token doesn’t have access to the package in the same organisation. Packages are even displayed as “top level” entity in the org, and isn’t that the whole point to build and install private packages from other repos in the same org? The GITHUB_TOKEN should have access to that. Personal access tokens can’t be scoped to an organisation, that means my PAT can be used to access all packages across all my organisations.

Hi PatrickHeneise, 

For now, GITHUB_TOKEN doesn’t have permission to access a private package outside the current repo.

You could share your idea in the Feedback form for GitHub Actions. Thank you for your understanding.

3 Likes

Is there any progress?

The GITHUB_TOKEN should have access to that. Personal access tokens can’t be scoped to an organisation, that means my PAT can be used to access all packages across all my organisations.

This point is very important for us, if sharing partial different projects or packages with our partners.

Packages are even displayed as “top level” entity in the org, and isn’t that the whole point to build and install private packages from other repos in the same org?

So we really want this feature. Otherwise we must create accounts only for customer projects’ CI every time our new partners increase, only to access our private repositories.

2 Likes