Npm install fails with package.json containing a private repository url with git+https

I followed this guide:

and created a personal access token for my account:

this is what I have in my package.json in another project:

    "my-private-repo": "git+https://<my-personal-access-token>",

Two strange things are happening during npm install in my workflow:

  1. I receive a bunch of these npm WARN tar ENOENT: no such file or directory messages, I don’t know if they are related to the problem in 2.)

  2. installation fails with Permission denied

Here’s my workflow file (I added persis-credentials: false after reading Cannot install npm module from a github private repository):

name: Build
# This workflow is triggered on pushes to the repository.
on: [push]


        image: mongo:4.2
          - 27017:27017

    runs-on: self-hosted
    container: my-org/my-org-base
      - name: Checkout
        uses: actions/checkout@v2
          persist-credentials: false

      - name: Use Node.js
        uses: actions/setup-node@v1
          node-version: '8.17.0'

      - name: Install
        run: npm install

      - name: Bundle
        run: npm run build

      - name: Run unit tests
          MONGOLAB_URI: mongodb
        run: |
          npm run test-unit

      - name: Run client tests
        run: npm run test-client

      - name: Run integration tests
          MONGOLAB_URI: "mongodb://mongodb"
        run: npm run test-integration

Let me help you troubleshoot this issue.

  1. Please run
git config --local -l

and check the authorization token in http. basic .

  1. Could you please run npm install command directly in a run script? You could store your PAT in secrets.
 - name : install private github repo
   run: |
       npm install git+https://$
       ANOTHER_TOKEN: ${{ secrets.YourPAT }}
  1. Please try to run your job on ubuntu-latest runner , will npm install step succeed?

and check the authorization token in http. basic .

Because this is happening on a self-hosted runner I assume I should have this configuration on the machine that hosts the actions-runner. Is that correct?

I suspect it is the credential stored for your git client (on your self-hosted runner machine) caused Permission denied issue when try to install your private repo.
The actions/checkout@v2 will persist the auth in a git extraheader config in default. If you set persis-credentials: false , there will no extraheader in git config .
So I want you to run git config --local -l to see whether there is the local git config of extraheader. You need to change working directory to the work folder of the self-hosted runner .

If there is no extraheader in your git config, could you please run
npm install git+ in your local machine under the work folder of your runner? What’s the result?

Surprisingly, this worked:

Could you please run npm install command directly in a run script? You could store your PAT in secrets.

Here’s the output from the build step:

After this, I didn’t try npm install git+ in my local machine under the work folder of the runner. After the above output, I expect it to be successful.

Here’s the output of git config --local -l from the action-runner/_work/my-project/my-project folder:

$ git config --local -l
1 Like