Npm install fails with package.json containing a private repository url with git+https

I followed this guide:

and created a personal access token for my account:

this is what I have in my package.json in another project:

    "my-private-repo": "git+https://<my-personal-access-token>:x-oauth-basic@github.com/my-org/my-private-repo.git",

Two strange things are happening during npm install in my workflow:

  1. I receive a bunch of these npm WARN tar ENOENT: no such file or directory messages, I don’t know if they are related to the problem in 2.)

  2. installation fails with Permission denied

Here’s my workflow file (I added persis-credentials: false after reading Cannot install npm module from a github private repository):

name: Build
# This workflow is triggered on pushes to the repository.
on: [push]

jobs:
  build:

    services:
      mongodb:
        image: mongo:4.2
        ports:
          - 27017:27017

    runs-on: self-hosted
    container: my-org/my-org-base
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          persist-credentials: false

      - name: Use Node.js
        uses: actions/setup-node@v1
        with:
          node-version: '8.17.0'

      - name: Install
        run: npm install

      - name: Bundle
        run: npm run build

      - name: Run unit tests
        env:
          MONGOLAB_URI: mongodb
        run: |
          ./version.sh
          npm run test-unit

      - name: Run client tests
        run: npm run test-client

      - name: Run integration tests
        env:
          MONGOLAB_URI: "mongodb://mongodb"
        run: npm run test-integration

Let me help you troubleshoot this issue.

  1. Please run
git config --local -l

and check the authorization token in http.https://github.com/.extraheader=AUTHORIZATION: basic .

  1. Could you please run npm install command directly in a run script? You could store your PAT in secrets.
 - name : install private github repo
   run: |
       npm install git+https://$ANOTHER_TOKEN:x-oauth-basic@github.com/my-org/my-private-repo.git
   env: 
       ANOTHER_TOKEN: ${{ secrets.YourPAT }}
  1. Please try to run your job on ubuntu-latest runner , will npm install step succeed?
4 Likes

and check the authorization token in http.https://github.com/.extraheader=AUTHORIZATION: basic .

Because this is happening on a self-hosted runner I assume I should have this configuration on the machine that hosts the actions-runner. Is that correct?

I suspect it is the credential stored for your git client (on your self-hosted runner machine) caused Permission denied issue when try to install your private repo.
The actions/checkout@v2 will persist the auth in a git extraheader config in default. If you set persis-credentials: false , there will no extraheader in git config .
So I want you to run git config --local -l to see whether there is the local git config of extraheader. You need to change working directory to the work folder of the self-hosted runner .

If there is no extraheader in your git config, could you please run
npm install git+https://:x-oauth-basic@github.com/my-org/my-private-repo.git in your local machine under the work folder of your runner? What’s the result?

Surprisingly, this worked:

Could you please run npm install command directly in a run script? You could store your PAT in secrets.

Here’s the output from the build step:

After this, I didn’t try npm install git+https://:x-oauth-basic@github.com/my-org/my-private-repo.git in my local machine under the work folder of the runner. After the above output, I expect it to be successful.

Here’s the output of git config --local -l from the action-runner/_work/my-project/my-project folder:

$ git config --local -l
core.repositoryformatversion=0
core.filemode=true
core.bare=false
core.logallrefupdates=true
remote.origin.url=https://github.com/akoskm/my-project
remote.origin.fetch=+refs/heads/*:refs/remotes/origin/*
gc.auto=0
branch.develop.remote=origin
branch.develop.merge=refs/heads/develop
1 Like