UPDATE: Turns out the issue is that i had a .npmrc file checked in. The file has a token that granted read package access to github packages.

Checking this file in was intentional and a pattern we use in our private repositories. So I will change the question to: How do I get npm to use the secrets.GITHUB_TOKEN when a .npmrc file already exists?

@elexisvenator,

At first, you need to understand the restrictions of the GITHUB_TOKEN:

The permissions of GITHUB_TOKEN are limited to the repository that contains your workflow.
If you need a token that requires permissions that aren’t available in the GITHUB_TOKEN, you can create a personal access token and set it as a secret in your repository.

This means the scope of the GITHUB_TOKEN is only inside of the repository where the current workflow is running. If the scope you require is beyond the current repository, you need to create a personal access token to obtain more scopes.
You can reference the docs about Authenticating with the GITHUB_TOKEN to view more details.

If you have configured a .npmrc file for your npm package and want to use the GITHUB_TOKEN in the .npmrc file, you need to do the steps below:

1. In the workflow file,

• when setup node, do not set registry-url on the setup-node action.
• set secrets.GITHUB_TOKEN as an environment variable in the workflow.

- name: setup node
  uses: actions/setup-node@v1
  with:
    node-version: 12
. . .

name: publish

run: npm publish

env:

GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

2. In the .npmrc file use the variable name you set in the workflow file to access the environment variable for the GITHUB_TOKEN.

//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}

The following is a simple example as reference.:

TestGitHubPackagesRML/TestNpm/blob/080990526adbb61b0365e4b207d972de7d46dc77/.npmrc

//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}
registry=https://npm.pkg.github.com/testgithubpackagesrml

TestGitHubPackagesRML/TestNpm/blob/080990526adbb61b0365e4b207d972de7d46dc77/.github/workflows/CI.yml

# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages
name: CI
on: push
env:

MAIN_VER: 1
jobs:

publish_gpr:

name: Publish to GitHub Packages Registry

runs-on: ubuntu-latest

steps:

- name: Checkout code

uses: actions/checkout@v2
  - name: Setup node
    uses: actions/setup-node@v1

This file has been truncated. show original

Hi @brightran,
Thanks for the reply :slight_smile: The .npmrc file has a different token in it, more restrictive than the GITHUB_TOKEN. I want to leave that there, but for the the github action workflow (specifically the publish step) I want to override the usage of that token with the GITHUB_TOKEN instead.

Thanks @brightran, the sed command worked for me 😃

Using just wrap a npm preinstall step to echo //npm.pkg.github.com/:_authToken=$GITHUB_TOKEN >> .npmrc