Npm publish - secrets.GITHUB_TOKEN not used because .npmrc exists

I have the following workflow to create and publish an npm package to GitHub Packages. It was copied verbatim from another repository where it works without issue. However, for this repo it says that the token (the built-in GITHUB_TOKEN) is missing scopes.

```yaml
# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
# For more information see:

name: Publish

on:
  push:            # trigger key is missing from the post; push is assumed
    branches:
    - master

jobs:
  publish:         # job id is missing from the post; this name is a placeholder
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v1
        with:
          node-version: 12
          scope: '@pageuppeopleorg'
      - run: npm i
      - run: npm run create
      - name: Bump version and push tag
        id: tag
        uses: anothrNick/github-tag-action@1.17.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          WITH_V: true
          RELEASE_BRANCHES: master
          DEFAULT_BUMP: patch
      - name: version
        run: npm --no-git-tag-version --allow-same-version version ${{ steps.tag.outputs.tag }}
      - name: publish
        run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Result of the publish step:

```
npm notice 
npm ERR! code E401
npm ERR! 401 Unauthorized - PUT - Your token has not been granted the required scopes to execute this query. The 'createPackageVersion' field requires one of the following scopes: ['write:packages'], but your token has only been granted the: ['read:packages', 'repo'] scopes. Please modify your token's scopes at:
```

As far as I am aware, the secrets.GITHUB_TOKEN should have packages:write. So I have no idea what is going on here. Anyone seen something similar?

UPDATE: Turns out the issue is that I had a .npmrc file checked in. The file has a token that granted read package access to GitHub Packages.

Checking this file in was intentional and a pattern we use in our private repositories. So I will change the question to: How do I get npm to use the secrets.GITHUB_TOKEN when a .npmrc file already exists?


First, you need to understand the restrictions of the GITHUB_TOKEN:

The permissions of GITHUB_TOKEN are limited to the repository that contains your workflow.
If you need a token that requires permissions that aren’t available in the GITHUB_TOKEN, you can create a personal access token and set it as a secret in your repository.

This means the scope of the GITHUB_TOKEN is only inside of the repository where the current workflow is running. If the scope you require is beyond the current repository, you need to create a personal access token to obtain more scopes.
You can reference the docs about Authenticating with the GITHUB_TOKEN to view more details.

If you have configured a .npmrc file for your npm package and want to use the GITHUB_TOKEN in the .npmrc file, you need to follow the steps below:

  1. In the workflow file:
  • when setting up node, do not set registry-url on the setup-node action.
  • set secrets.GITHUB_TOKEN as an environment variable in the workflow.

```yaml
- name: setup node
  uses: actions/setup-node@v1
  with:
    node-version: 12

# . . .

- name: publish
  run: npm publish
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

  2. In the .npmrc file, use the variable name you set in the workflow file to access the environment variable for the GITHUB_TOKEN.

The following is a simple example as reference:

Hi @brightran,
Thanks for the reply :slight_smile: The .npmrc file has a different token in it, more restrictive than the GITHUB_TOKEN. I want to leave that there, but for the GitHub Action workflow (specifically the publish step) I want to override the usage of that token with the GITHUB_TOKEN instead.


You can try using the sed command to replace the token with the GITHUB_TOKEN in the .npmrc file before executing the publish step. You may also need to use a regular expression in the sed command.
A simple example as reference:

```yaml
- name: replace token
  run: echo "$(sed 's/\(_authToken=\)[a-z0-9]*\($\)/\1${{ env.GITHUB_TOKEN }}\2/g' .npmrc)" > .npmrc
```
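
The two answers above combined, as an added example that is not part of the thread: a POSIX shell function that rewrites the checked-in `_authToken` value in the CI workspace to an environment-variable reference, so the secret is never written into the file or interpolated into the script text. The function name `npmrc_use_env_token`, the `@example-org` scope and the sample token are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread); names and sample data are constructed.

# Rewrite every "_authToken=<literal>" entry in an .npmrc to "_authToken=${VAR}".
# npm expands ${VAR} from the environment when it reads the file, so the
# secret is never stored in the workspace copy or pasted into the script.
npmrc_use_env_token() {
    file=$1
    var=${2:-NODE_AUTH_TOKEN}
    # The name is spliced into a sed script, so accept only [A-Za-z_][A-Za-z0-9_]*.
    case $var in
        [0-9]*|*[!A-Za-z0-9_]*) echo "invalid variable name: $var" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # [^[:space:]]* matches any token alphabet, not only lowercase hex.
    if ! sed "s|\(_authToken=\)[^[:space:]]*|\1\${$var}|" "$file" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    # Refuse to continue when nothing was rewritten, so the publish step
    # cannot silently run with whatever credentials npm finds elsewhere.
    if ! grep -qF "_authToken=\${$var}" "$tmp"; then
        rm -f "$tmp"; echo "no _authToken entry in $file" >&2; return 3
    fi
    # Overwrite in place (keeps the file's mode), then drop the temp copy.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample .npmrc with a placeholder read-only token.
    printf '%s\n' '@example-org:registry=https://npm.pkg.github.com/' \
        '//npm.pkg.github.com/:_authToken=0123abcdPLACEHOLDER' > "$dir/.npmrc"
    npmrc_use_env_token "$dir/.npmrc" NODE_AUTH_TOKEN && cat "$dir/.npmrc"
    rm -rf "$dir"
}
demo
```

In the workflow, call the function on the checked-out `.npmrc` in the same step as `npm publish`, with `NODE_AUTH_TOKEN` set from `secrets.GITHUB_TOKEN` in that step's `env`. The committed file in the repository keeps its original, more restrictive token.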