I have the following workflow:

jobs:
  pr-gate-checks:
    runs-on: ubuntu-latest
    env:
      NODE_ENV: development
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: '12.x'
          registry-url: 'https://npm.pkg.github.com'
          scope: '@mycompany'
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GIT_PACKAGE_TOKEN }}
      - name: Install dependencies
        uses: bahmutov/npm-install@v1
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GIT_PACKAGE_TOKEN }}

In my repo, in addition to numerous third-party dependencies, I have three private packages that are hosted in my organization’s GitHub Package Registry and are scoped with @mycompany.

The GIT_PACKAGE_TOKEN secret is an organization secret that provides the ability to read/write to GPR.

When the “Install dependencies” step runs, it errors with the following message:

npm ERR! code E404

31npm ERR! 404 Not Found - GET https://npm.pkg.github.com/download/@mycompany/my-problem-package/1.40.0/6e67644ba0e50193365c32bc60e5d8a0f207968d26f9d88e92a932aa9a8519f1

32npm ERR! 404

33npm ERR! 404 ‘@mycompany/my-problem-package@1.40.0’ is not in the npm registry.

34npm ERR! 404 You should bug the author to publish it (or use the name yourself!)

20npm ERR! 404

21npm ERR! 404 Note that you can also install from a

22npm ERR! 404 tarball, folder, http url, or git url.

I’ve confirmed GPR has the version of the dependency that I’m trying to install.

I also removed that dependency from my package.json and when I do that, the “Install dependencies” step is successful.

What’s interesting is that I temporarily created a Personal Access Token (PAT) and when I attempted to use that as the NODE_AUTH_TOKEN on a step that just runs npm install @mycompany/my-problem-package, it worked.

So it seems like there is a problem using the GIT_PACKAGE_TOKEN only on the one package. Why?