This issue is still happening regardless whether one uses the GITHUB_TOKEN or the PERSONAL_ACCESS_TOKEN when the repository is Private.

Steps to reproduce.

1. Create a Private repository “packages”.

2. Add a folder for a basic package e.g. framework

3. Publish the package to GPR either using actions or from the terminal. (configure .npmrc) e.g.

package.json

{
  "name": "@YOUR_ORG/framework",
  "version": "1.0.0",
  "description": "framework package",
  "repository": {
    "type": "git",
    "url": "git://github.com/YOUR_ORG/packages.git"
  },
  "publishConfig": {
    "registry":"https://npm.pkg.github.com"
  },
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "dependencies": {
    "lodash": "^4.17.10"
  }
}

.npmrc

//npm.pkg.github.com/:_authToken=PERSONAL_ACCESS_TOKEN

index.json

console.log('framework');

4. Publish to GPR from with the framework folder.

   npm publish

5. The publish will be successful but the package cannot be installed even when the token is used. e.g. a consumer with

.npmrc

//npm.pkg.github.com/:_authToken=PERSONAL_ACCESS_TOKEN
@YOUR_ORG:registry=https://npm.pkg.github.com/

package.json

{
  "name": "consumer",
  "version": "1.0.0",
  "description": "consumer",
  "main": "index.js",
  "license": "MIT",
  "scripts": {
    "start": "node index.js"
  },
  "dependencies": {
    "@YOUR_ORG/framework": "^1.0.0"
  }
}

index.json

console.log('consumer');

6. You will see Errors like below: (YOUR_ORG is your organisation)

   npm ERR! code E404
   npm ERR! 404 Not Found - GET https://npm.pkg.github.com/download/@YOUR_ORG/framework/1.0.0/SOME_HASH
   npm ERR! 404
   npm ERR! 404 ‘@YOUR_ORG/framework@latest’ is not in the npm registry.
   npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
   npm ERR! 404
   npm ERR! 404 Note that you can also install from a
   npm ERR! 404 tarball, folder, http url, or git url.

You will also notice that the link to the Assets download on the packages page is “NOT FOUND when you hover over it”

https://notfound.pkg.github.com/

NOTE: this behaviour might not happen straight away in some cases, the NOT FOUND issue might start happening 30 to 45 minutes after the package has be published.

Your .npmrc is incorrect. It should look like this:

//npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_PERSONAL_TOKEN }}

Also you should do this only on the CI, because when someone checkouts the repo, it won’t work obviously. I have a step in the CI for this:

- name: Set up NPM authentication
  run: echo "//npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_PERSONAL_TOKEN }}" >> ~/.npmrc

Did you manage to get this working? I am getting the eact same error?

@krystof-k  The instructions I wrote above are mearnt to be sudo code and just a minimum guide on what someone needs to do to reproduce the issue, there are not mearnt to be a copy paste 100% accurate source code. You will have to properly write the variables and so on, but this not the issue here.

To fully understand the problem, create a sample package that is private roughly as I outlined in the steps with your correct variable configs and you will end up with the issue I reported. It does not matter whether you do it through github actions or from your local. The problem still exists and needs to be addressed otherwise GPR is not useful if people cannot reliably host and consume PRIVATE packages.

Facing the same issue with a private repository, can’t install the package and the assets link to https://notfound.pkg.github.com/. I changed the visibility to public and I was able to install the package. 

@wpitalloI am still having the problem, I contacted github support about it and took a week before some guy got back to me and told me that he escalated the issue and have not heard anything since then so I am just waiting for someone from there to respond either on this thread or in the support ticket.

I just don’t get how something as critical as this issue slipped through their testing and quality assurance. At the very minimum, I would expect that if someone is providing a Package Registry, they ensure that it reliably satisfies both public and private use cases.

Hmm, this is weird. In our repos it works fine (using the PAT). But we’re using Yarn, may that be the reason?

Since this issue evolved from the original question (and solution), see the new dedicated issue to here: https://github.community/t5/GitHub-API-Development-and/Github-package-registry-Private-package-not-found/m-p/40062/

npmrc:
registry=https://registry.npmjs.org/
@myOrganizationName:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=********** (Token generated from github)

This works for me. Thanks.

For everyone getting a 404 response even though everything seems correct: CHECK YOUR REPOSITORY FIELD.

I just spent 2 hours changing every line of my GitHub action and package.json and in the end, there was an outdated value in the repository field in the package.json. In my opinion the 404 error is really really not a helpful error message here.

Its the third quarter of 2121 and this issue still persists. SMH!! Any one of you remember how this was solved? I am having the EXACT same issue

As @ankri said, Make sure you generate a Personal Access Token with the appropriate scopes.

image1114×468 50.3 KB

I checked every box while generating my PAT just to be sure. But still 🙁

This (@joekaiser’s solution) was the solution that worked for me. Checking the workflow box allowed install to proceed. What’s strange is that the permission doesn’t describe the situation it needs to be checked for. Github really needs to expand that.