Publish and Consume private npm packages with GH registry

I am having a problem consuming a private npm package. Let me explain the setup.

S.P.A.

On push to master npm install, build, test, codecov and publish.

Main build

On push to master 

  • npm install which has @company/repo as dependency (npm ERR! 401 Unauthorized - GET https://npm.pkg.github.com/@company/repo

  • npm postinstall copy assets to build folder (this has permission issues)

  • build

  • deploy

  • test

  • package

I can not seem to get npm or yarn install to have a valid session to download the package. 

NOTE: I am able to login and download locally. Does this mean GH Actions must manually login to the registry?

So confused please help.

SPA yml

name: npm build test master
on:
  push:
    branches:
      - master
jobs:
  build:
    runs-on: ubuntu-18.04
    strategy:
      matrix:
        node: ['12']
    name: Node ${{ matrix.node }} sample
    steps:
      - uses: actions/checkout@master
      - name: Setup node
        uses: actions/setup-node@v1
        with:
          node-version: ${{ matrix.node }}
          NODE_AUTH_TOKEN: ${{secrets.NPM_AUTH_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          registry-url: 'https://npm.pkg.github.com'
      - run: npm install -g yarn
      - run: yarn install
      - run: yarn build
      - run: yarn test:ci
      - run: yarn publish

main build 

on:
  pull_request:
    branches:
      - master
name: "Build Test & Codecov"
jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
    matrix:
      node: ['12']
    name: Dependencies / JWT Token
    steps:
    - uses: actions/checkout@master
    - name: Setup node
      uses: actions/setup-node@v1
      with:
        node-version: ${{ matrix.node }}
        NODE_AUTH_TOKEN: ${{secrets.NPM_AUTH_TOKEN }}
        registry-url: 'https://npm.pkg.github.com'
        scope: '@company'
    - run: npm install
        with:
          NODE_AUTH_TOKEN: ${{secrets.NPM_AUTH_TOKEN }}
          registry-url: 'https://npm.pkg.github.com'
          scope: '@company'

Hi @matt-newell,

I’m not sure if you figured it out, but you need a personal access token to consume private npm packages in GH registry. You can read about it here https://github.com/actions/setup-node/issues/49#issuecomment-526203717

2 Likes