I have published a private package to our org's package repository.
As per the documentation I added an .npmrc file to another project's root with the following content:
In my local ~/.npmrc sits my auth token for npm.pkg.github.com
I installed the published package in my package.json with the following entry in the package.json
When installing locally this works fine.
When installing via GitHub Actions the installation fails with the following error:
npm ERR! code E404
npm ERR! 404 Not Found - GET https://npm.pkg.github.com/my-org/@my-org%2fmy-package - npm package "my-package" does not exist under owner "my-org"
npm ERR! 404
npm ERR! 404 '@email@example.com' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
It seems like "my-org" is used two times in the path to the package?
Why does it work locally but not in GitHub Actions?
Originally my .npmrc only was like this (no org added to the registry URL):
That *also* works fine locally.
It also works for all scoped packages (like @coogle-cloud) in the GitHub Action but did *not* work for unscoped packages:
npm ERR! code E404
npm ERR! 404 Not Found - GET https://npm.pkg.github.com/chai
npm ERR! 404
npm ERR! 404 'firstname.lastname@example.org' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
So, I took my personal access token (which worked locally) and committed it; now the install workflow succeeds.
The documentation (https://help.github.com/en/github/managing-packages-with-github-packages/using-github-packages-with-...) says: "the GITHUB_TOKEN has read:packages and write:packages scopes."
Isn't that sufficient?
My personal access token has delete:packages, read:packages, repo, write:packages.
Buried in some arbitrary Twitter thread is the information that the GITHUB_TOKEN only has access to the current repo.
It would be nice if this had been explicitly stated somewhere.
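
A workflow configuration matching the resolution in this thread, as an added example that is not part of the original posts: the token that can read the other repository's package is supplied from an encrypted repository secret at install time instead of being committed, and only the org scope is mapped to GitHub Packages. The file name, the secret name `PACKAGES_READ_TOKEN`, the action versions and the Node version are assumptions.

```yaml
# .github/workflows/install.yml  (constructed example; file name is an assumption)
#
# Project .npmrc, committed to the repo, with no token in it:
#   @my-org:registry=https://npm.pkg.github.com
#   //npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}
# Only the @my-org scope is pointed at GitHub Packages, so unscoped packages
# such as chai keep resolving from the default npm registry.
name: install
on: [push]

permissions:
  contents: read        # the job itself needs nothing beyond a checkout

jobs:
  install:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          # setup-node writes a temporary user-level npmrc with the same
          # scope-to-registry mapping and an _authToken line that reads
          # NODE_AUTH_TOKEN from the environment.
          registry-url: https://npm.pkg.github.com
          scope: '@my-org'

      - run: npm ci
        env:
          # PACKAGES_READ_TOKEN is a hypothetical secret name. It holds a
          # personal access token that can read the package (read:packages),
          # because GITHUB_TOKEN only has access to the current repository.
          # The value lives in the repository's encrypted secrets and is
          # exposed to this step only.
          NODE_AUTH_TOKEN: ${{ secrets.PACKAGES_READ_TOKEN }}
```

A token kept in a secret can be rotated without touching git history and is masked in workflow logs; a token that has already been committed stays readable in history until it is revoked.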