Installing private Github Package using yarn on Github Actions is Unauthorized with yarn.lock

Asked 15/5, 2020 at 10:24 Answered 11/5, 2021 at 0:38

Solved yarnpkg github-actions github-package-registry

There are a lot of similar issues already floating around:

Install private github package from package.json on Github Actions
Download private module from Github Package Registry via Yarn within a Github Action? Publishing works, but installing is met with '401 Unauthorized'
Installing private package from Github Package registry using Yarn fails with not authorized

However, our issue seems different, because:

yarn install runs fine on a local machine
the issue is only when using Github Actions
yarn install succeeds on GH Actions if we delete yarn.lock

Has anyone run into this before? Specifically with it not working with a yarn.lock file?

In case it matters, here's the setup:

build.yml:

    steps:
    - uses: actions/checkout@v2
    - uses: actions/setup-node@v1
      with:
        node-version: '10.x'
        registry-url: 'https://npm.pkg.github.com'
    - name: Install
      run: yarn install
      env:
        # GITHUB_TOKEN can't access packages hosted in private repos,
        # even within the same organisation
        NODE_AUTH_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
    - name: Build
      run: yarn build
    - name: Test
      run: yarn test --forbid-only

We also have a .npmrc file for local installs:

@<org>:registry=https://npm.pkg.github.com

But no .yarnrc file.

Photocopier answered 15/5, 2020 at 10:24 Comment(3)

What's the error message you get? – Jarid 16/5, 2020 at 20:42

I have never had to run yarn install. When I use yarn on github actions, I run yarn --frozen-lockfile to do the install and force yarn to use the yarn.lock without checking for updates or anything. See this answer also – Jarid 16/5, 2020 at 20:45

We're just told that the request is unauthorized:

yarn install v1.22.4 [1/4] Resolving packages... [2/4] Fetching packages... error An unexpected error occurred: "https://npm.pkg.github.com/download/<scope>/<package>/<version>/<hash>: Request failed \"401 Unauthorized\"".

– Photocopier 18/5, 2020 at 7:25

We managed to solve this by explicitly duplicating the .npmrc config in the build.yml config:

      - uses: actions/setup-node@v1
        with:
          node-version: '10.x'
          registry-url: 'https://npm.pkg.github.com'
          # These following two lines are the key:
          always-auth: true
          scope: '@reedsy'

Photocopier answered 23/9, 2020 at 12:56 Comment(0)

I'm create a file .npmrc and .yarnrc. Type:

name: Test

on: push
jobs:
  test:
    runs-on: ubuntu-latest

    strategy:
      matrix:
        node-version: [12.x]

    steps:
      - uses: actions/checkout@v2
      - name: Node ${{ matrix.node-version }}
        uses: actions/setup-node@v1
        with:
          node-version: ${{ matrix.node-version }}
      - name: Create NPMRC
        run: |
            echo "//npm.pkg.github.com/:_authToken=${{ secrets.PACKAGES_TOKEN }}" >> ~/.npmrc
            echo "@you-scope:registry=https://npm.pkg.github.com" >> ~/.npmrc
            echo 'registry "https://registry.yarnpkg.com"' >> ~/.yarnrc
      - run: yarn install

Replace @you-scope for you user of github or of your org in github in LowerCase.

Create a PACKAGES_TOKEN secrete token of your github access for this repository.

Impale answered 11/5, 2021 at 0:38 Comment(2)

Your note about requiring a PACKAGES_TOKEN proved helpful. I kept trying the GITHUB_TOKEN in the actions but that was leading to a 404 Not Found. I'm guessing the GITHUB_TOKEN in actions is only valid for the current repository and not for installing other packages, even if in the same organization. Thanks! – Oliviero 27/1, 2022 at 12:24

This worked for me. I was missing the step of creating NPMRC – Mungovan 12/4, 2022 at 3:58

Recommended topics

Hot tags