Download private module from Github Package Registry via Yarn within a Github Action? Publishing works, but installing is met with '401 Unauthorized'

3

7

For various reasons we are stuck using yarn to manage our packages, so we can't rely on a package-lock.json to use npm with github actions.

We cannot get Yarn to authenticate as part of a github action. We've got our repo npmrc configured as:

@COMPANY:registry=https://npm.pkg.github.com
registry=https://registry.npmjs.org/

And we're using this action for yarn.

Here's a basic setup where we're just trying to install the modules -- nothing more.

name: CI
on: [push]
jobs:
  build:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: borales/[email protected]
        with:
          auth-token: ${{ secrets.GITHUB_TOKEN }}
          registry-url: "https://npm.pkg.github.com"
          scope: tlabs
          cmd: version
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_REGISTRY_URL: https://npm.pkg.github.com
      - name: Create NPMRC
        run: |
          echo "//npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_TOKEN }}" > ~/.npmrc
      - name: Install
        run: |
           yarn install --verbose

By default, this action will try to run install so to bypass that I provided a basic command there 'version' so it just displays the yarn version and nothing more.

Running yarn install will work for all other packages but when it gets to our private modules, it will try to get them from the right registry (github) but will be hit with a 401.

Full error:

verbose 7.614802156 Error: https://npm.pkg.github.com/download/@tlabs/utils/1.0.1/afe9eaa6f9565f95c31563cbecfe617d7970f44077302cbe9ca8ee3223550469: Request failed "401 Unauthorized"
    at ResponseError.ExtendableBuiltin (/usr/share/yarn/lib/cli.js:696:66)
    at new ResponseError (/usr/share/yarn/lib/cli.js:802:124)
    at Request.<anonymous> (/usr/share/yarn/lib/cli.js:66996:16)
    at Request.emit (events.js:210:5)
    at Request.module.exports.Request.onRequestResponse (/usr/share/yarn/lib/cli.js:141441:10)
    at ClientRequest.emit (events.js:210:5)
    at HTTPParser.parserOnIncomingClient [as onIncoming] (_http_client.js:583:27)
    at HTTPParser.parserOnHeadersComplete (_http_common.js:115:17)
    at TLSSocket.socketOnData (_http_client.js:456:22)
    at TLSSocket.emit (events.js:210:5)
error An unexpected error occurred: "https://npm.pkg.github.com/download/@tlabs/utils/1.0.1/afe9eaa6f9565f95c31563cbecfe617d7970f44077302cbe9ca8ee3223550469: Request failed \"401 Unauthorized\"".
Edge answered 21/11, 2019 at 12:33 Comment(4)
The default GITHUB_TOKEN is only scoped for the current repository. Have you tried using a read:packages and repo scoped Personal Access Token instead of GITHUB_TOKEN? – Katakana
Ah. Is there a way to change that or am I just stuck with using a PAT for all of my actions? – Edge
@Katakana aaah, it works with the PAT -- I guess I'll just be happy that it does and move on. If you post it as an answer I'll mark it as the solution. – Edge
There is no alternative as far as I know. It's a deliberate limitation of GITHUB_TOKEN that it's only scoped to the current repository. – Katakana
5

The default GITHUB_TOKEN is only scoped for the current repository. You cannot use it to access packages in another repository. Use a read:packages and repo scoped Personal Access Token instead of GITHUB_TOKEN.

Katakana answered 21/11, 2019 at 14:28 Comment(2)
I'm using my PAT with the mentioned permissions only but still getting the 401 error in GitHub actions. – Eudoxia
Also using my PAT and still getting 401 errors in Github actions. Created a new more in-depth issue here: #64125331 – Cathcart
4

I create a .npmrc and a .yarnrc file. Type:

name: Test

on: push
jobs:
  test:
    runs-on: ubuntu-latest

    strategy:
      matrix:
        node-version: [12.x]

    steps:
      - uses: actions/checkout@v2
      - name: Node ${{ matrix.node-version }}
        uses: actions/setup-node@v1
        with:
          node-version: ${{ matrix.node-version }}
      - name: Create NPMRC
        run: |
            echo "//npm.pkg.github.com/:_authToken=${{ secrets.PACKAGES_TOKEN }}" >> ~/.npmrc
            echo "@you-scope:registry=https://npm.pkg.github.com" >> ~/.npmrc
            echo 'registry "https://registry.yarnpkg.com"' >> ~/.yarnrc
      - run: yarn install

Replace @you-scope with your GitHub user name or your GitHub org name, in lowercase. Create a PACKAGES_TOKEN secret for this repository.

Taratarabar answered 11/5, 2021 at 0:33 Comment(0)
0

Have a .npmrc file in the root of your project.

Content of .npmrc:

registry=https://registry.npmjs.org/
@{scope}:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=********** (Token generated from github)

@{scope} is your organization-name or your username. It is case-sensitive. Also, to access both private and public packages in github registry, you need to have a token.

Reference: You need an access token to publish, install, and delete packages.

Breastfeed answered 21/5, 2021 at 19:39 Comment(0)
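
An added example, not part of any answer above: a shell version of the .npmrc setup the answers describe, plus a preflight check that the package's scope is mapped to a registry and that a token line exists for that registry's host. The function names `write_npmrc` and `check_npmrc` and their exit codes are hypothetical; the token is assumed to arrive in a `PACKAGES_TOKEN` environment variable (for example via the step's `env:`) instead of being interpolated into the script text.

```shell
#!/bin/sh
# Added example; function names and exit codes are hypothetical.

# write_npmrc SCOPE FILE
# Map @SCOPE to GitHub Packages and store the token read from the
# PACKAGES_TOKEN environment variable (assumed to be set from a secret).
write_npmrc() {
  scope=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')  # lowercase, as one answer advises
  file=$2
  [ -n "${PACKAGES_TOKEN:-}" ] || { echo "PACKAGES_TOKEN is empty" >&2; return 2; }
  ( umask 077                       # token file readable by the runner user only
    {
      printf 'registry=https://registry.npmjs.org/\n'
      printf '@%s:registry=https://npm.pkg.github.com\n' "$scope"
      printf '//npm.pkg.github.com/:_authToken=%s\n' "$PACKAGES_TOKEN"
    } > "$file" )
}

# check_npmrc PACKAGE FILE
# Returns 0 = ok, 3 = scope not mapped to any registry (matching is
# case-sensitive), 4 = no _authToken line for the mapped registry host.
check_npmrc() {
  scope=${1%%/*}                    # "@tlabs/utils" -> "@tlabs"
  file=$2
  url=$(sed -n "s|^${scope}:registry=||p" "$file" | head -n 1)
  [ -n "$url" ] || { echo "no registry mapped for $scope" >&2; return 3; }
  host=${url#*://}; host=${host%%/*}   # strip the scheme and any path
  grep -q "^//${host}/:_authToken=..*" "$file" ||
    { echo "no _authToken for //${host}/" >&2; return 4; }
}
```

Running `check_npmrc @tlabs/utils ~/.npmrc` before `yarn install` separates a configuration gap from a token that is present but lacks access, which is the case the accepted answer describes.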
