Github Actions with private package (Github Package Registry or NPM)

I’m just leaving this here for self help in the future and maybe help others, I could be wrong as I’m new to Github Actions at this time.

I have an Angular project that uses a private package I publish to Github Package Registry. I wanted to setup Github Actions to run the build and report on any errors on PRs (Continuous Integration).

At the time of writing this my project had to be on:

Angular CLI: 7.0.7
Node: 10.17.0
OS: darwin x64
Angular: 7.2.16

Some of the errors I ran into

Hopefully this helps some people end up here who are running into the same issue.

Process completed with exit code 1.

This was the error on npm i within Github Actions.

npm ERR! 401 Unauthorized - GET - Your request could not be authenticated by the GitHub Packages service. Please ensure your access token is valid and has the appropriate scopes configured.


GITHUB_TOKEN restricted permissions

GITHUB_TOKEN is available within your workflow and requires no work to add the secret manually.

Used like:

${{ secrets.GITHUB_TOKEN }}

However the token’s permissions are limited to the repo that contains the workflow therefore is fine for publishing but doesn’t work for installing private repos even within the same organisation.

This does not work although on Github Actions Docs

    - uses: actions/checkout@v2
    - name: Use Node.js ${{ matrix.node-version }}
      uses: actions/setup-node@v1
        always-auth: true
        node-version: ${{ matrix.node-version }} 
        registry-url: ''
        scope: '@whitehatgaming'
    - run: npm i -g @angular/cli
    - name: Install dependencies
      run: npm i
    - run: ng build --prod

This works

Use private packages:

steps: - uses: actions/checkout@v2 - uses: actions/setup-node@v1 with: node-version: '10.x' registry-url: '' # Skip post-install scripts here, as a malicious # script could steal NODE_AUTH_TOKEN. - run: npm install --ignore-scripts env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} # `npm rebuild` will run all those post-install scripts for us. - run: npm rebuild && npm run prepare --if-present

The difference is using the

  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

part when needed… The npm install requires the permissions due to installing the private package, this is solved locally by authenticating with a Personal Access Token in ~/.npmrc


Kinda related: