Installing packages from github npm registry - auth error 401

Question

I have just published a private package on GitHub, trying to figure out how it should be working. now I'm trying to install it in another project. I authenticated with npm login --registry=https://npm.pkg.github.com with an access token that has write:packages, read:packages and repo privileges. While trying to run npm install https://npm.pkg.github.com/@orgname/package-name I get an error message:

npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"

How can I add/get this privilege?

This question https://stackoverflow.com/questions/53099434/using-auth-tokens-in-npmrc helped me with the subject, but note that unlike the answer said, I had to add `${...}` around the environment variable to make it work. — Sigma Octantis, Jun 10 '21 at 06:44

score 104 · Answer 1 · edited Sep 23 '22 at 01:30

104

You need to generate a personal access token on Github and add it to your npm config in addition to setting the registry in the npm config:

In Github navigate to https://github.com/settings/tokens (Settings > Developer settings > Personal access tokens) and you should see something like this:

Click Generate new token
From the permissions select at least read:packages

Click Generate token and copy the token

Add the following to your local .npmrc:

@${OWNER}:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=${TOKEN}

See the relevant Github Packages documentation

Related: For Github Actions, be aware of the difference between the GITHUB_TOKEN and a personal access token. The Github Token's permissions are limited to the repository that contains your workflow. For anything else (including granular permissions beyond those allowed for the Github Token) you need a personal access token.

edited Sep 23 '22 at 01:30

Community

1
1

answered Aug 04 '20 at 09:30

br3w5

4,403
5
33
42

5

You own the green checkmark! I failed to notice those 2 lines were not talking about the same thing. I ended up with `@{{OWNER}}:registry=https://npm.pkg.github.com/:_authToken={{TOKEN}}` which was, of course, not working. Many thanks – maganap Sep 05 '20 at 17:32
3

Adding `registry=https://npm.pkg.github.com/OWNER` was not enough. This answer helped. – Nikasv Oct 05 '20 at 10:01
1

The username seems to be case sensitive as well. Keep that in mind. – Lemon Nov 24 '20 at 12:20
How about proxy? this configuration cannot bypass the company proxy. I still add it manually to project and looking for configuration now. – Hoang Subin Nov 29 '20 at 07:46
Is it good idea to commit tokens in repo. i'm pretty new to github actions, should I add those literally in my local .npmrc and they will be supplied behind the scenes in github workflow? Are {{OWNER}} and {{TOKEN}} built-in environment variables? – The.Wolfgang.Grimmer Dec 17 '20 at 03:05
OWNER is a built in one but TOKEN can be added as a repository secret (look in repo settings) and needs to be injected somehow see https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets – br3w5 Dec 18 '20 at 13:47
1

It should be noted that environment variable expansion is the `.npmrc` file is done though the `${}` tokens (Ex: `what=ever/${GITHUB_TOKEN}`). I mention this because at first I thought that was done though double braces like shown above (using `{{...}}`) and this led me to confusion. – Sigma Octantis Jun 10 '21 at 06:30
I was really hoping there would be a way to set the authToken in the yaml actions file. – Shiraz Dec 16 '22 at 18:32
I can only get this to work if I replace ${TOKEN} in the .npmrc file with the value of my PAT, which seems really insecure. I've tried to set TOKEN with the value of my PAT but the expected substitution is not happening and I get a E401 error – Shiraz Dec 16 '22 at 23:32

score 27 · Accepted Answer · edited Jun 20 '20 at 09:12

27

Apparently I'm an idiot who can't read documentation and missed that part:

In the same directory as your package.json file, create or edit an .npmrc file to include a line specifying GitHub Packages URL and the account owner. Replace OWNER with the name of the user or organization account that owns the repository containing your project.

registry=https://npm.pkg.github.com/OWNER

edited Jun 20 '20 at 09:12

Community

1
1

answered Nov 19 '19 at 10:05

Michał Sadowski

1,946
1
11
24

12

I made this too but it is not enough. I can't find the way to solve this yet. – Yasin Okumuş Jun 19 '20 at 21:02
4

I Had an issue with npm > 7 where I had to change this line to use the exact scope: `@scope:registry=https://npm.pkg.github.com` – dimisus Jan 25 '21 at 13:45
@o0'. both things can be true at the same time! – Michał Sadowski Aug 20 '21 at 13:51
The realm message is about authentication. Try in another environment where `@OWNER:registry=https://npm.pkg.github.com` is set in an `.npmrc` file but there is no authentication. – Craig Hicks Nov 25 '21 at 19:32

score 5 · Answer 3 · answered Mar 30 '21 at 18:42

One other thing to check (this took me a while to realize):

I was getting the specified error:

npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"

Even though I thought I was correctly supplying a GITHUB TOKEN with the needed permissions.

I had set my github action to set the NODE_AUTH_TOKEN from the organization secret named GPR_PRIVATE_READ_TOKEN, which was working in another repo.

Turns out the issue was that the secret was defined to only be available to private repositories and I was trying to use it in a public repository. When I made the secret available to public repositories everything worked.

My workflow job looked like this (I'm showing all steps up to the install step in case it's helpful to someone to see):

jobs:
  ci:
    name: Run Tests
    steps:
      - name: Use Node.js 12.x
        uses: actions/setup-node@v1
        with:
          node-version: 12.x
          registry-url: https://npm.pkg.github.com/

      - uses: actions/checkout@v2

      - name: Install dependencies based on package-lock.json
        run: npm ci
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GPR_PRIVATE_READ_TOKEN }}

score 1 · Answer 4 · answered Feb 07 '21 at 12:28

1

If your problem still persist, please be sure that your package name is in correct format.

answered Feb 07 '21 at 12:28

tekin aydogdu

36
1
4

score 0 · Answer 5 · answered Mar 08 '22 at 05:48

0

The above answer was the solution for me. The updated version is documented as. Additionally, I had to ensure my PAT (personal access token) was authorized to access my organization repository.

answered Mar 08 '22 at 05:48

jpt

21
5

score 0 · Answer 6 · answered Dec 16 '22 at 23:56

I was struggling to figure out why the .npmrc file would only work if I placed my PAT in plaintext in the file, which just seemed daft! The fix is to set the "TOKEN" environment variable as part of your workflow file. I have:

      - run: npm install
        env:
          TOKEN: ${{ secrets.TOKEN }}

The secrets.TOKEN above refers to a Repository secret that I created for the repository that needs to access github packages: (Repository > Settings > Security > Secrets > Actions)

And the value of this secret was copied from a Personal Access Token I created for myself that only has read:packages scope: (User settings > Developer settings > Personal Access Tokens > Tokens (classic))

It's also reassuring to see that it detects the usage of this token!

Finally, my .npmrc file contains:

@shiraze:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=${TOKEN}

I'm using my own username rather than the organisation name as that works for me. I think I could use the organisation name when I upgrade to Github Enterprise.

Installing packages from github npm registry - auth error 401

6 Answers6

Linked