
I have successfully deployed @myorganization/my-super-lib as a GH npm package. Now I would like to use it in another GH project.

This is a private lib, and a private project (important to remember, as the point is moot with public ones).

Locally, no problem, just add the correct authtoken config with my personal token in my npm config.

Now, when using Github Actions, I am not sure what the elegant solution would be for a token to access the library package. The documentation says to use a personal one, but what if I leave the org? I could also use a dedicated technical account just for that, but that doesn't seem like the "right" solution.

Has anyone got a better idea?

Edit after comments: At first I thought that I could simply use the GITHUB_TOKEN, but it is restricted to access only the current repository, and this is logical from a security perspective after thinking about it.

leonheess
Romain Prévost
  • Vote on [this proposal](https://meta.stackoverflow.com/questions/354583/disentangle-the-yarn) to ease the tag confusion. – leonheess Feb 10 '20 at 12:36

3 Answers


There is currently no better option than using a personal access token, i.e.:

  • Create a personal read:packages access token from an account that has read access
  • Insert that token as "Secret" to the repository (where you execute the Github Actions)
  • Access the token via the Secrets in the Github Actions workflow to authenticate and install the dependency stored in the Github Registry
hb0
  • I added the answer which the author found himself (see comments) so that it's faster to find. Fingers crossed that there will be a better option soon :-) – hb0 Nov 30 '19 at 20:33

To use Github Actions to install a private Github package, you also need to:

  • actions/setup-node@v1: define the scope of the package registry
  • npm install: use a personal access token with read and repo access. This token should be created by any Github account that has access to the private Github package you use, and stored as a secret in the repo that uses that action.

Note: `--ignore-scripts` is an optional flag that adds extra protection against malicious scripts that could steal your personal access token.

example:

    steps:
      - uses: actions/checkout@v2

      - uses: actions/setup-node@v1
        with:
          node-version: '12.x'
          registry-url: 'https://npm.pkg.github.com'
          scope: '@antecha'

      - run: npm install --ignore-scripts
        env:
          NODE_AUTH_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}

UPDATE:
example repo: https://github.com/antecha/survey

  • As I mentioned, the personal access token can be created by ANY account that has access to the private registry. For orgs, the best option is to create an admin profile/account on Github whose only purpose is to manage such tokens and/or the org's Github authentication to 3rd-party apps.
AndreasT
  • You're describing my current situation, not answering the question :) – Romain Prévost Apr 20 '20 at 14:47
  • btw the question-title is a little bit misleading. I found this question while I was looking a way to do what the title says: `Retrieve a Github Registry npm package from a Github Action` and as the existing solutions here didn't work I posted mine. I will leave my answer as it might help people coming here no matter if they want or not to use personal token – AndreasT Apr 21 '20 at 19:50
  • Well, that is a valid point, removing my downvote. For your problem, you can also look at this https://stackoverflow.com/questions/58522363/installing-private-package-from-github-package-registry-fails-with-not-found-not/58645027#58645027 Since our builds have a lot of chained yarn actions, I use a template .npmrc, an action to replace placeholders with secrets, and then don't have to fill in environment variables for each step. – Romain Prévost Apr 22 '20 at 20:23
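The answer and the comment above both route the token through the registry configuration: `actions/setup-node` writes an `.npmrc` whose `_authToken` line references `NODE_AUTH_TOKEN`, and npm expands that variable at run time, so the secret itself never sits in a committed file. The following is an added example, not code from any of the posters: it generates such a scoped `.npmrc` and adds a check that flags any `_authToken` line carrying a literal value instead of an `${ENV}` reference, which is the thing that must never be committed. The scope `@myorganization` and the file path are assumptions for illustration.

```shell
#!/usr/bin/env sh
# Added example: scoped .npmrc for the GitHub npm registry with the token
# supplied through an environment variable, plus a leak check for the file.
# The scope and file name are placeholders chosen for this example.

# write_npmrc SCOPE FILE: point SCOPE at npm.pkg.github.com and reference the
# token as ${NODE_AUTH_TOKEN}; npm substitutes it from the environment when it
# reads the file, so no credential is written to disk here.
write_npmrc() {
  scope="$1"
  file="$2"
  # Single quotes keep the shell from expanding ${NODE_AUTH_TOKEN}; npm does it.
  printf '%s:registry=https://npm.pkg.github.com\n' "$scope" > "$file"
  printf '//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}\n' >> "$file"
}

# npmrc_has_literal_token FILE: succeed (exit 0) when some _authToken line holds
# anything other than a ${VARIABLE} reference, i.e. a hard-coded token. Run this
# over every .npmrc that is about to be committed or cached.
npmrc_has_literal_token() {
  grep -E '^//[^[:space:]]*:_authToken=' "$1" \
    | grep -qvE '_authToken=\$\{[A-Za-z_][A-Za-z0-9_]*\}$'
}
```

In the workflow, `NODE_AUTH_TOKEN` is then set from `secrets.PERSONAL_ACCESS_TOKEN` on the `npm install` step only, exactly as in the answer's `env:` block.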

I personally use this script (.github/workflows/my-super-workflow-file.yml):

    name: CI

    on: [push]

    jobs:
      build:

        runs-on: ubuntu-latest

        steps:
          - uses: actions/checkout@v1
          - name: Setup node
            uses: actions/setup-node@v1
            with:
              node-version: '10.x'
              registry-url: 'https://npm.pkg.github.com'
          - run: npm install --ignore-scripts
            env:
              NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          - run: npm test
onekiloparsec
  • For some reason this produces a 404 error for me when trying to install the private package from GitHub Package Registry. – Charlie Fish Nov 03 '19 at 22:44
  • Yup, your GITHUB_TOKEN only has access rights to the current repository. I'll update my question with this. – Romain Prévost Nov 04 '19 at 10:12
  • According to my Twitter thread (https://twitter.com/char_fish/status/1191442780729556993?s=21) with a GitHub product manager, they are aware there should be a better option here. But for now you have to use the standard registry key and follow the steps outlined in that documentation to create a key and add it to the repo secrets store. That Twitter thread combined with this answer should help get this working tho. I'll hopefully get around to testing it soon. – Charlie Fish Nov 04 '19 at 19:53
  • Thanks, I'll follow the secret keys tutorial then. – onekiloparsec Nov 05 '19 at 13:17
  • Can't make it work. I created a packages:read secret token, added it to secrets, but then `npm ci` fails on accessing a package I don't even own: `npm ERR! 401 Unauthorized - GET https://npm.pkg.github.com/onekiloparsec/babel-helper-vue-jsx-merge-props - could not retrieve user by token` – onekiloparsec Nov 06 '19 at 12:30
  • @CharlieFish Thanks a lot, I know it is a work in progress then :) – Romain Prévost Nov 07 '19 at 13:44