0

I have a private repo that, using Github Actions workflow, I have published as a private npm package on Github Package Registry. I want to consume this package in the scope of another private project of mine. But there is an issue. Upon importing the GPR hosted package as a dependency I get a 'module not found' error.

  1. Github Actions workflow successfully publishes private npm package to GPR.
  2. The published package appears under 'Package' tab at Github user landing.
  3. GPR_ACCESS_TOKEN is a PAT (ensuring that I can consume the package).

IMAGE: the error in question

.npmrc file at root of project consuming private package

@slackermorris:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=XXXX-XXXX-XXXX-XXXX

Github Action responsible for republishing private npm package to Github Registry.

name: Node.js Package

on:

  push:

    branches:

      - master

  release:

    types: [created]

jobs:

  build:

    runs-on: ubuntu-latest

    steps:

      - uses: actions/checkout@v2

      - uses: actions/setup-node@v1

        with:

          node-version: 12

      - run: npm ci

      - run: npm test

        env:

          CI: true

  publish-gpr:

    needs: build

    runs-on: ubuntu-latest

    steps:

      - uses: actions/checkout@v2

      - uses: actions/setup-node@v1

        with:

          node-version: 12

          registry-url: https://npm.pkg.github.com

          scope: slackermorris

      - run: npm ci

      - run: npm publish

        env:

          NODE_AUTH_TOKEN: ${{secrets.GPR_ACCESS_TOKEN}}

package.json of the published npm package.

"name": "@slackermorris/bostock-metaball-animation",

  "version": "1.0.3",

  "main": "index.js",

  "author": "slackermorris",

  "license": "MIT",

  "publishConfig": {

    "registry": "https://npm.pkg.github.com"

  } ...
slackermorris
  • 368
  • 3
  • 11

1 Answers1

0

What you are trying should work, but I can confirm it does not. Better than putting your token in .npmrc is storing your Personal Access Token in a repo secret that is exported by the workflow. IE, create a repo secret named GPR_AUTH_TOKEN with the contents of your PAT. Then add this to your workflow:

env:
  GPR_AUTH_TOKEN: ${{ secrets.GPR_AUTH_TOKEN }}

Then have your .npmrc load the token via the env variable:

//npm.pkg.github.com/:_authToken=${GPR_AUTH_TOKEN}

That avoids exposing your PAT to everyone with repo access.

That solution works for me on node.js v16 but it doesn't work with node 14.

What works for every LTS version of Node.js is to configure .npmrc with this npm step in your workflow:

  - name: Configure NPM
    run: npm config set '//npm.pkg.github.com/:_authToken' "${{secrets.GPR_AUTH_TOKEN}}"

After that, the npm install works as expected.

Matt Simerson
  • 1,001
  • 1
  • 10
  • 22