1

I am trying to not use my PAT stored in the .npmrc file that is checked into the root of my repository. Right now, I have a GitHub Actions workflow setup that publishes a package to our GitHub package registry. Everything works well as long as I have my Personal Access Token(PAT) saved in the .npmrc but when I try to replace it with an environment variable like ${NPM_TOKEN} or ${NODE_AUTH_TOKEN} or ${GITHUB_TOKEN}, it fails with a 401 error.

My .npmrc looks like this now and it is failing:

registry=https://registry.npmjs.com
@my-org:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}
always-auth=true

My GitHub Action workflow looks like this:

name: component_4 publish

on:
  push:
    branches:
     - main

jobs:
  publish-gpr:


    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 16
      - run: npm ci
      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

I tried to replace my hardcoded PAT with an environment variable and it fails to authenticate.

GuiFalourd
  • 15,523
  • 8
  • 44
  • 71
Mani Shankar
  • 33
  • 2
  • How did you save your PAT? Because there is a syntax to follow for secrets name on the [official documentation](https://docs.github.com/en/actions/security-guides/encrypted-secrets#naming-your-secrets), and that might be related to your issue here. – GuiFalourd Nov 17 '22 at 16:56
  • I saved my PAT as GH_TOKEN and NPM_TOKEN. It's the same PAT but I was trying different things and I created GH_TOKEN under environment secrets and NPM_TOKEN under Repository secrets. – Mani Shankar Nov 17 '22 at 16:59
  • Ok. Did you try using something else instead of GITHUB_TOKEN for the env variable name as well? Or is it a pattern you saw somewhere? – GuiFalourd Nov 17 '22 at 17:13
  • In the GitHub actions workflow, GITHUB_TOKEN is a default environment variable that works without any issues. In the .npmrc file I tried a few variants and none worked. – Mani Shankar Nov 17 '22 at 17:16
  • In this [article](https://github.blog/2021-03-04-4-things-you-didnt-know-you-could-do-with-github-actions/) I saw an example with both `NPM_TOKEN` and `GITHUB_TOKEN` as env variables in the step calling the `npx semantic-release` command. That may be the a solution if you want to try. – GuiFalourd Nov 17 '22 at 17:18
  • Tried that as well. It did not work. So, the question I have now is, does .npmrc not have visibility to the environment variables I created in my CI platform? – Mani Shankar Nov 17 '22 at 18:02
  • I had the same idea but decided to put the access token into my users .npmrc file in the home folder. This allows you to use the access token in multiple project without the need for a project specific configuration. – Yannick Nov 23 '22 at 23:00

0 Answers0