I managed to publish a simple test package on the Github packageregistry using this tutorial : https://docs.github.com/en/packages/quickstart
Now, if I understand correctly, to use it in a project I have to create a .npmrc file with the following lines :
#OWNER:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=PAT
1- If somebody else wants to install my public package, do I need to provide them my own PAT ? Or can you install any Github public package with your own PAT ?
2- How can I hide my PAT from the .npmrc file ? I tried to setup a TOKEN variable in my .env file (located in the same directory as the .npmrc file) and calling it with ${TOKEN}, but it doesn't seem to work (authentication fails when running npm install, while inserting the same PAT directly in the file it works).
Thanks
1: Any PAT with the read:packages scope can read public packages. You don't need to provide your own PAT to anyone. See docs for details.
2: npm doesn't read from local .env files. You need to export the PAT as an environment variable (export TOKEN="ABC123"). Then you can use it with ${TOKEN} when calling the registry.
Looks like you'll have to export your PAT from your local machine's shell since .npmrc does not read the .env file.
Please see the following thread:
https://stackoverflow.com/a/55578270/6026781
Related
I am using Azure CI/CD pipelines for Flutter build. In my Pubspec yaml file, I have dependencies that are private to my project and the code is hosted in same azure devops project but in different repository. During Build (i.e. Flutter Packages get) it gives me error saying Authentication failed?. I tried with PAT token where in prior to flutter build task i used git command to set that token, but it didn't solve the issue. Can anyone help me out?
I am open to being shown a better way but these are the steps I took to solve this issue a little while ago.
Assuming you are referencing the package in your pubspec.yaml using git over ssh on azure devops like:
repo_name:
git:
ref: 'tag or other identifier'
url: you#vs-ssh.visualstudio.com:v3/you/project/repo_name
Generate a new ssh key pair on your machine.
Upload the private key to the library secure files section on azure devops.
Add the install ssh key task to your azure pipelines build, using the key pair generated in the previous steps and referencing the private key uploaded to the secure files library. link
Upload the public key to your list of public keys. (This step I'm not 100% sure is necessary but I did it initially and things have worked so I haven't changed removed it)
So in my azure-pipelines.yaml the install ssh key step looks kinda like this where id_rsa is the name of the private key in my secure files.
- task: InstallSSHKey#0
inputs:
knownHostsEntry: 'vs-ssh.visualstudio.com, ...etc'
sshPublicKey: 'ssh-rsa ...etc'
sshKeySecureFile: id_rsa
A private feed is created with permissions such that only you have access.
The build agent run with user(build service account), give to this user permissions in the feed. From Feed settings->Permissions, assign your build service account owner permission.
Also verify the token is working, make sure you have selected sufficient scopes for this token to authorize for your specific tasks.
Besides try adding a variable system.debug with a value of true you’ll get more information in the failure. That might help pinpoint the problem.
1.I publish a public package in an organization repo.
The repo link : https://github.com/JX3BOX/jx3box-config/packages/141887
2.And I wanna install the package from another repo.
I had set the dependencies in the package.json
"dependencies": {
"#jx3box/jx3box-config": "^1.0.3",
and I created a file named .npmrc ,and set :
#jx3box:registry=https://npm.pkg.github.com
3.When I use github actions to build
There is an error occur
Running build scripts... npm install && npm run build
npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"
It means maybe I need auth.But This is an public package.Is it should be auth too?
4.Now I had to prepend a line in the file .npmrc,just like
//npm.pkg.github.com/:_authToken=<mytoken>
But how can I set it in the actions .
or because this is a public pkg,how can I don't need any auth?
Thanks a lot!! ^_^
This is probably solved but posting anyway because this question ranks high on Google.
From the GitHub Docs:
You need an access token to publish, install, and delete packages. You can use a personal access token to authenticate with your username directly to GitHub Packages or the GitHub API.[...]
You cannot install packages (even public ones) from the GitHub npm registry without being authenticated.
More details and multiple authentication methods here:
https://docs.github.com/en/packages/guides/configuring-npm-for-use-with-github-packages#authenticating-to-github-packages
The docs should be updated.
You need an access token to publish, install, and delete packages.
This should really be changed to;
You need an access token to publish, install, and delete both private and public packages.
I have just published a private package on GitHub, trying to figure out how it should be working. now I'm trying to install it in another project. I authenticated with npm login --registry=https://npm.pkg.github.com with an access token that has write:packages, read:packages and repo privileges. While trying to run npm install https://npm.pkg.github.com/#orgname/package-name I get an error message:
npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"
How can I add/get this privilege?
You need to generate a personal access token on Github and add it to your npm config in addition to setting the registry in the npm config:
In Github navigate to https://github.com/settings/tokens (Settings > Developer settings > Personal access tokens) and you should see something like this:
Click Generate new token
From the permissions select at least read:packages
Click Generate token and copy the token
Add the following to your local .npmrc:
#${OWNER}:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=${TOKEN}
See the relevant Github Packages documentation
Related: For Github Actions, be aware of the difference between the GITHUB_TOKEN and a personal access token. The Github Token's permissions are limited to the repository that contains your workflow. For anything else (including granular permissions beyond those allowed for the Github Token) you need a personal access token.
Apparently I'm an idiot who can't read documentation and missed that part:
In the same directory as your package.json file, create or edit an .npmrc file to include a line specifying GitHub Packages URL and the account owner. Replace OWNER with the name of the user or organization account that owns the repository containing your project.
registry=https://npm.pkg.github.com/OWNER
One other thing to check (this took me a while to realize):
I was getting the specified error:
npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"
Even though I thought I was correctly supplying a GITHUB TOKEN with the needed permissions.
I had set my github action to set the NODE_AUTH_TOKEN from the organization secret named GPR_PRIVATE_READ_TOKEN, which was working in another repo.
Turns out the issue was that the secret was defined to only be available to private repositories and I was trying to use it in a public repository. When I made the secret available to public repositories everything worked.
My workflow job looked like this (I'm showing all steps up to the install step in case it's helpful to someone to see):
jobs:
ci:
name: Run Tests
steps:
- name: Use Node.js 12.x
uses: actions/setup-node#v1
with:
node-version: 12.x
registry-url: https://npm.pkg.github.com/
- uses: actions/checkout#v2
- name: Install dependencies based on package-lock.json
run: npm ci
env:
NODE_AUTH_TOKEN: ${{ secrets.GPR_PRIVATE_READ_TOKEN }}
If your problem still persist, please be sure that your package name is in correct format.
The above answer was the solution for me. The updated version is documented as.
Additionally, I had to ensure my PAT (personal access token) was authorized to access my organization repository.
I was struggling to figure out why the .npmrc file would only work if I placed my PAT in plaintext in the file, which just seemed daft!
The fix is to set the "TOKEN" environment variable as part of your workflow file. I have:
- run: npm install
env:
TOKEN: ${{ secrets.TOKEN }}
The secrets.TOKEN above refers to a Repository secret that I created for the repository that needs to access github packages:
(Repository > Settings > Security > Secrets > Actions)
And the value of this secret was copied from a Personal Access Token I created for myself that only has read:packages scope:
(User settings > Developer settings > Personal Access Tokens > Tokens (classic))
It's also reassuring to see that it detects the usage of this token!
Finally, my .npmrc file contains:
#shiraze:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=${TOKEN}
I'm using my own username rather than the organisation name as that works for me. I think I could use the organisation name when I upgrade to Github Enterprise.
This is what worked with me
C:\Program Files\nodejs\node_modules\npm\npmrc
update the file here & your error will be resolved
We have an Angular project in an Azure repo that references another private Azure project/Repo in the packages.json file under dependencies. The project builds fine locally for all developers, but fails in the Azure Pipeline with Authentication failed. What is the correct way to pull code from a private Azure repo into another projects build pipeline?
I changed the access protocol from ssh to https and have done a lot of reading about how to accomplish this. I have read about the personal access tokens, but this doesn't seem like a good solution.
"core-js": "^2.5.4",
"xxx": "git+https://xxx#dev.azure.com/xxx/xxx#master",
"date-fns": "^1.30.1",
Note: The error is saying fatal: Authentication failed for 'https://dev.azure.com/..., which doesn't include the provided username in the dependency url.
Agree with yours. I also think that using PAT token is not a security way, because it does not expose the token exactly.
If you want to use SSH, you need first sure that the repos you want to install has a package.json at root.
And then, generate a pair of public/private key with the command: vssh-keygen -t rsa. After that, you can follow this doc: Use SSH key authentication to install them into your org.
Clone the repos with SSH, and this will make your client accept the fingerprint expressed by the server. Then, go repos page, get the SSH URI to cloning your repos and add it into the dependencies section of your package.json file:
"dependencies": {
"testproj": "git+ssh://account#ssh.visualstudio.com:v3/{org name}/{project name}/{repos name}"
}
I would like to remove my user name and personal access token from the package.json file in my React application.
The package being installed is a private remote GitHub repository for which I am the owner.
The request is being made over the HTTPS protocol.
E.g: "react-trello": "https://username:token#github.com/username/react-trello.git#dev/branch"
I have a PAT issued from GitHub. But I'm having trouble accessing them in the package.json file in my project.
Should I create Heroku config vars with the PAT value?
heroku config:set -a my-app GITHUB-TOKEN=466ghdf57
In Heroku config you can set variable names to use with GitHub. How do I set my user name, password and token? As Heroku config variables?
E.g: USERNAME, GITHUB-USER, TOKEN, GITHUB-TOKEN.
I've tried creating variables such as USERNAME, TOKEN, GITHUB_USER. But it doesn't work if I remove my credentials from the package.json file.
E.g: "react-trello": "https://github.com/username/react-trello.git#dev/branch".
I get an error: Fatal: Could not read Username for "https://github.com".
Am I missing something?
Heroku doesn't provide this out of the box, and package.json doesn't natively support environment variables.
One option is to build your dependency as an NPM packages and publish it on a private package repository, e.g. Gemfury, whose Heroku addon has a free plan supporting a single private module.
Briefly, you can publish your module to Gemfury with https://npm-proxy.fury.io/APPID/, followed by npm login and npm publish. Then, in the Heroku app that depends on your private module, add a .npmrc file containing
always-auth=true
registry=https://npm-proxy.fury.io/APPID/
//npm-proxy.fury.io/APPID/:_authToken=${FURY_AUTH}
and set a Heroku config var FURY_AUTH containing your Gemfury auth token.
This does mean you'll have to update your published library on Gemfury before the dependent application will see changes you make to it. This is probably a good idea anyway; depending on specific tagged releases is safer than depending on mutable branches.
There is also this workaround which may let you effectively inject environment variables into your package.json, but I haven't tried it.