Installing public npm packages from the GitHub package registry - github

1. I published a public package in an organization repo.
The repo link: https://github.com/JX3BOX/jx3box-config/packages/141887
2. And I wanna install the package from another repo.
I had set the dependencies in the package.json:
"dependencies": {
  "@jx3box/jx3box-config": "^1.0.3",
and I created a file named .npmrc and set:
@jx3box:registry=https://npm.pkg.github.com
3. When I use GitHub Actions to build, an error occurs:
Running build scripts... npm install && npm run build
npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"
It means maybe I need auth. But this is a public package. Should it need auth too?
4. Now I had to prepend a line in the .npmrc file, like this:
//npm.pkg.github.com/:_authToken=<mytoken>
But how can I set it in the Actions?
Or, because this is a public package, how can I avoid needing any auth?
Thanks a lot!! ^_^

This is probably solved but posting anyway because this question ranks high on Google.
From the GitHub Docs:
You need an access token to publish, install, and delete packages. You can use a personal access token to authenticate with your username directly to GitHub Packages or the GitHub API.[...]
You cannot install packages (even public ones) from the GitHub npm registry without being authenticated.
More details and multiple authentication methods here:
https://docs.github.com/en/packages/guides/configuring-npm-for-use-with-github-packages#authenticating-to-github-packages

The docs should be updated.
You need an access token to publish, install, and delete packages.
This should really be changed to:
You need an access token to publish, install, and delete both private and public packages.

Related

Github package successfully published, but not showing up in "Packages" section

I have a package that I published to Github package repository and it was successful, still, I am not able to see this package in the packages section
https://i.stack.imgur.com/WV7fr.jpg
https://i.stack.imgur.com/kGOFG.png
Please refer to the attached screenshots, as seen npm publish is successful.
What could I be missing?
Packages are not visible as releases, they will be visible in packages section for your organization:
https://github.com/orgs/ORGANIZATION/packages
For personal packages:
https://github.com/USER?tab=packages
Keep in mind that packages won't be visible under the repository "Packages" section until their name is the same as a repository. It doesn't matter that you publish it from this repository action.
In case you don't have a repository with such a name - it will be created for you by GitHub.
I have been experiencing the same thing since yesterday. I haven't tried with an already released package, but I can confirm new packages are appearing neither in the org/user packages tab nor in the packages section of the repository, despite the fact npm says that they have been published successfully.
Once you released the package and updated the repo but the package is not showing in the repo as here
Steps to link library to repo
Go to your profile on GitHub https://github.com/{your_user_name}?tab=packages. You must see the list of packages like here.
Click on the package that you need to link to repo. You must get link to repo or go to this link https://github.com/users/{your_user_name}/packages/npm/{your_package_name}/settings
Select the library repo.
You can now view the packages on the repo too.
You can add
"repository": {
"type": "git",
"url": "git+https://github.com/<user>/<repo>.git"
},
to the package.json. This allows the package to be correctly "mapped" to the repo.
As a workaround, you could use their List Packages API using GitHub CLI:
Make sure to have a classic token with the minimum required scopes: repo, read:org and read:packages
Authenticate with GitHub CLI by opening your terminal and executing the following command:
gh auth login
These are the options I choose:
What is your preferred protocol for Git operations?
HTTPS
Authenticate Git with your GitHub credentials?
Yes
How would you like to authenticate GitHub CLI?
Paste an authentication token
Paste your authentication token:
****************************************
After you are authenticated, run the following command:
gh api \
  -H "Accept: application/vnd.github+json" \
  "/orgs/{YOUR_ORG}/packages?package_type={TYPE}"
# TYPE can be one of: npm, maven, rubygems, docker, nuget, container
A json will be printed, grab the package id:
...
{
"id": 1234567,
"name": "...",
"package_type": "...",
"owner": {
"login": "...",
...
Adapt the link with the package ID and paste into your browser:
https://github.com/{$ORG}/{$PROJECT}/packages/{$ID}
This could be due to package visibility.
In my organization, we recently started having issues where new releases of some packages had severe read restrictions. The way I identified this issue was this:
In the context of my personal account (or whatever scope you are consuming the packages from), check the packages for whatever repo/org you are having problems with. In our case I could not see the newest version of a package that was reported as successfully pushed in CI.
Get someone with admin access, preferably to the organization (if the repo belongs to an organization), have them check the same thing, and compare results. In our case the org admins could see the latest versions of the package.
If having the above problems, they can be fixed (in the short-term) by setting the package visibility levels by someone with admin access to the organization.

Github Actions cannot find NuGet package hosted in GitHub Packages

I have a GitHub organisation set up and within that are two private repositories: Library and App. I have managed to configure a GitHub Action for the Library repository to create a NuGet package and push it to nuget.pkg.github.com. I added the Library package as a dependency to the App project and can fetch these locally using a configured Personal Access Token. I am now working on the GitHub Action to build and run unit tests on the App project.
I have added a step to the workflow to add the NuGet package source
- name: Set package source
  run: dotnet nuget add source --username USERNAME --password ${{ secrets.GITHUB_TOKEN }} --store-password-in-clear-text --name github "https://nuget.pkg.github.com/REDACTED/index.json"
This is exactly the same line as is used when pushing the package, but when I reach the dotnet restore step later I get the following error:
/home/runner/work/App/App/App.Services/App.Services.csproj : error NU1101:
Unable to find package Library. No packages exist with this id in source(s): github, nuget.org [/home/runner/work/App/App/App.sln]
I understand that it is likely possible to work around this by adding a new Personal Access Token to the secrets of the App repository, but would prefer to rely on GITHUB_TOKEN if possible for both the security and management benefits.
According to GitHub, installing packages hosted with GitHub Packages requires minimal configuration using GITHUB_TOKEN. And by default, GITHUB_TOKEN has both read and write permissions for packages.
This question is different from this one as that relates to an issue with empty NuGet.config files which has since been resolved.
I hit the same problem, GITHUB_TOKEN can be used to push packages but not pull packages from other repos within the same organisation. This thread has a lot of people complaining about it: https://github.com/actions/setup-node/issues/49. I was unable to get any of the workarounds there working for me, and had no option in GitHub to grant specific permissions to repositories in the organisation for packages. Had to use a PAT in the end.

Personal Access Tokens for install Github npm packages

I managed to publish a simple test package on the GitHub package registry using this tutorial: https://docs.github.com/en/packages/quickstart
Now, if I understand correctly, to use it in a project I have to create a .npmrc file with the following lines:
@OWNER:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=PAT
1- If somebody else wants to install my public package, do I need to provide them my own PAT? Or can you install any GitHub public package with your own PAT?
2- How can I hide my PAT from the .npmrc file? I tried to set up a TOKEN variable in my .env file (located in the same directory as the .npmrc file) and calling it with ${TOKEN}, but it doesn't seem to work (authentication fails when running npm install, while inserting the same PAT directly in the file it works).
Thanks
1: Any PAT with the read:packages scope can read public packages. You don't need to provide your own PAT to anyone. See docs for details.
2: npm doesn't read from local .env files. You need to export the PAT as an environment variable (export TOKEN="ABC123"). Then you can use it with ${TOKEN} when calling the registry.
Looks like you'll have to export your PAT from your local machine's shell since .npmrc does not read the .env file.
Please see the following thread:
https://stackoverflow.com/a/55578270/6026781

Installing packages from github npm registry - auth error 401

I have just published a private package on GitHub, trying to figure out how it should be working. Now I'm trying to install it in another project. I authenticated with npm login --registry=https://npm.pkg.github.com with an access token that has write:packages, read:packages and repo privileges. While trying to run npm install https://npm.pkg.github.com/@orgname/package-name I get an error message:
npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"
How can I add/get this privilege?
You need to generate a personal access token on Github and add it to your npm config in addition to setting the registry in the npm config:
In Github navigate to https://github.com/settings/tokens (Settings > Developer settings > Personal access tokens) and you should see something like this:
Click Generate new token
From the permissions select at least read:packages
Click Generate token and copy the token
Add the following to your local .npmrc:
@${OWNER}:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=${TOKEN}
See the relevant Github Packages documentation
Related: For Github Actions, be aware of the difference between the GITHUB_TOKEN and a personal access token. The Github Token's permissions are limited to the repository that contains your workflow. For anything else (including granular permissions beyond those allowed for the Github Token) you need a personal access token.
Apparently I'm an idiot who can't read documentation and missed that part:
In the same directory as your package.json file, create or edit an .npmrc file to include a line specifying GitHub Packages URL and the account owner. Replace OWNER with the name of the user or organization account that owns the repository containing your project.
registry=https://npm.pkg.github.com/OWNER
One other thing to check (this took me a while to realize):
I was getting the specified error:
npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"
Even though I thought I was correctly supplying a GITHUB TOKEN with the needed permissions.
I had set my github action to set the NODE_AUTH_TOKEN from the organization secret named GPR_PRIVATE_READ_TOKEN, which was working in another repo.
Turns out the issue was that the secret was defined to only be available to private repositories and I was trying to use it in a public repository. When I made the secret available to public repositories everything worked.
My workflow job looked like this (I'm showing all steps up to the install step in case it's helpful to someone to see):
jobs:
  ci:
    name: Run Tests
    steps:
      - name: Use Node.js 12.x
        uses: actions/setup-node@v1
        with:
          node-version: 12.x
          registry-url: https://npm.pkg.github.com/
      - uses: actions/checkout@v2
      - name: Install dependencies based on package-lock.json
        run: npm ci
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GPR_PRIVATE_READ_TOKEN }}
If your problem still persists, please be sure that your package name is in the correct format.
The above answer was the solution for me. The updated version is documented as.
Additionally, I had to ensure my PAT (personal access token) was authorized to access my organization repository.
I was struggling to figure out why the .npmrc file would only work if I placed my PAT in plaintext in the file, which just seemed daft!
The fix is to set the "TOKEN" environment variable as part of your workflow file. I have:
- run: npm install
  env:
    TOKEN: ${{ secrets.TOKEN }}
The secrets.TOKEN above refers to a Repository secret that I created for the repository that needs to access github packages:
(Repository > Settings > Security > Secrets > Actions)
And the value of this secret was copied from a Personal Access Token I created for myself that only has read:packages scope:
(User settings > Developer settings > Personal Access Tokens > Tokens (classic))
It's also reassuring to see that it detects the usage of this token!
Finally, my .npmrc file contains:
@shiraze:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=${TOKEN}
I'm using my own username rather than the organisation name as that works for me. I think I could use the organisation name when I upgrade to Github Enterprise.
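As an added example (not code from any of the answers above), this Node.js sketch audits the text of an .npmrc for the two problems discussed in these threads: a PAT written in plaintext after _authToken, and a ${VAR} reference whose environment variable is not exported. The function name auditNpmrc, the finding labels and the sample input are assumptions made for illustration.

```javascript
// Added example: audit .npmrc text for token handling (names are hypothetical).
const TOKEN_LINE = /^(\/\/[^\s=]+\/):_authToken=(.*)$/;
const SCOPE_LINE = /^(@[^:\s]+):registry=(\S+)$/;
const ENV_REF = /^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$/;

function auditNpmrc(text, env) {
  const findings = [];
  const scopes = new Map();       // scope -> registry URL
  const authedHosts = new Set();  // "//host/" prefixes that carry an _authToken
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    // Lines starting with # or ; are comments in .npmrc (ini syntax).
    if (line === '' || line.startsWith('#') || line.startsWith(';')) return;
    const scope = SCOPE_LINE.exec(line);
    if (scope) { scopes.set(scope[1], scope[2]); return; }
    const tok = TOKEN_LINE.exec(line);
    if (!tok) return;
    authedHosts.add(tok[1]);
    const ref = ENV_REF.exec(tok[2].trim());
    if (!ref) {
      // Credential stored in the file itself, so it travels with the repo.
      findings.push({ line: i + 1, issue: 'literal-token' });
    } else if (!env[ref[1]]) {
      // npm expands ${VAR} from the process environment, not from .env files.
      findings.push({ line: i + 1, issue: 'env-var-unset', name: ref[1] });
    }
  });
  for (const [scope, url] of scopes) {
    const prefix = '//' + new URL(url).host + '/';
    if (!authedHosts.has(prefix)) {
      findings.push({ scope, issue: 'registry-without-token' });
    }
  }
  return findings;
}

// Constructed sample input; the token value is a placeholder, not a credential.
const sample = [
  '@OWNER:registry=https://npm.pkg.github.com',
  '//npm.pkg.github.com/:_authToken=PLACEHOLDER_TOKEN',
].join('\n');
console.log(auditNpmrc(sample, process.env));
```

A registry-without-token finding is only a hint, since the token may live in the user-level .npmrc or be supplied by the CI job.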
This is what worked with me
C:\Program Files\nodejs\node_modules\npm\npmrc
update the file here & your error will be resolved

Bower install with Artifactory

I’m trying to set up an operation where the only internet access to external repos is via artifactory server. I have followed the bower information on this web page http://www.jfrog.com/confluence/display/RTF/Bower+Repositories
I can successfully do the npm installs of bower-art-resolver as described (utilizing npm remote repository for npmjs in artifactory), but then trying to do the example bower install of bootstrap it fails because bower is attempting to find git://github.com/twbs/bootstrap.git and I don't have access to github.com due to firewalls.
How do I make the full bower workflow work then if having the bower registry remote repository is not sufficient to make the setup work? Is there some way that the artifactory VCS functions come into play? How would I make bower utilize that instead of trying to reach github.com?
This firewall scenario seems like a common use case for a repository server, so I'm sure I'm missing something.
Make sure you are doing the following:
(1) Create a remote repository in Artifactory proxying the Bower registry. Notice that Artifactory will need to access both the Bower registry and Github.
(2) Configure Bower to use the Artifactory repository you created in the previous step as the Bower registry. This should be done in the .bowerrc file, for example:
{
  "registry": "http://localhost:8081/artifactory/api/bower/bower-repo"
}
(3) Use bower-art instead of bower when installing packages, for example:
bower-art install bootstrap