Installing packages from github npm registry - auth error 401 - github

I have just published a private package on GitHub, trying to figure out how it should be working. now I'm trying to install it in another project. I authenticated with npm login --registry=https://npm.pkg.github.com with an access token that has write:packages, read:packages and repo privileges. While trying to run npm install https://npm.pkg.github.com/#orgname/package-name I get an error message:
npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"
How can I add/get this privilege?

You need to generate a personal access token on Github and add it to your npm config in addition to setting the registry in the npm config:
In Github navigate to https://github.com/settings/tokens (Settings > Developer settings > Personal access tokens) and you should see something like this:
Click Generate new token
From the permissions select at least read:packages
Click Generate token and copy the token
Add the following to your local .npmrc:
#${OWNER}:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=${TOKEN}
See the relevant Github Packages documentation
Related: For Github Actions, be aware of the difference between the GITHUB_TOKEN and a personal access token. The Github Token's permissions are limited to the repository that contains your workflow. For anything else (including granular permissions beyond those allowed for the Github Token) you need a personal access token.

Apparently I'm an idiot who can't read documentation and missed that part:
In the same directory as your package.json file, create or edit an .npmrc file to include a line specifying GitHub Packages URL and the account owner. Replace OWNER with the name of the user or organization account that owns the repository containing your project.
registry=https://npm.pkg.github.com/OWNER

One other thing to check (this took me a while to realize):
I was getting the specified error:
npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"
Even though I thought I was correctly supplying a GITHUB TOKEN with the needed permissions.
I had set my github action to set the NODE_AUTH_TOKEN from the organization secret named GPR_PRIVATE_READ_TOKEN, which was working in another repo.
Turns out the issue was that the secret was defined to only be available to private repositories and I was trying to use it in a public repository. When I made the secret available to public repositories everything worked.
My workflow job looked like this (I'm showing all steps up to the install step in case it's helpful to someone to see):
jobs:
ci:
name: Run Tests
steps:
- name: Use Node.js 12.x
uses: actions/setup-node#v1
with:
node-version: 12.x
registry-url: https://npm.pkg.github.com/
- uses: actions/checkout#v2
- name: Install dependencies based on package-lock.json
run: npm ci
env:
NODE_AUTH_TOKEN: ${{ secrets.GPR_PRIVATE_READ_TOKEN }}

If your problem still persist, please be sure that your package name is in correct format.

The above answer was the solution for me. The updated version is documented as.
Additionally, I had to ensure my PAT (personal access token) was authorized to access my organization repository.

I was struggling to figure out why the .npmrc file would only work if I placed my PAT in plaintext in the file, which just seemed daft!
The fix is to set the "TOKEN" environment variable as part of your workflow file. I have:
- run: npm install
env:
TOKEN: ${{ secrets.TOKEN }}
The secrets.TOKEN above refers to a Repository secret that I created for the repository that needs to access github packages:
(Repository > Settings > Security > Secrets > Actions)
And the value of this secret was copied from a Personal Access Token I created for myself that only has read:packages scope:
(User settings > Developer settings > Personal Access Tokens > Tokens (classic))
It's also reassuring to see that it detects the usage of this token!
Finally, my .npmrc file contains:
#shiraze:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=${TOKEN}
I'm using my own username rather than the organisation name as that works for me. I think I could use the organisation name when I upgrade to Github Enterprise.

This is what worked with me
C:\Program Files\nodejs\node_modules\npm\npmrc
update the file here & your error will be resolved

Related

npm ERR! 401 Unauthorized - Unauthenticated: User cannot be authenticated with the token provided

I am new to GitHub and I have created a ACTIONS in GitHub Enterprise 3.7 to publish the package to GitHub Package.
But the job failed with log as below:
I have setup the Repository Token as shown below:
The value of Token I have retrieved from here
and assign to value for REPOSITORY secret NPM_TOKEN
However, it just said the TOKEN cannot be authenticate. Any idea where I doing wrong?
***Add on - The ACTIONS will run success if I assign the TOKEN value where I get from my GitHub Access token (Setup in GitHub.com but not GitHub Enterprise), ACTION will run success. However, the published package will only show in my GitHub but not in my GitHub Enterprise.
GitHub Enterprise Account will not able to see that Published Package.

Github Actions cannot find NuGet package hosted in GitHub Packages

I have a GitHub organisation set up and within that are two private repositories: Library and App. I have managed to configure a GitHub Action for the Library repository to create a NuGet package and push it to nuget.pkg.github.com. I added the Library package as a dependency to the App project and can fetch these locally using a configured Personal Access Token. I am now working on the GitHub Action to build and run unit tests on the App project.
I have added a step to the workflow to add the NuGet package source
- name: Set package source
run: dotnet nuget add source --username USERNAME --password ${{ secrets.GITHUB_TOKEN }} --store-password-in-clear-text --name github "https://nuget.pkg.github.com/REDACTED/index.json"
This is exactly the same line as is used when pushing the package, but when I reach the dotnet restore step later I get the following error:
/home/runner/work/App/App/App.Services/App.Services.csproj : error NU1101:
Unable to find package Library. No packages exist with this id in source(s): github, nuget.org [/home/runner/work/App/App/App.sln]
I understand that it is likely possible to work around this by adding a new Personal Access Token to the secrets of the App repository, but would prefer to rely on GITHUB_TOKEN if possible for both the security and management benefits.
According to GitHub, installing packages hosted with GitHub Packages requires minimal configuration using GITHUB_TOKEN. And by default, GITHUB_TOKEN has both read and write permissions for packages.
This question is different from this one as that relates to an issue with empty NuGet.config files which has since been resolved.
I hit the same problem, GITHUB_TOKEN can be used to push packages but not pull packages from other repos within the same organisation. This thread has a lot of people complaining about it: https://github.com/actions/setup-node/issues/49. I was unable to get any of the workarounds there working for me, and had no option in GitHub to grant specific permissions to repositories in the organisation for packages. Had to use a PAT in the end.

Personal Access Tokens for install Github npm packages

I managed to publish a simple test package on the Github packageregistry using this tutorial : https://docs.github.com/en/packages/quickstart
Now, if I understand correctly, to use it in a project I have to create a .npmrc file with the following lines :
#OWNER:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=PAT
1- If somebody else wants to install my public package, do I need to provide them my own PAT ? Or can you install any Github public package with your own PAT ?
2- How can I hide my PAT from the .npmrc file ? I tried to setup a TOKEN variable in my .env file (located in the same directory as the .npmrc file) and calling it with ${TOKEN}, but it doesn't seem to work (authentication fails when running npm install, while inserting the same PAT directly in the file it works).
Thanks
1: Any PAT with the read:packages scope can read public packages. You don't need to provide your own PAT to anyone. See docs for details.
2: npm doesn't read from local .env files. You need to export the PAT as an environment variable (export TOKEN="ABC123"). Then you can use it with ${TOKEN} when calling the registry.
Looks like you'll have to export your PAT from your local machine's shell since .npmrc does not read the .env file.
Please see the following thread:
https://stackoverflow.com/a/55578270/6026781

Installing public npm packages from the GitHub package registry

1.I publish a public package in an organization repo.
The repo link : https://github.com/JX3BOX/jx3box-config/packages/141887
2.And I wanna install the package from another repo.
I had set the dependencies in the package.json
"dependencies": {
"#jx3box/jx3box-config": "^1.0.3",
and I created a file named .npmrc ,and set :
#jx3box:registry=https://npm.pkg.github.com
3.When I use github actions to build
There is an error occur
Running build scripts... npm install && npm run build
npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"
It means maybe I need auth.But This is an public package.Is it should be auth too?
4.Now I had to prepend a line in the file .npmrc,just like
//npm.pkg.github.com/:_authToken=<mytoken>
But how can I set it in the actions .
or because this is a public pkg,how can I don't need any auth?
Thanks a lot!! ^_^
This is probably solved but posting anyway because this question ranks high on Google.
From the GitHub Docs:
You need an access token to publish, install, and delete packages. You can use a personal access token to authenticate with your username directly to GitHub Packages or the GitHub API.[...]
You cannot install packages (even public ones) from the GitHub npm registry without being authenticated.
More details and multiple authentication methods here:
https://docs.github.com/en/packages/guides/configuring-npm-for-use-with-github-packages#authenticating-to-github-packages
The docs should be updated.
You need an access token to publish, install, and delete packages.
This should really be changed to;
You need an access token to publish, install, and delete both private and public packages.

How to use Heroku config vars with GitHub to install remote private repo?

I would like to remove my user name and personal access token from the package.json file in my React application.
The package being installed is a private remote GitHub repository for which I am the owner.
The request is being made over the HTTPS protocol.
E.g: "react-trello": "https://username:token#github.com/username/react-trello.git#dev/branch"
I have a PAT issued from GitHub. But I'm having trouble accessing them in the package.json file in my project.
Should I create Heroku config vars with the PAT value?
heroku config:set -a my-app GITHUB-TOKEN=466ghdf57
In Heroku config you can set variable names to use with GitHub. How do I set my user name, password and token? As Heroku config variables?
E.g: USERNAME, GITHUB-USER, TOKEN, GITHUB-TOKEN.
I've tried creating variables such as USERNAME, TOKEN, GITHUB_USER. But it doesn't work if I remove my credentials from the package.json file.
E.g: "react-trello": "https://github.com/username/react-trello.git#dev/branch".
I get an error: Fatal: Could not read Username for "https://github.com".
Am I missing something?
Heroku doesn't provide this out of the box, and package.json doesn't natively support environment variables.
One option is to build your dependency as an NPM packages and publish it on a private package repository, e.g. Gemfury, whose Heroku addon has a free plan supporting a single private module.
Briefly, you can publish your module to Gemfury with https://npm-proxy.fury.io/APPID/, followed by npm login and npm publish. Then, in the Heroku app that depends on your private module, add a .npmrc file containing
always-auth=true
registry=https://npm-proxy.fury.io/APPID/
//npm-proxy.fury.io/APPID/:_authToken=${FURY_AUTH}
and set a Heroku config var FURY_AUTH containing your Gemfury auth token.
This does mean you'll have to update your published library on Gemfury before the dependent application will see changes you make to it. This is probably a good idea anyway; depending on specific tagged releases is safer than depending on mutable branches.
There is also this workaround which may let you effectively inject environment variables into your package.json, but I haven't tried it.