Skip to content

Instantly share code, notes, and snippets.

@nandorojo

nandorojo/private-npm-in-gh-actions.md

Created August 3, 2021 23:52
Show Gist options
  • Save nandorojo/46b3e46de12177b9ad7e4d454310de21 to your computer and use it in GitHub Desktop.
Save nandorojo/46b3e46de12177b9ad7e4d454310de21 to your computer and use it in GitHub Desktop.
Download ZIP
Use private NPM packages in your GitHub actions
Raw
private-npm-in-gh-actions.md

1 NPM_TOKEN

Add an NPM_TOKEN secret on GitHub. Get your secret key from the NPM dashboard.

2 Add a step to your action

- name: Authenticate with private NPM package
  run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc

A full example might look like:

name: Install cached packages
jobs:
  install-with-cache:
    name: Create new build on EAS
    runs-on: ubuntu-latest
    steps:
      - name: Setup repo
        uses: actions/checkout@v2
      - name: Setup node
        uses: actions/setup-node@v1
        with:
          node-version: 14.x
      - name: Find yarn cache
        id: yarn-cache-path
        run: echo "::set-output name=dir::$(yarn cache dir)"
      - name: Restore cache
        uses: actions/cache@v2
        with:
          path: ${{ steps.yarn-cache-path.outputs.dir }}
          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
          restore-keys: |
            ${{ runner.os }}-yarn-
      - name: Authenticate with private NPM package
        run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
      - name: Install dependencies
        run: yarn install --frozen-lockfile --check-files
@pavelbinar
Copy link

Thank you!

@juliodialpad
Copy link

It works, thank you!

@nandorojo
Copy link
Author

I’m glad that this niche gist helped some internet strangers haha

@jamesmhaley
Copy link

And so it rolls on. +1 @nandorojo

@ssagli
Copy link

ssagli commented Sep 23, 2022

omg don't know how thankful I am to have found this gist ✨ Thank you so much!

@nandorojo
Copy link
Author

🕺

@tiholic
Copy link

tiholic commented Nov 5, 2022

A better way using GITHUB_TOKEN directly:

actions/setup-node#49 (comment)

@Emmanuerl
Copy link

Can someone help explain what this NPM_TOKEN is and how i can get it ?

@Namekkural
Copy link

I was having issues with private repos for a few weeks now. Something must have changed in the way the workers are set up.

for me this line didn't work anymore:
run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc

instead I had to change it to the absolute path that I only saw by accident because somehow the action printed it in the logs:
run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > /home/runner/work/_temp/.npmrc

If someone knows why this changed or maybe why it only changed for us please let me know.
Hope this helps someone out there.

@Emmanuerl you can get this NPM_TOKEN from the npm registry you are using for your private package. We host ours on Github packages and get this token in the developer settings by creating a classic access token with read right to packages. Writing it to the .npmrc file is equal to logging in via npm login on the console but without the need for interactivity.

@Emmanuerl
Copy link

I was having issues with private repos for a few weeks now. Something must have changed in the way the workers are set up.

for me this line didn't work anymore: run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc

instead I had to change it to the absolute path that I only saw by accident because somehow the action printed it in the logs: run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > /home/runner/work/_temp/.npmrc

If someone knows why this changed or maybe why it only changed for us please let me know. Hope this helps someone out there.

@Emmanuerl you can get this NPM_TOKEN from the npm registry you are using for your private package. We host ours on Github packages and get this token in the developer settings by creating a classic access token with read right to packages. Writing it to the .npmrc file is equal to logging in via npm login on the console but without the need for interactivity.

Thank you! I figured it out already and forgot to update this thread but i'm glad we now have a public reference!

@damusix
Copy link

damusix commented Jul 22, 2024

You probably want to say echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > .npmrc to write to this project's npmrc, or just set ${{ secrets.NPM_TOKEN }} as whatever .env you use in the comitted file.

@Namekkural
Copy link

this is the way we have done it for years but suddenly it stopped working. The solution I posted above worked for me in the end. Maybe there is (or was) a symlink to .npmrc missing or something in the GitHub runners. In any case, I needed to change the path to the specific absolute path in order for it to work.

@LersCode
Copy link

Adding this to my action.yml worked like a charm. Thank you very much :)
- name: Authenticate with private NPM package
run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment