The project's local development environment makes it mandatory to have a .npmrc
file with the following content:
registry=https://registry.npmjs.org/
@my-organization:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=your-GitHub-token-should-be-here-and-I-will-not-share-my-for-security-reasons
Hence, any client properly authenticated into the GitHub Packages Registry can install our private NPM packages hosted for free on GitHub Registry by running:
npm ci @my-organization/our-package
Ok, it works on my local development environment.
Now, I am building a Continuous Integration process with GitHub Actions which is a different but similar challenge. I have this on my .yaml
file:
- name: Create .npmrc for token authentication
uses: healthplace/npmrc-registry-login-action@v1.0
with:
scope: '@my-organization'
registry: 'https://npm.pkg.github.com'
# Every user has a GitHub Personal Access Token (PAT) to
# access NPM private repos. The build of GitHub Actions is
# symmetrical to what every developer on the project has to
# face to build the application on their local development
# environment. Hence, GitHub Actions also needs a Token! But,
# it is NOT SAFE to insert the text of a real token on this
# yml file. Thus, the institutional workaround is to insert
# the `{{secret}}` below which is aligned/set in the project
# settings on GitHub!
auth-token: ${{secrets.my_repo_secret_key_which_is_not_being_shared}}
On GitHub settings->secrets->actions->"add secret"
:
On the secret
value, I added the same content I have on .npmrc
.
I was expecting it to work. Unfortunately, an error message is retrieved:
Error: fatal: could not read Username for 'https://github.com': terminal prompts disabled
Why is that so?
I made the mistake of adding all the content on my .npmrc
.
It is wrong. And GitHub already knows some things, such as the scope. @my-organization
.
Hence, the solution is only adding the following snippet (using the example provided on the question):
your-GitHub-token-should-be-here-and-I-will-not-share-my-for-security-reasons
And it works as expected :)