github-actionsyarnpkggithub-package-registrygithub-packages

Workflow with private package and yarnrc.yml reference results in 403 from registry-url

I am setting up a new GitHub Actions workflow which requires installing dependencies with yarn which includes a private package hosted on GitHub Packages. For local development, we have a .yarnrc.yml file:

nodeLinker: node-modules

yarnPath: .yarn/releases/yarn-3.6.4.cjs
npmScopes:
  ourCustomScope:
    npmRegistryServer: https://npm.pkg.github.com
    npmAuthToken: ${GITHUB_PACKAGES_TOKEN}

So I create my workflow as follows:

name: CI - Lint
on:
  push:
    branches:
      - main
      - dev
  pull_request:

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

env:
  GITHUB_PACKAGES_TOKEN: ${{secrets.GITHUB_TOKEN}}
    
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Use Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20.x'
          cache: 'yarn'
          registry-url: https://npm.pkg.github.com
          scope: '@ourCustomScope'
      - name: Install dependencies
        run: yarn --immutable
        env:
          GITHUB_PACKAGES_TOKEN: ${{secrets.GITHUB_TOKEN}}
      - name: Lint & Format
        run: yarn lint

The workflow fails during the Install Dependencies step:

Run yarn --immutable
➤ YN0000: ┌ Resolution step
Resolution step
➤ YN0000: └ Completed in 0s 576ms
➤ YN0000: ┌ Fetch step
Fetch step
➤ YN0035: @ourCustomScope/our-package@npm:0.5.0::__archiveUrl=https%3A%2F%2Fnpm.pkg.github.com%2Fdownload%2F%40ourscope%2Four-package%2F0.5.0%2Fefc87a511fa65b9572efce9df2c50342b4864bbc: The remote server failed to provide the requested resource
➤ YN0035:   Response Code: 403 (Forbidden)
➤ YN0035:   Request Method: GET
➤ YN0035:   Request URL: https://npm.pkg.github.com/download/@ourScope/our-package/0.5.0/efc87a511fa65b9572efce9df2c50342b4864bbc
➤ YN0000: └ Completed in 2m 29s
➤ YN0000: Failed with errors in 2m 30s
Error: Process completed with exit code 1.

Why the 403? Is my setup incorrect?

Solution

  • .yarnrc.yml does not support resolving environment variables. You need to set it in the workflow via

    yarn config set 'npmRegistries["//npm.pkg.github.com"].npmAuthToken' "${{secrets.GITHUB_TOKEN}}"

    or

    yarn config set 'npmScopes.ourCustomScope.npmAuthToken' "${{secrets.GITHUB_TOKEN}}"