Cant execute npm install if the package comes from a different organization using github app token

[lloydsanchez1201]

Select Topic Area

Question

Body

Hi, seeking some advise to how to resolve issue with permission/authentication when doing an npm install if the packages comes from a different organization. Here are the contexts:

FROM ORG 1

• Source Package: npm package (internal)
• Github App: allow the repository where the package is linked to with the following permission {"actions":"write","administration":"read","attestations":"read","contents":"write","environments":"read","metadata":"read","packages":"write","secrets":"read"}
• Github App: Generated private key token

FROM ORG 2 [This is where the npm install should be performed]

• Github Actions with corresponding secrets for the github app private token
• From the github actions, we utilized third-party actions to create a token = GITHUB_TOKEN
• Utilizing npmrc to authenticate with registry using the generated github token
• And here goes npm install, but failed

Upon triggering the workflow, its gets us to this error:

npm http fetch GET 403 https://npm.pkg.github.com/@org%2fcomponents-library 384ms (cache skip)
npm http fetch GET 403 https://npm.pkg.github.com/@org%2fcomponents-library-vue 194ms (cache skip)
npm verbose stack HttpErrorGeneral: 403 Forbidden - GET https://npm.pkg.github.com/@org%2fcomponents-library-vue - Permission installation not allowed to Read organization package

QUESTIONS:
So not sure this time if github supports similar strategy? Or you guys have done it before? Would you mind sharing your thought?
Is there something that needs to be done inside ORG 2's settings?

NOTE: We are leaning away from using PAT.

[qoomon]

Maybe my project could solve your use case, have a look at https://github.com/qoomon/actions--access-token

[lloydsanchez1201]

hmm we've been using this actually https://github.com/peter-murray/workflow-application-token-action.

[qoomon]

This is basically the same approach, however the private key of the GitHub app is never accessible by any GitHub actions run. Therefore you don't need to share a secret across multiple repositories or create an an GitHub app for everyone repository. With my approach you also have way more fine-grained access control options.

[grandmas-favorite]

Nice work @qoomon! This will certainly help others who experience this issue 😄

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬