Npm publish - secrets.GITHUB_TOKEN not used because .npmrc exists

[elexisvenator]

I have the following workflow to create and publish a npm package to github packages. It was copied verbatim from another repository where it works without issue. However for this repo it says that the token (the built in GITHUB_TOKEN) is missing scopes.

# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages
name: Publish
on:

push:

branches:

- master
jobs:

release:

runs-on: ubuntu-latest

steps:

- uses: actions/checkout@v2

- uses: actions/setup-node@v1

with:

node-version: 12

registry-url: https://npm.pkg.github.com/

scope: '@pageuppeopleorg'

- run: npm i

- run: npm run create

- name: Bump version and push tag

id: tag

uses: anothrNick/github-tag-action@1.17.2

env:

GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

WITH_V: true

RELEASE_BRANCHES: master

DEFAULT_BUMP: patch

- name: version

run: npm --no-git-tag-version --allow-same-version version ${{ steps.tag.outputs.tag }}

- name: publish

run: npm publish

env:

NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Result of the publish step:

npm notice 
npm ERR! code E401
npm ERR! 401 Unauthorized - PUT https://npm.pkg.github.com/@pageuppeopleorg%2fpageup-ui-gateway-deploy-tool - Your token has not been granted the required scopes to execute this query. The 'createPackageVersion' field requires one of the following scopes: ['write:packages'], but your token has only been granted the: ['read:packages', 'repo'] scopes. Please modify your token's scopes at: https://github.com/settings/tokens.

As far as I am aware, the secrets.GITHUB_TOKEN should have packages:write. So I have no idea what i going on here. Anyone seen something similar?

[elexisvenator]

UPDATE: Turns out the issue is that i had a .npmrc file checked in. The file has a token that granted read package access to github packages.

Checking this file in was intentional and a pattern we use in our private repositories. So I will change the question to: How do I get npm to use the secrets.GITHUB_TOKEN when a .npmrc file already exists?

[BrightRan]

@elexisvenator,

At first, you need to understand the restrictions of the GITHUB_TOKEN:

The permissions of GITHUB_TOKEN are limited to the repository that contains your workflow.
If you need a token that requires permissions that aren’t available in the GITHUB_TOKEN, you can create a personal access token and set it as a secret in your repository.

This means the scope of the GITHUB_TOKEN is only inside of the repository where the current workflow is running. If the scope you require is beyond the current repository, you need to create a personal access token to obtain more scopes.
You can reference the docs about Authenticating with the GITHUB_TOKEN to view more details.

If you have configured a .npmrc file for your npm package and want to use the GITHUB_TOKEN in the .npmrc file, you need to do the steps below:

1. In the workflow file,

• when setup node, do not set registry-url on the setup-node action.
• set secrets.GITHUB_TOKEN as an environment variable in the workflow.

- name: setup node
  uses: actions/setup-node@v1
  with:
    node-version: 12
. . .

name: publish

run: npm publish

env:

GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

2. In the .npmrc file use the variable name you set in the workflow file to access the environment variable for the GITHUB_TOKEN.

//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}

The following is a simple example as reference.:

github.com

TestGitHubPackagesRML/TestNpm/blob/080990526adbb61b0365e4b207d972de7d46dc77/.npmrc

//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}
registry=https://npm.pkg.github.com/testgithubpackagesrml

github.com

TestGitHubPackagesRML/TestNpm/blob/080990526adbb61b0365e4b207d972de7d46dc77/.github/workflows/CI.yml

# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages
name: CI
on: push
env:

MAIN_VER: 1
jobs:

publish_gpr:

name: Publish to GitHub Packages Registry

runs-on: ubuntu-latest

steps:

- name: Checkout code

uses: actions/checkout@v2
  - name: Setup node
    uses: actions/setup-node@v1

This file has been truncated. show original

[elexisvenator]

Hi @brightran,
Thanks for the reply :slight_smile: The .npmrc file has a different token in it, more restrictive than the GITHUB_TOKEN. I want to leave that there, but for the the github action workflow (specifically the publish step) I want to override the usage of that token with the GITHUB_TOKEN instead.

[BrightRan]

@elexisvenator,

You can try to use the sed command to replace the token with the GITHUB_TOKEN in the .npmrc file, before executing the publish step. Here you also may need using regular expression in the sed command.
A simple example as reference:

- name: replace token
  run: echo "$(sed 's/\(_authToken=\)[a-z0-9]*\($\)/\1${{ env.GITHUB_TOKEN }}\2/g' .npmrc)" > .npmrc
  env:
    GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

[elexisvenator]

Thanks @brightran, the sed command worked for me 😃

[vprasanth]

Using just wrap a npm preinstall step to echo //npm.pkg.github.com/:_authToken=$GITHUB_TOKEN >> .npmrc