Suddenly started receiving 403 Forbidden when fetching private packages in Github Actions

[valdemarrolfsen]

Hi,

Today we suddenly started receiving 403 Forbidden when installing private packages in an action:

error An unexpected error occurred: "https://npm.pkg.github.com/download/<our-org>/<package-name>/<version>/c465454e5b804aedd348669764fb1bc7ae6a68ec: Request failed \"403 Forbidden\"".

The issue only occurred for a new package published today and we noticed that Github recently (have not seen it before at least) has extended package settings in order to define permissions for packages. However, when updating the permissions to match previous packages we are still getting the 403 from actions.

Locally we are able to install the packages but for some reason the standard GITHUB_TOKEN or ${{ github.token }} does not have the right permissions. (The GitHub token has the default permissions read/write permissions on the organization level.)

[aron-hivebrite]

I got the same problem when I did:
yarn add my-package

➤ YN0027: my-package@unknown can't be resolved to a satisfying range
➤ YN0035: The remote server failed to provide the requested resource
➤ YN0035: Response Code: 403 (Forbidden)
➤ YN0035: Request Method: GET
➤ YN0035: Request URL: https://npm.pkg.github.com/my-package

Do you have any aidea?

[trondtactile]

We had the same issue, sort of. We have no issue downloading packages from new package repositories, however, we have problems querying for package versions.

What we found is that new package repositories do not have the Inherit access from source repository enabled by default.
HOWEVER... enabling this setting allowed us to query package versions using Github API, but NOT GraphQL... So something seems to be broken internally.

Also, Inherit access from source repository does not seem to be exposed for manipulation by their API, which sucks...

[ashwch]

In my case the issue was the billing limit, yarn add still shows just 403(even with --verbose) but using npm add we got:

npm ERR! 403 403 Forbidden - GET https://npm.pkg.github.com/download/***** - Permission permission_denied: Account has reached its billing limit. Contact support or your organization admin to increase the quota. https://docs.github.com/en/github/setting-up-and-managing-billing-and-payments-on-github/about-billing-for-github-packages

[tom-sherman]

I just ran into this. For me the problem was that I had set some permissions incorrectly in my job. contents: read was assumed by default, in my workflow I had:

permissions:
  id-token: write

This permissions block doesn't extend the default settings, it instead overwrites it. So the above yaml implicitly has contents: none. The fix was quite simple, just apply the contents: read permission explicitly. Note that metadata: read is also part of the defaults, so you may need to set that also if you run into the same scenario.

The fixed yaml:

 permissions:
   id-token: write
+  contents: read