Workflow GITHUB_TOKEN not authorised to download packages from GitHub registry

[benjamin-guibert]

Select Topic Area

Question

Body

Following this documentation, I'm using the default GITHUB_TOKEN secret to download & publish packages from another repository of mine (same scope) on GitHub registry, from a workflow. Yarn is configured to use the environment variable GITHUB_TOKEN. When using the default GITHUB_TOKEN secret, I get a 403 (Forbidden) error when downloading the package.

When using a PAT (a secret named TOKEN that I define manually with write:packages right), it works fine, when not using any token, I get a different error. Therefore, I assume the token is well transmitted and there is a right issue.

What am I missing?

Thank you.

Here is my repository settings (Actions > General) :

• Allow all actions and reusable workflows: Any action or reusable workflow can be used, regardless of who authored it or where it is defined.
• Read & write permissions: Workflows have read and write permissions in the repository for all scopes.

Here is a test workflow (link here):

name: Test Token

on:
  workflow_dispatch:

jobs:
  # Fail
  github:
    name: Test GitHub Token
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v3
      - name: Setup Node
        uses: actions/setup-node@v3
        with:
          node-version: 18
      - name: Install dependencies
        run: yarn install
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # Success
  pat:
    name: Test PAT
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v3
      - name: Setup Node
        uses: actions/setup-node@v3
        with:
          node-version: 18
      - name: Install dependencies
        run: yarn install
        env:
          GITHUB_TOKEN: ${{ secrets.TOKEN }}

[helloint]

Hi @benjamin-guibert, have you resolved your issue? I have run into the same issue.
I think #53343 and #43521 are talking about the same issue.

[benjamin-guibert]

Hello, no I switched to a PAT. 😢

[dumitrux]

I'm afraid it is not possible to download other repositories using the GITHUB_TOKEN. As stated in the provided Automatic token authentication documentation, this token is specifically designed with limited permissions that only apply to the repository where your workflow resides.
Documentation quote:

The token's permissions are limited to the repository that contains your workflow.

Even if there were a method to modify the permissions for the GITHUB_TOKEN, those permissions would still only be applicable to the same repository where the workflow is located.

[helloint]

Thanks @dumitrux and @benjamin-guibert to share your experience and thoughts.
I think @dumitrux is correct, the repos GITHUB_TOKEN is limited inside the repo level, which makes it impossible to install the packages that is published under the orgs Packages.
The key reason I want to use GITHUB_TOKEN to install the packages, is that the 'Billing and plans' said that installing packages via GITHUB_TOKEN, the data transfer is free.

All data transferred out, when triggered by GitHub Actions, and data transferred in from any source is free. We determine you are downloading packages using GitHub Actions when you log in to GitHub Packages using a GITHUB_TOKEN.
https://docs.github.com/en/billing/managing-billing-for-github-packages/about-billing-for-github-packages#about-billing-for-github-packages

This design seems weird, if a company has lots of private packages published on GitHub, then the actions of the repo in same orgs, installing these packages will cost the data transfer and company have to pay it?

[helloint]

just let you know that it works on my side right now.
I spent half day testing the GITHUB_TOKEN on my own org with Free Plan and it just doesn't work.
Then the next day, I tried on the company org with Team Plan and it works!
At the moment I can't tell if this is about the Plan. When I have time I maybe can test and verify.

[ning-wang-bl]

I found one way, at least it works for me:
I have 2 private repos.
repo A publishes a docker image into ghcr.io, repo B uses the docker image for ci.
Billing plan is free.

repo A uses secrets.GITHUB_TOKEN to publish image, repo B uses secrets.GITHUB_TOKEN to pull docker image from repo A.

What I did:

1. in repo A, publish image with action by following:
   ref: https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#publishing-a-package-using-an-action

2. in Manage Actions access setting page of the package of repo A, pick repo B to have read access
   The url has the format:
   (for org user) https://github.com/orgs/${orgnization}/packages/container/${image}/settings
   or (private user) https://github.com/users/${username}/packages/container/${image}/settings

ref:
https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#upgrading-a-workflow-that-accesses-a-registry-using-a-personal-access-token

https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility

3. in repo B, set the credentials

ref: https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container#defining-credentials-for-a-container-registry

hope this helps.

[muttli]

Solved it for me! Thank you! :-)

[leavesster]

I was able to download GitHub npm registry by actions/setup-node in same org different repo, hope it useful for you.

but I was unable to publish a npm package to GitHub npm registry.

name: Node.js Package

on:
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 16
          registry-url: https://npm.pkg.github.com/
# write your github npm scope
          scope: '@example'
      - run: npm install
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

[maluramichael]

I think this is only possible when both repos are private or both are public. In our case it does not work. I try to pull a package from a private github repo inside a public action and it fails.

- name: Configure node
  uses: actions/setup-node@v3
  with:
    node-version: 16.x
    cache: "npm"
    registry-url: "https://npm.pkg.github.com"
    scope: "@calliope-edu"
- run: npm ci
  env:
    NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: npm install --no-save @calliope-edu/calliope-theme

Run npm install --no-save @calliope-edu/calliope-theme
  
npm ERR! code E403
npm ERR! 403 403 Forbidden - GET https://npm.pkg.github.com/@calliope-edu%2fcalliope-theme - Permission permission_denied: read_package
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy, or
npm ERR! 403 on a server you do not have access to.

And the action permissions look like this. Which states Access is allowed only from private repositories.

[maluramichael]

I think i found the solution myself. I had to explicit add the other repo to the package permissions.

[merzavko]

I think i found the solution myself. I had to explicit add the other repo to the package permissions.

this solved an issue for me, thanks for sharing!

[leavesster]

I almost forget this discussion. After a few months I found the reason for github npm registry.
For those who is still suck with this, I hope these message will help you.

When you publish a npm package to github npm registry, The npm package in github npm registry has three access options:

1. public
2. private
3. internal

you can find these option explain in document

when publishing a private package, the default access is private which prevent other repo (we can call it repo A) GITHUB_TOKEN download this package.

You need change it to internal so that GITHUB_TOKEN in same org can download it without any future configuration. Or you can add this repo A to access Repo in package setting.