Use private NPM packages in your GitHub actions

private-npm-in-gh-actions.md

1 NPM_TOKEN

Add an NPM_TOKEN secret on GitHub. Get your secret key from the NPM dashboard.

2 Add a step to your action

- name: Authenticate with private NPM package
  run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc

A full example might look like:

name: Install cached packages
jobs:
  install-with-cache:
    name: Create new build on EAS
    runs-on: ubuntu-latest
    steps:
      - name: Setup repo
        uses: actions/checkout@v2
      - name: Setup node
        uses: actions/setup-node@v1
        with:
          node-version: 14.x
      - name: Find yarn cache
        id: yarn-cache-path
        run: echo "::set-output name=dir::$(yarn cache dir)"
      - name: Restore cache
        uses: actions/cache@v2
        with:
          path: ${{ steps.yarn-cache-path.outputs.dir }}
          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
          restore-keys: |
            ${{ runner.os }}-yarn-
      - name: Authenticate with private NPM package
        run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
      - name: Install dependencies
        run: yarn install --frozen-lockfile --check-files 

I was having issues with private repos for a few weeks now. Something must have changed in the way the workers are set up.

for me this line didn't work anymore:
run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc

instead I had to change it to the absolute path that I only saw by accident because somehow the action printed it in the logs:
run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > /home/runner/work/_temp/.npmrc

If someone knows why this changed or maybe why it only changed for us please let me know.
Hope this helps someone out there.

@Emmanuerl you can get this NPM_TOKEN from the npm registry you are using for your private package. We host ours on Github packages and get this token in the developer settings by creating a classic access token with read right to packages. Writing it to the .npmrc file is equal to logging in via npm login on the console but without the need for interactivity.

I was having issues with private repos for a few weeks now. Something must have changed in the way the workers are set up.

for me this line didn't work anymore: run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc

instead I had to change it to the absolute path that I only saw by accident because somehow the action printed it in the logs: run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > /home/runner/work/_temp/.npmrc

If someone knows why this changed or maybe why it only changed for us please let me know. Hope this helps someone out there.

@Emmanuerl you can get this NPM_TOKEN from the npm registry you are using for your private package. We host ours on Github packages and get this token in the developer settings by creating a classic access token with read right to packages. Writing it to the .npmrc file is equal to logging in via npm login on the console but without the need for interactivity.

Thank you! I figured it out already and forgot to update this thread but i'm glad we now have a public reference!

You probably want to say echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > .npmrc to write to this project's npmrc, or just set ${{ secrets.NPM_TOKEN }} as whatever .env you use in the comitted file.

this is the way we have done it for years but suddenly it stopped working. The solution I posted above worked for me in the end. Maybe there is (or was) a symlink to .npmrc missing or something in the GitHub runners. In any case, I needed to change the path to the specific absolute path in order for it to work.

Adding this to my action.yml worked like a charm. Thank you very much :)
- name: Authenticate with private NPM package
run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc