Installing privately-published package without PAT

[markthethomas]

Hi there!
Working on a research spike focused on getting my org set up with Github Packages. We make extensive use of repos (lol), but more recently have been wanting the ability to control what's published more granularly so teams can work with things like monorepos, etc.

So here's my scenario:

• I currently have an action that works and successfully publishes a package to GH's registry (see action yml below)
• shows up properly in the UI and gets versioned properly - huzzah! 🎉
• however... when installing locally things are failing. I've properly set up my .npmrc and such to point to the GH registry.
• looking not to have to use personal access tokens (PATs) for install, since this would involve generating these for every engineer and isn't tenable from a security / scalability POV

my main question: how can I set us up so that we can leverage private packages without having to have every single engineer generate a PAT?

I looked at pulling the token from gh auth status -t (the github CLI), but that yielded the following:

Permission permission_denied: The token provided does not match expected scopes.

Any help would be hugely appreciated! The possibility of automating some release process while giving our teams better tools to slice/dice what gets published for internal tools is very enticing 👍 😄

My files:

.npmrc:

@my-org:registry=https://npm.pkg.github.com

the action:

name: Release Versioned Internal Library

on:
    push:
        branches:
            - main

concurrency: ${{ github.workflow }}-${{ github.ref }}

jobs:
    build:
        name: Build
        runs-on: ubuntu-latest
        steps:
            - name: Checkout Repo
              uses: actions/checkout@v2
            - uses: actions/setup-node@v3
              with:
                  node-version: "16.x"
                  registry-url: "https://npm.pkg.github.com"
            - name: Cache dependencies
              uses: actions/cache@v2
              with:
                  path: ~/.npm
                  key: npm-${{ hashFiles('package-lock.json') }}
                  restore-keys: npm-
            - name: Install Dependencies
              run: npm ci
            - name: Run Tests
              run: npm test
            - name: Create Release Pull Request or Publish to GH Packages
              id: changesets
              uses: changesets/action@v1
              with:
                  publish: npm run release
              env:
                  NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

[dgholz]

how can I set us up so that we can leverage private packages without having to have every single engineer generate a PAT?

You can't if you directly use GitHub Packages: you have to authenticate with a PAT to the language-specific package registry.

Your only alternative would be to internally host an unauthenticated mirror (run an artifact server like Artifactory, or an internal unauthenticated NPM server) and configure it to proxy onto GitHub Packages. That's what we used to do, and we've improved our setup tooling and instructions to make it easy for devs to manage their PATs.