401 Unauthorized trying to install cross-repo internal organisation package

[radahh-rest]

Select Topic Area

Question

Body

Can anyone assist me working out where I've gone wrong here? I'm trying to install an internal package, but always get 401 Unauthorized . I've read all the doco and so far as I can see everything is set up correctly. We are a cloud enterprise organisation.

Issue Summary

401 Unauthorized trying to install cross-repo internal organisation package

1. In repo aws-cdk-deploy I have an action that publishes a package.
2. In repo skeleton-node-ts I have a devDependency on the package.
3. Both repos are internal, in the same organisation and have the same team permissions.
4. The organisation is set for packages to inherit permissions of the repo.
5. I have given the dependent (installing) repo read access through the 'Manage Actions Access' configuration.
6. I have a committed .npmrc file that set up the registry.
7. Workstation installs with classic PATs work.
8. The dependent package actions appear to be configured correctly, with defaults.
9. Logging the config seems to indicate that the default token is being used, which I assume would be the GITHUB_TOKEN.
10. After multiple variations of action configuration, I cannot find a way to authorise the action to install the package.

• I've tried overriding the NODE_AUTH_TOKEN: NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
• Setting the auth through npm_config environment variables: npm_config_//npm.pkg.github.com/:_authToken: ${{ secrets.GITHUB_TOKEN }}
• Using npm rather than pnpm as there was an earlier bug w.r.t env substitution now fixed.
• Everything seems good. The only suspiciions thing I can see is in the pnpm config list where the registry setting is https://github.com/RestSuper:registry=https://npm.pkg.github.com/ rather than @RestSuper:registry=https://npm.pkg.github.com/, but the response is 401 so it seems to resolve OK?

Context

Published package (details taken from package overview):

repository = "https://github.com/RestSuper/aws-cdk-deploy"

Dependant repo:

.npmrc:

registry=https://registry.npmjs.org
@restsuper:registry=https://npm.pkg.github.com/

package.json (snip)

  "devDependencies": {
    "@restsuper/aws-cdk-deploy": "^1.4.8",

Build job:

name: Build
run-name: '${{github.event.pull_request.title}} (#${{github.event.pull_request.number}})'

on:
  pull_request:

env:
  CI: true

defaults:
  run:
    working-directory: ./
    shell: bash
    
jobs:

  build:
    timeout-minutes: 10
    runs-on:
      group: 8-core

    permissions:
      contents: write
      pull-requests: write
      packages: read

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup
        uses: ./.github/actions/setup-node

      - run: |
          pnpm config list >> $GITHUB_STEP_SUMMARY

      - name: Installing
        run: pnpm install --ignore-scripts

setup-node action

name: Setup
description: Setup
runs:
  using: composite
  steps:
    - name: Install package manager
      uses: pnpm/action-setup@v2

    - name: Setup Node.js
      uses: actions/setup-node@v4
      with:
        node-version-file: .nvmrc
        cache: pnpm
        registry-url: https://npm.pkg.github.com
        scope: '@restsuper'

pnpm config output from build step:

//npm.pkg.github.com/:_authToken=XXXXX-XXXXX-XXXXX-XXXXX
https://github.com/RestSuper:registry=https://npm.pkg.github.com/
always-auth=false
registry=https://registry.npmjs.org/
user-agent=pnpm/8.14.1 npm/? node/v20.10.0 linux x64
userconfig=/home/runner/work/_temp/.npmrc

Result

Action log:

Run pnpm install --ignore-scripts
  pnpm install --ignore-scripts
  shell: /usr/bin/sh -e {0}
  env:
    CI: true
    PNPM_HOME: /home/runner/setup-pnpm/node_modules/.bin
    NPM_CONFIG_USERCONFIG: /home/runner/work/_temp/.npmrc
    NODE_AUTH_TOKEN: XXXXX-XXXXX-XXXXX-XXXXX
Lockfile is up to date, resolution step is skipped
Progress: resolved 1, reused 0, downloaded 0, added 0
Packages: +44[2](https://github.com/RestSuper/skeleton-node-ts/actions/runs/7494531860/job/20402673204#step:5:2)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Progress: resolved 442, reused 0, downloaded 150, added 146
 ERR_PNPM_FETCH_401  GET https://npm.pkg.github.com/download/@RestSuper/aws-cdk-deploy/1.4.8/c6[3](https://github.com/RestSuper/skeleton-node-ts/actions/runs/7494531860/job/20402673204#step:5:3)551f25d6b298e[4](https://github.com/RestSuper/skeleton-node-ts/actions/runs/7494531860/job/20402673204#step:5:4)d997198[5](https://github.com/RestSuper/skeleton-node-ts/actions/runs/7494531860/job/20402673204#step:5:5)32dddbbf[7](https://github.com/RestSuper/skeleton-node-ts/actions/runs/7494531860/job/20402673204#step:5:7)c[9](https://github.com/RestSuper/skeleton-node-ts/actions/runs/7494531860/job/20402673204#step:5:10)4c1f: Unauthorized - 401

An authorization header was used: ***

These authorization settings were found:
//npm.pkg.github.com/:_authToken=XXXX[hidden]
@restsuper:registry=https://npm.pkg.github.com/
Error: Process completed with exit code 1.

[radahh-rest]

(replying to my own post)

Is this statement on page https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry relevant? It seems to imply that a GitHub action requires a configured secret user-based PAT to function?

To authenticate to a GitHub Packages registry within a GitHub Actions workflow, you can use:
GITHUB_TOKEN to publish packages associated with the workflow repository.
a personal access token (classic) with at least read:packages scope to install packages associated with other private repositories (which GITHUB_TOKEN can't access).

But it mentions 'private' repos, and ours is internal.

And the next section contradicts?

Authenticating in a GitHub Actions workflow
This registry supports granular permissions. For registries that support granular permissions, if your GitHub Actions workflow is using a personal access token to authenticate to a registry, we highly recommend you update your workflow to use the GITHUB_TOKEN.

[radahh-rest]

[SOLVED]
Even though the workflow logs show the NODE_AUTH_TOKEN, it needs to be explicitly set:

      - name: Installing
        # Skip post-install scripts here, as a malicious script could steal the auth token.
        run: pnpm install --ignore-scripts
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

So simple, but took so long to isolate!

[113ll3]

[113ll3]

[SOLVED] Even though the workflow logs show the NODE_AUTH_TOKEN, it needs to be explicitly set:

      - name: Installing
        # Skip post-install scripts here, as a malicious script could steal the auth token.
        run: pnpm install --ignore-scripts
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

So simple, but took so long to isolate!