Can GITHUB_TOKEN be used to publish an npm package to the GitHub npm registry? #60044
Select Topic Area
Question

Body
I was trying to publish an npm package to the GitHub npm registry, and here is my GitHub Actions YAML:

jobs:
  publish-gpr:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 18
          registry-url: https://npm.pkg.github.com/
          # this is my org placeholder; I've changed the example to my real org
          scope: '@EXAMPLE'
      - name: Install pnpm
        uses: pnpm/action-setup@v2
        with:
          version: 8
          run_install: false
      - run: |
          pnpm install
          pnpm build
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

It reports this error:

npm notice Publishing to https://npm.pkg.github.com/ with tag latest and default access
npm ERR! code E403
# this example is also a replace for this discussion
npm ERR! 403 403 Forbidden - PUT https://npm.pkg.github.com/@example%2ftest - Permission permission_denied: write_package
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy, or
npm ERR! 403 on a server you do not have access to.

But I've already given the write package permission for this job. If I only change the GITHUB_TOKEN to my personal token, this workflow publishes successfully. I've read the docs, Publishing and installing a package with GitHub Actions. I'm not sure if repository-scoped permissions are required when publishing a package. However, I noticed that the container registry does not support repository-scoped permissions, but can still use publishing-a-package-using-an-action with GITHUB_TOKEN.
Replies: 2 comments 2 replies
I have finally identified the issue. I published the package without specifying the repository field, which caused GitHub to disconnect this package from my source code repository. Therefore, I must link the package to the source repository manually. Additionally, when establishing this connection on my own, it is imperative to manage Action access; this entails granting action access to the source repository and enabling the option to inherit access from the source repository, which is recommended. Once I enable these two permissions, I will be able to publish the npm package to the GitHub npm registry using the GitHub Actions workflow that includes the "GITHUB_TOKEN."
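A pre-publish check for the cause identified in the answer above, as an added example that is not part of the original discussion: it flags a package.json with no `repository` field, or one pointing at a different repository, before `npm publish` runs. The function names and the sample package are constructed; it assumes github.com hosting and that the package is published under the repository owner's scope.

```javascript
// Added example (not from the discussion). Checks that package.json links the
// package to the repository whose GITHUB_TOKEN will publish it.

// Extract "owner/repo" from the forms npm accepts in the "repository" field.
function repoSlug(repository) {
  const raw = typeof repository === 'string' ? repository : repository && repository.url;
  if (typeof raw !== 'string') return null;
  // Shorthand: "owner/repo" or "github:owner/repo"
  let m = raw.match(/^(?:github:)?([\w.-]+)\/([\w.-]+)$/);
  // URL forms: https://, git+https://, git://, ssh://git@host/, git@host:
  if (!m) m = raw.match(/(?:^|[/@])github\.com[/:]([\w.-]+)\/([\w.-]+?)(?:\.git)?\/?$/);
  return m ? `${m[1]}/${m[2]}`.toLowerCase() : null;
}

// pkg: parsed package.json. githubRepository: the workflow's GITHUB_REPOSITORY
// value ("owner/repo"). Returns a list of problems; empty means the link is fine.
function checkPackageLink(pkg, githubRepository) {
  const problems = [];
  const expected = String(githubRepository || '').toLowerCase();
  const [owner] = expected.split('/');
  const slug = repoSlug(pkg.repository);
  if (!slug) {
    problems.push('no usable "repository" field: the package will not be linked to the source repository');
  } else if (slug !== expected) {
    problems.push(`"repository" points at ${slug}, but the workflow runs in ${expected}`);
  }
  // Assumption: the npm scope is the repository owner's account name.
  const scope = /^@([^/]+)\//.exec(pkg.name || '');
  if (!scope) {
    problems.push('package name is not scoped (@owner/name)');
  } else if (scope[1].toLowerCase() !== owner) {
    problems.push(`scope @${scope[1]} does not match repository owner ${owner}`);
  }
  return problems;
}

// Constructed samples (placeholders, not the poster's real package).
const unlinkedPkg = { name: '@example/test', version: '1.0.0' };
const linkedPkg = {
  ...unlinkedPkg,
  repository: { type: 'git', url: 'git+https://github.com/example/test.git' },
};
console.log(checkPackageLink(unlinkedPkg, 'EXAMPLE/test')); // one problem: missing link
console.log(checkPackageLink(linkedPkg, 'EXAMPLE/test'));   // no problems
```

In a workflow step it would be called with the parsed package.json and `process.env.GITHUB_REPOSITORY`, failing the job when the returned list is non-empty.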
For others having a similar issue, you might experience this problem as a by-product of a repository organization migration, which does not address the fact that packages could still be tied to the previous org. If this is your case:
In case the repo is a greenfield setup,