|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: Install private npm GitHub Package in CI |
| 4 | +date: 2026-04-24 20:21:05 |
| 5 | +excerpt: How to install a private npm GitHub Package in GitHub Actions CI. |
| 6 | +categories: github package npm |
| 7 | +--- |
| 8 | + |
| 9 | +This post goes over how to install a private npm GitHub Package in GitHub Actions CI. |
| 10 | + |
| 11 | +## Problem |
| 12 | + |
| 13 | +You get an error when installing a private npm GitHub Package in GitHub Actions CI: |
| 14 | + |
| 15 | +``` |
| 16 | +Forbidden - 403 |
| 17 | +``` |
| 18 | + |
| 19 | +## Package settings |
| 20 | + |
| 21 | +Go to your package settings (repository > **Packages** > **Package settings**). |
| 22 | + |
| 23 | +If the package is owned by your organization: |
| 24 | + |
| 25 | +``` |
| 26 | +https://github.com/orgs/<my-user>/packages/npm/<my-package>/settings |
| 27 | +``` |
| 28 | + |
| 29 | +Or by your personal user account: |
| 30 | + |
| 31 | +``` |
| 32 | +https://github.com/users/<my-user>/packages/npm/<my-package>/settings |
| 33 | +``` |
| 34 | + |
| 35 | +**Manage Actions access** > **Add Repository**: |
| 36 | + |
| 37 | +- Pick the repositories that can access this package using GitHub Actions. |
| 38 | + |
| 39 | +## .npmrc |
| 40 | + |
| 41 | +Add the following to your `.npmrc`: |
| 42 | + |
| 43 | +``` |
| 44 | +//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN} |
| 45 | +@my-org:registry=https://npm.pkg.github.com |
| 46 | +``` |
| 47 | + |
| 48 | +## GitHub Actions |
| 49 | + |
| 50 | +Set the permission in your `.github/workflows/my-workflow.yml`: |
| 51 | + |
| 52 | +```yml |
| 53 | +permissions: |
| 54 | + packages: read |
| 55 | +``` |
| 56 | +
|
| 57 | +{% raw %} |
| 58 | +
|
| 59 | +Now you can install the package with `${{ github.token }}` or `${{ secrets.GITHUB_TOKEN }}`: |
| 60 | + |
| 61 | +```yml |
| 62 | +- name: Install dependencies |
| 63 | + shell: bash |
| 64 | + run: npm install |
| 65 | + env: |
| 66 | + GITHUB_TOKEN: ${{ github.token }} |
| 67 | +``` |
| 68 | + |
| 69 | +Or configure the auth token before install: |
| 70 | + |
| 71 | +```yml |
| 72 | +- name: Configure auth token |
| 73 | + shell: bash |
| 74 | + run: | |
| 75 | + sed -i '/\/\/npm\.pkg\.github\.com\/:_authToken/d' .npmrc |
| 76 | + npm config set '//npm.pkg.github.com/:_authToken' '${{ github.token }}' |
| 77 | +``` |
| 78 | + |
| 79 | +{% endraw %} |
| 80 | + |
| 81 | +## Classic PAT |
| 82 | + |
| 83 | +Alternatively, you can create a [personal access token (classic)](https://github.com/settings/tokens/new) with the scopes: |
| 84 | + |
| 85 | +- [x] `repo` (Full control of private repositories) |
| 86 | +- [x] `read:packages` (Download packages from GitHub Package Registry) |
| 87 | + |
| 88 | +Check if your token works: |
| 89 | + |
| 90 | +```sh |
| 91 | +GITHUB_TOKEN=ghp_*** pnpm view @my-org/my-package version |
| 92 | +``` |
| 93 | + |
| 94 | +If you get the error: |
| 95 | + |
| 96 | +``` |
| 97 | +403 Forbidden - GET https://npm.pkg.github.com/@my-org%2fmy-package - Permission permission_denied: `my-org` forbids access via a personal access token (classic). Please use a GitHub App, OAuth App, or a personal access token with fine-grained permissions. |
| 98 | +``` |
| 99 | + |
| 100 | +Then create a [fine-grained PAT](https://github.com/settings/personal-access-tokens/new) or app. |
0 commit comments