Cant execute npm install if the package comes from a different organization using github app token

[lloydsanchez1201]

Select Topic Area

Question

Body

Hi, seeking some advise to how to resolve issue with permission/authentication when doing an npm install if the packages comes from a different organization. Here are the contexts:

FROM ORG 1

• Source Package: npm package (internal)
• Github App: allow the repository where the package is linked to with the following permission {"actions":"write","administration":"read","attestations":"read","contents":"write","environments":"read","metadata":"read","packages":"write","secrets":"read"}
• Github App: Generated private key token

FROM ORG 2 [This is where the npm install should be performed]

• Github Actions with corresponding secrets for the github app private token
• From the github actions, we utilized third-party actions to create a token = GITHUB_TOKEN
• Utilizing npmrc to authenticate with registry using the generated github token
• And here goes npm install, but failed

Upon triggering the workflow, its gets us to this error:

npm http fetch GET 403 https://npm.pkg.github.com/@org%2fcomponents-library 384ms (cache skip)
npm http fetch GET 403 https://npm.pkg.github.com/@org%2fcomponents-library-vue 194ms (cache skip)
npm verbose stack HttpErrorGeneral: 403 Forbidden - GET https://npm.pkg.github.com/@org%2fcomponents-library-vue - Permission installation not allowed to Read organization package

QUESTIONS:
So not sure this time if github supports similar strategy? Or you guys have done it before? Would you mind sharing your thought?
Is there something that needs to be done inside ORG 2's settings?

NOTE: We are leaning away from using PAT.

[qoomon]

Maybe my project could solve your use case, have a look at https://github.com/qoomon/actions--access-token

[lloydsanchez1201]

hmm we've been using this actually https://github.com/peter-murray/workflow-application-token-action.

[qoomon]

This is basically the same approach, however the private key of the GitHub app is never accessible by any GitHub actions run. Therefore you don't need to share a secret across multiple repositories or create an an GitHub app for everyone repository. With my approach you also have way more fine-grained access control options.