Issue with npm install if the package comes from a different organization using github app token #129339
Hello, here's what you can do:

Org 1 has an npm package stored on GitHub Package Registry.

GitHub Actions configuration: Org 2's GitHub Actions are using the GITHUB_TOKEN for authentication, which typically has scoped permissions but might lack the necessary permissions for cross-organization package access.

Potential solutions

GitHub Actions use a GITHUB_TOKEN that grants scoped permissions to the repository it runs in. This token might not have sufficient permissions to access packages in Org 1's repository.

Considerations for cross-organization access: GitHub's security model might restrict access to packages based on organization boundaries, especially if the repositories are not under the same organization or explicit permissions are not granted.

Alternative authentication methods: using a service account or bot account. Create a dedicated GitHub account with access to both Org 1 and Org 2 repositories. Use its Personal Access Token (PAT) with the necessary scopes (read:packages) for authentication.

Lastly, npm configuration files (~/.npmrc) might not be set up correctly or might be overridden by environment variables. Ensure that the registry entry in ~/.npmrc points to https://npm.pkg.github.com/ and that authentication is properly set up using the correct token or credentials.
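As an added example (not code from the discussion) for the .npmrc point in the reply above: a small script that writes a project .npmrc routing Org 1's scope to the GitHub Package Registry, with the token read from an environment variable at install time rather than stored in the file, and a check that fails if the scope points elsewhere or a literal token was pasted in. The scope name @org1, the variable name NODE_AUTH_TOKEN and the temp path are assumptions.

```shell
#!/bin/sh
# Added example (not from the discussion): write and verify a project .npmrc
# for installing a scoped package from the GitHub Package Registry.
# Assumptions: scope "@org1", env var NODE_AUTH_TOKEN, path chosen by caller.

# write_npmrc SCOPE PATH: create the file with owner-only permissions.
write_npmrc() {
  scope="$1"
  path="$2"
  (
    umask 077   # a newly created file gets mode 0600
    printf '%s\n' \
      "${scope}:registry=https://npm.pkg.github.com/" \
      '//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}' > "$path"
  )
}

# check_npmrc SCOPE PATH: returns 0 when the scope is routed to the GitHub
# registry and every auth line references an env var, not a literal token.
check_npmrc() {
  scope="$1"
  path="$2"
  [ -r "$path" ] || return 1
  grep -qxF "${scope}:registry=https://npm.pkg.github.com/" "$path" || return 1
  grep -qF '//npm.pkg.github.com/:_authToken=${' "$path" || return 1
  # any auth line for this registry that does not use ${...} is a finding
  if grep -E '^//npm\.pkg\.github\.com/:_authToken=' "$path" | grep -vqF '_authToken=${'; then
    return 1
  fi
  return 0
}

# Stand-alone run: build the file in a temp location and verify it.
main() {
  tmp="$(mktemp)"
  write_npmrc "@org1" "$tmp"
  if check_npmrc "@org1" "$tmp"; then
    echo "npmrc OK: $tmp"
  else
    echo "npmrc misconfigured: $tmp"
  fi
  rm -f "$tmp"
}

main "$@"
```

With this layout the workflow step only has to export NODE_AUTH_TOKEN from the generated app token before running npm install.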
Hi, seeking some advice on how to resolve a permission/authentication issue when doing an npm install if the package comes from a different organization. Here is the context:
FROM ORG 1
Source package: npm package (internal)
GitHub App: allowed on the repository that the package is linked to, with the following permissions:
{"actions":"write","administration":"read","attestations":"read","contents":"write","environments":"read","metadata":"read","packages":"write","secrets":"read"}
GitHub App: generated private key token
FROM ORG 2 [this is where the npm install should be performed]
GitHub Actions with corresponding secrets for the GitHub App private key token
From the GitHub Actions workflow, we utilized third-party actions to create a token = GITHUB_TOKEN
Utilizing .npmrc to authenticate with the registry using the generated GitHub token
And then comes npm install, which failed
Upon triggering the workflow, it gets us to this error:
QUESTIONS:
So, not sure this time whether GitHub supports a similar strategy? Or have you guys done it before? Would you mind sharing your thoughts?
Is there something that needs to be done inside ORG 2's settings?
NOTE: We are leaning away from using a PAT.