Issue with npm install if the package comes from a different organization using github app token

[lloydsanchez1201]

Select Topic Area

Bug

Body

Hi, seeking some advise to how to resolve issue with permission/authentication when doing an npm install if the packages comes from a different organization. Here are the contexts:

FROM ORG 1

Source Package: npm package (internal)
Github App: allow the repository where the package is linked to with the following permission {"actions":"write","administration":"read","attestations":"read","contents":"write","environments":"read","metadata":"read","packages":"write","secrets":"read"}
Github App: Generated private key token

FROM ORG 2 [This is where the npm install should be performed]

Github Actions with corresponding secrets for the github app private token
From the github actions, we utilized third-party actions to create a token = GITHUB_TOKEN
Utilizing npmrc to authenticate with registry using the generated github token
And here goes npm install, but failed
Upon triggering the workflow, its gets us to this error:

npm http fetch GET 403 https://npm.pkg.github.com/@org%2fcomponents-library 384ms (cache skip)
npm http fetch GET 403 https://npm.pkg.github.com/@org%2fcomponents-library-vue 194ms (cache skip)
npm verbose stack HttpErrorGeneral: 403 Forbidden - GET https://npm.pkg.github.com/@org%2fcomponents-library-vue - Permission installation not allowed to Read organization package

QUESTIONS:
So not sure this time if github supports similar strategy? Or you guys have done it before? Would you mind sharing your thought?
Is there something that needs to be done inside ORG 2's settings?

NOTE: We are leaning away from using PAT.

[little-software-engineer]

Hello,

Here's what you can do:

Org 1 has an npm package stored on GitHub Package Registry.
Org 2 wants to install this package but faces authentication hurdles due to cross-organization permissions.

GitHub Actions Configuration:

Org 2's GitHub Actions are using the GITHUB_TOKEN for authentication, which typically has scoped permissions but might lack necessary permissions for cross-organization package access.

Potential Solutions
Verify GITHUB_TOKEN Scope:

GitHub Actions use a GITHUB_TOKEN that grants scoped permissions to the repository it runs in. This token might not have sufficient permissions to access packages in Org 1's repository.
Ensure that the GITHUB_TOKEN is indeed being passed correctly and has the read:packages scope.

Considerations for Cross-Organization Access:

GitHub's security model might restrict access to packages based on organization boundaries, especially if the repositories are not under the same organization or explicit permissions are not granted.
You mentioned avoiding Personal Access Tokens (PATs), but sometimes they are necessary for broader permissions.

Alternative Authentication Methods:

Using Service Account or Bot Account: Create a dedicated GitHub account with access to both Org 1 and Org 2 repositories. Use its Personal Access Token (PAT) with necessary scopes (read:packages) for authentication.
GitHub App Installation: Ensure the GitHub App installed in Org 2 has adequate permissions (write:packages or read:packages) across organizations. This might involve adjusting the GitHub App settings to allow package registry access.

Lastly, npm configuration files (~/.npmrc) might not be set up correctly or might be overridden by environment variables. Ensure that the registry entry in ~/.npmrc points to https://npm.pkg.github.com/ and that authentication is properly set up using the correct token or credentials.

registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=YOUR_GITHUB_TOKEN

[lloydsanchez1201]

Hi @little-software-engineer , I appreciate the detailed recommendations. Here are my response to the potential solutions that you are proposing:

Verify GITHUB_TOKEN Scope:
Actually, the installed github app in ORG 1 has, I think, more than enough permission: {"actions":"write","administration":"read","attestations":"read","contents":"write","environments":"read","metadata":"read","packages":"write","secrets":"read"}

Considerations for Cross-Organization Access:
Using PAT was the initial recommendation that the integration engineer has recommended from ORG 1. I actually even had no problem encountered when I tested my own PAT. The workflow was seamless.

Alternative Authentication Methods:
I actually have a step to set the .npmrc properly within the actions:

      - name: Authenticate to Registry
        run: |
          cat <<EOF > ~/.npmrc
          @org1:registry=https://npm.pkg.github.com
          //npm.pkg.github.com/:_authToken=${{ steps.get_workflow_token.outputs.token }}
          always-auth=true
          EOF

steps.get_workflow_token.outputs.token - This is generated from a third-party actions peter-murray/workflow-application-token-action@v3 with scoped permission {"actions":"write","administration":"read","attestations":"read","contents":"write","environments":"read","metadata":"read","packages":"write","secrets":"read"}

[little-software-engineer]

Maybe this will help you further:
GitHub Actions Authentication Setup

Ensure that the GITHUB_TOKEN in Org 2's GitHub Actions is set up with the necessary scopes.
If using the peter-murray/workflow-application-token-action, confirm that it is generating a token with the required scopes for accessing Org 1's package registry.

.npmrc Configuration:

Verify that the .npmrc file is correctly set up within the GitHub Actions workflow.
The .npmrc file should point to the correct registry and use the appropriate token for authentication.

`

  name: Install Package from Org 1

  on: [push]

 jobs:
 install-package:
runs-on: ubuntu-latest

steps:
  - name: Checkout Code
    uses: actions/checkout@v2

  - name: Get Workflow Token
    id: get_workflow_token
    uses: peter-murray/workflow-application-token-action@v3
    with:
      app_id: ${{ secrets.GITHUB_APP_ID }}
      private_key: ${{ secrets.GITHUB_PRIVATE_KEY }}
      installation_id: ${{ secrets.GITHUB_INSTALLATION_ID }}
      permissions: |
        actions: write
        administration: read
        attestations: read
        contents: write
        environments: read
        metadata: read
        packages: write
        secrets: read

  - name: Authenticate to Registry
    run: |
      cat <<EOF > ~/.npmrc
      @org1:registry=https://npm.pkg.github.com
      //npm.pkg.github.com/:_authToken=${{ steps.get_workflow_token.outputs.token }}
      always-auth=true
      EOF

  - name: Install Package
    run: npm install @org1/package-name

`
If the issue persists, consider the following:

Explicit Permissions: Double-check that Org 1's repository settings explicitly allow access from Org 2's GitHub Actions.
Cross-Organization Policies: Ensure that no organization-level policies are blocking access.
Direct Support: Reach out to GitHub support for assistance with cross-organization authentication issues, as there might be specific nuances or configurations required.