Solvedsetup node Installing npm dependency from public GitHub repository fails

In one of my projects I use simple-caldav which contains the following line in its package.json:

dependencies: {
  "ical.js": "github:TimDaub/ical.js#feat/detect-module-mode-build",

It points to a branch here. I've submitted a PR to the upstream repo, but it seems they're not having much time for maintenance.

Anyways, my GH action in the project that has simple-caldav as a dependency looks like this

# This workflow will do a clean install of node dependencies, build the source code and run tests across different versions of node
# For more information see:

name: Node.js CI

    branches: [ master ]
    branches: [ master ]


    runs-on: ubuntu-latest

        node-version: [10.x, 12.x, 14.x]

    - uses: actions/checkout@v2
    - name: Use Node.js ${{ matrix.node-version }}
      uses: actions/setup-node@v1
        node-version: ${{ matrix.node-version }}
    - run: npm ci
    - run: npm test

However, when it runs npm ci, it fails like this

npm ERR! Error while executing:
npm ERR! /usr/bin/git ls-remote -h -t ssh://
npm ERR! 
npm ERR! Warning: Permanently added the RSA host key for IP address '' to the list of known hosts.
npm ERR! Permission denied (publickey).
npm ERR! fatal: Could not read from remote repository.
npm ERR! 
npm ERR! Please make sure you have the correct access rights
npm ERR! and the repository exists.
npm ERR! 
npm ERR! exited with error code: 128
19 Answers

✔️Accepted Answer

I fixed this in my workflows by adding an extra step after the actions/checkout@v2 (with persist-credentials: false) step:

      - name: Checkout
        uses: actions/checkout@v2
          persist-credentials: false

      - name: Reconfigure git to use HTTP authentication
        run: >
          git config --global url."".insteadOf

Changing from SSH to HTTP makes everything work across all workflows using npm ci (which has several benefits over npm install). If you need to authenticate, use a PAT instead of SSH:

git config --global url."https://${{ secrets.GH_TOKEN }}".insteadOf ssh://

Other Answers:

What ended up fixing it for me is adding the unknown host in my ssh config before npm ci:

- run: mkdir -p $HOME/.ssh/ && echo "" >> $HOME/.ssh/known_hosts
- run: npm ci

It's far from perfect, but works well as a work around for now. Additionally, disabling ssh's key checking via config may be an option too. I prefer to go with this more narrow solution.

Edit: Turns out this won't work all the time as the IPs that the package is requested from change

  • 140.82.113.*
  • 140.82.112.*
  • 140.82.114.*

I've tested adding ranges and ssh-keyscan, but so far I wasn't successful.


I think I finally ended up solving it for good. This is what you'll have to do:

  1. Backup your current RSA keypair at ~/.ssh
  2. Generate a new RSA keypair on your system ssh-keygen -t rsa -C "". Ideally don't overwrite your existing keypair at ~/.ssh by entering a custom path.
  3. Take the contents of the generated *.pub key and add it to your SSH keys in your GitHub account settings
  4. In your repo that has the action, navigate to Settings > Secrets and add SSH_PRIVATE_KEY the contents of the private key file that was generated
  5. Then in your repo's workflow file, add the following before -run: npm ci
- uses: webfactory/ssh-agent@v0.4.1
     ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
- run: npm ci

For more details, check

This is still an issue... An alternative solution is replacing the resolved url in the package lock file, for example:
git+ssh:// becomes: git+

For me this issue started occurring when I tried to switch from npm install to npm ci so for some of you switching to npm install may be another workaround.