Solvedsetup node publishing to npm fails after publishing to GPR

I have a workflow like this that's supposed to publish to npm once I publish to GPR:

name: Publish to npm
on: registry_package
jobs:
  publish-npm:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: actions/setup-node@v1
        with:
          node-version: 12
          registry-url: https://registry.npmjs.org/
      - run: npm install && npm publish
        env:
          NODE_AUTH_TOKEN: ${{secrets.npm_token}}

I have the npm_token secret added to this repository.

When I just published to GPR, it kicked off this workflow job, but it failed at the last step of publishing to npm. The error was from npm saying:

npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"

What does this error mean, and how do I fix it? I don't see anything about setting "basic realm" in the recipes for this setup-node action.

37 Answers

✔️Accepted Answer

@pqt Just to be clear: You’re talking about publishing to GitHub Package Registry only (not the npmjs.org registry)? Because I’ve got that working from within GitHub Actions, with this .npmrc

registry=https://registry.npmjs.org/
@tjanson:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}

In the workflow config, I don’t use any with: arguments for the Node setup (except node-version: '10.x'), and I set a personal access token (as secret) for the NODE_AUTH_TOKEN env var (I think the GITHUB_TOKEN would also work).

Is that what you’re trying to accomplish or am I totally misunderstanding you?

PS: That .npmrc is in the repo root, not at ~/.npmrc. Simply commited that file.

Other Answers:

I also had the same issue, and fixed by creating ~/.npmrc like:

- run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_AUTH_TOKEN }}" > ~/.npmrc
- run: npm publish

Hi all - here is a workflow that publishes to both NPMJS and GPR, without needing .npmrc workarounds:

Just replace <@OWNER> with appropriate scope (eg for me it would be @affrae), and use your version of npm_token

Is working at https://github.com/affrae/fib-tools

name: Publish to NPMJS and GPR

on:
  push:
    branches:
      - master

jobs:
  publish-to-npm-and-gpr:
    runs-on: ubuntu-latest
    steps:
      
      # Checkout the repo
      - uses: actions/checkout@master
        
      # Update package version and set up git
      - uses: actions/setup-node@master
      - name: Update package version and setup git
        run: |
          git config user.name "Actions User"
          git config user.email noreply@github.com
          npm version 1.0.$(date +%s)

      # Publish to NPMJS
      - uses: actions/setup-node@master
        with:
          node-version: 12
          registry-url: 'https://registry.npmjs.org/'
      - name: Publish to NPMJS
        run: |
          npm config set //registry.npmjs.org/:_authToken=$NODE_AUTH_TOKEN
          npm config set scope "<@OWNER>"
          npm config list
          npm publish --access public 
        env:
          CI: true
          NODE_AUTH_TOKEN: ${{secrets.npm_token}}

      # Publish to GitHub Package Registry
      - uses: actions/setup-node@master
        with:
          node-version: 12
          registry-url: https://npm.pkg.github.com/
          scope: '<@OWNER>'
      - name: Publish to GitHub Package Registry
        run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{github.token}}

Publishing to GPR from Actions (what @pqt seems to be doing) and publishing to NPM from Actions (which, in my case, is triggered after first publishing to GPR) are separate topics.

However, they both seem to have the same symptom, which is that the Action doesn't seem to apply the correct credentials for the publishing (from npm secrets), and/or Actions is not properly using the "registry" setting from the Action. In some cases you can "hack" around this problem by just forcing your own .npmrc, but that's both a hack and runs contrary to the published documentation for this Action, so it shouldn't be "the solution".

In my case, since my project already has a npmrc in it, to redirect the initial publish to GPR in the first place, I do not think it's a suitable solution to somehow hack or override that npmrc during the Action to then redirect to npm.

This is a blocker for me to using Github Actions. I would really appreciate some more info on it.