Logging in to MyGet for GitHub Actions to install Private package

Question

I'm trying to set up a GitHub Actions workflow that will run the tests for a project when a PR is created. Here's the YAML for the action; it's pretty straight forward really.

steps:
    - uses: actions/checkout@v1

    - name: Use Node.js
      uses: actions/setup-node@v1
      with:
        node-version: ${{ matrix.node-version }}
        registry-url: https://www.myget.org/F/hsa/npm/
        scope: '@hsa'
      env:
        NODE_AUTH_TOKEN: ${{ secrets.MYGET_TOKEN }}

    - name: set always auth
      run: |
        npm config set always-auth true

    - name: Install
      run: |
        npm install

    - name: Run lint
      shell: bash
      run: |
        if [[ $GITHUB_BASE_REF ]]
        then
            export NX_BASE=remotes/origin/$GITHUB_BASE_REF
        else
            export NX_BASE=$(git rev-parse HEAD~1)
        fi
        echo "Base => $NX_BASE"
        npm run affected:test -- --base=$NX_BASE

The "Use Node.js" step sets the registry URL for the @hsa scope; the MYGET_TOKEN is set using secrets for the repo. The "set always auth" step was necessary because it wasn't done automatically. This seems like it should be enough to allow the action to install the private packages, but it doesn't work. This is the error I get on the "Install" step:

npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="MyGet - hsa"

I've output the temporary .npmrc file that's created in the Action, and it does look correct, setting the registry for the given scope, so everything should work. But I can't get past the NPM Install step to actually run the tests.

Any help on what I'm missing for the authentication would be greatly appreciated. Thanks!

Answer 1

From https://github.com/actions/setup-node/

steps:
- uses: actions/checkout@v1
- uses: actions/setup-node@v1
  with:
    node-version: '10.x'
    registry-url: 'https://registry.npmjs.org'
# Skip post-install scripts here, as a malicious
# script could steal NODE_AUTH_TOKEN.
- run: npm install --ignore-scripts
  env:
    NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
# `npm rebuild` will run all those post-install scripts for us.
- run: npm rebuild && npm run prepare --if-present

Try to use the npm install inside of the actions/setup-node.

Answer 2

This is the workflow configuration file I ended up using that get the private package installed:

name: Nx Affected CI

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

jobs:
  build:
    runs-on: ubuntu-latest

    strategy:
      matrix:
        node-version: [12.x]

    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v1
        with:
          node-version: ${{ matrix.node-version }}
      - run: git fetch origin master
      - run: cp npmrc_file .npmrc
      - name: npm install
        run: npm install
        env:
          NPM_TOKEN: ${{ secrets.MYGET_TOKEN }}
      - run: rm .npmrc
      - run: npm run affected:test --base=origin/master

The npmrc_file should look like this:

@hsa:registry=https://www.myget.org/path/to/repository
always-auth=true
//www.myget.org/path/to/repository/:_authToken=${NPM_TOKEN}

I copied it into the workflow, installed the private package, and then removed it, as it caused issues with the NPM_TOKEN when trying to run the npm run command.

Also, MYGET_TOKEN is stored in the secrets section of the repository settings.