Add documentation for GET of private NPM packages

[ghost]

Getting a 404 error when trying to fetch a private NPM package. The NPM_TOKEN is included and used as a secret. Locally I also have this problem sometimes but the issue is resolved by doing a npm login.

workflow:

name: Node CI

on: [push]

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@master
    - name: Use Node.js v10.x
      uses: actions/setup-node@v1
      with:
        version: 10.x
    - name: npm install, build, and test
      env:
        NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
      run: |
        npm install
        npm run build --if-present
        npm test

[damccorm]

I don't see any npm docs saying NPM_AUTH_TOKEN is supported. With that said, you can configure auth with this action. There are examples in the README, but in this case you would want:

name: Node CI

on: [push]

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@master
    - name: Use Node.js v10.x
      uses: actions/setup-node@v1
      with:
        version: 10.x
        registry: 'https://registry.npmjs.org'
    - name: npm install, build, and test
      env:
        NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
      run: |
        npm install
        npm run build --if-present
        npm test

Note the added registry parameter for the action and the change of the env var name to NODE_AUTH_TOKEN.

Without a registry parameter we don't configure auth by default.

[ghost]

Thank you, noticed the mistake on the environment variable after posting this issue.
Even with the registry added it wouldn't show an error on this. But glad it's working now. Sorry if I created an unnecessary for this.

[damccorm]

No worries, happy to help! I wish we could have better errors for typos like this, but unfortunately since the issue is on the npm step there's not much we can do. Glad you're unblocked! I'm going to close, please comment if it should stay open!

[jwalton]

I don't see any npm docs saying NPM_AUTH_TOKEN is supported

That's because NPM doesn't support NPM_AUTH_TOKEN. This is an invention of this repo:

setup-node/src/authutil.ts

Line 41 in 78148da

registryUrl.replace(/(^\w+:|^)/, '') + ':_authToken=${NODE_AUTH_TOKEN}';

Essentially if you specify a registry, actions/setup-node will write a .npmrc file that looks like:

//registry.npmjs.org/:_authToken=${NPM_AUTH_TOKEN}

And then npm will replace this variable at runtime. This technique is discussed in this blog post. It's too bad actions/setup-node doesn't use NPM_TOKEN, instead though, as this is the token name in that blog article, and also the token name required by e.g. semantic-release. It's also too bad you can't just specify the token as an input. :P

[damccorm]

It's also too bad you can't just specify the token as an input.

The issue here is that inputs only live for the duration of the action. So we would need to write the token directly to the .npmrc which is unsafe for security reasons.

That's because NPM doesn't support NPM_AUTH_TOKEN

Its worth noting that the variable we use is actually NODE_AUTH_TOKEN - we chose this to avoid confusion with the npmjs registry.

It's too bad actions/setup-node doesn't use NPM_TOKEN

I hadn't seen this used commonly before - it would be tough for us to change at this point though since people have already attached to NODE_AUTH_TOKEN so it would be breaking to change that 😞

[jwalton]

security reasons

Yeah, I guessed it was something along those lines. :)

As for breaking changes... I wonder how NPM is doing the variable substitution and if we could do something fancy so if either NPM_TOKEN or NODE_AUTH_TOKEN is defined it will still work? Right now I have to set them both to keep semantic-releae happy. I suppose this is kind of a first world problem. :P

[jwalton]

Or, we could add a envKey input to setup-node which defaults to "NODE_AUTH_TOKEN" and then as an end user you could make the variable whatever you wanted!

And, of course, you can always do:

      - name: npm install
        if: success()
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          echo '//registry.npmjs.org/:_authToken=${NPM_TOKEN}' > .npmrc
          npm install

🙃