Publishing private NPM packages via GitHub

When working with NPM, there are cases where we need to install a package that is private and specific to our own use case. Such a package is marked as private, so it cannot be installed by the public, only by our own entity.

We can create such a package and test it as private by following the steps below.

The first step is to publish the package to GitHub.

Create a file named release-package.yml inside the .github/workflows folder:

.github/workflows/release-package.yml

A sample file:

name: Node.js Package release

on:
  release:
    types: [created]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 16
      - run: npm ci

  publish-gpr:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 16
          registry-url: https://npm.pkg.github.com/
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}

${{secrets.GITHUB_TOKEN}} – This should be generated from the GitHub token generator. https://github.com/settings/tokens

If needed, we can add an npm test step as: - run: npm test

Just commit the changes to the package and push them to our private repo.

The work on the package is done. The published package is now private.

Now we need to add the private package to our project. Create a .npmrc file.

Inside the .npmrc file, the content will look like this:

# In case of scripbox packages, scope is going to be scripbox
@<scope>:registry=https://npm.pkg.github.com

# Bind the token to the GitHub Packages host so it is only sent to that registry
//npm.pkg.github.com/:_authToken=<AUTH_TOKEN>
always-auth=true

<scope> should be the repo owner's name.

<AUTH_TOKEN> should be generated from https://github.com/settings/tokens with the proper permissions.

Now we just need to add the private package, which will come from an authorized repo, as:
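
A small Node.js check for the .npmrc described above, added here as an example and not part of the original post: it flags an _authToken that is not bound to a registry host, a token bound to a host that no scope installs from, and a token written literally into the file. The function and rule names, the NPM_TOKEN variable and the sample strings are assumptions made for illustration.

```javascript
// Added example, not the author's code. Rule and function names are hypothetical.
function parseNpmrc(text) {
  // .npmrc is ini-style: "key = value"; lines starting with # or ; are comments.
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (!line || line.startsWith('#') || line.startsWith(';') || eq === -1) return;
    entries.push({ line: i + 1, key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() });
  });
  return entries;
}

function hostOf(url) {
  try { return new URL(url).host; } catch (e) { return null; }
}

function auditNpmrc(text) {
  const entries = parseNpmrc(text);
  // Hosts that some "@scope:registry" entry actually resolves to.
  const scopeHosts = new Set(entries
    .filter((e) => /^@[^:]+:registry$/.test(e.key))
    .map((e) => hostOf(e.value)));
  const findings = [];
  for (const { line, key, value } of entries) {
    if (!key.endsWith('_authToken')) continue;
    const m = key.match(/^\/\/([^/]+)\/.*:_authToken$/);
    if (!m) {
      // A bare _authToken is not bound to any registry host.
      findings.push({ line, rule: 'unscoped-token' });
    } else if (!scopeHosts.has(m[1])) {
      // Token is bound to a host that no scope in this file installs from.
      findings.push({ line, rule: 'token-host-unused' });
    }
    if (!/^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/.test(value)) {
      // Token value is written into the file instead of read from the environment.
      findings.push({ line, rule: 'literal-token' });
    }
  }
  return findings;
}

// Constructed samples: the scope "@xyz" comes from the page, the token value is fake.
const WEAK = '@xyz:registry = https://npm.pkg.github.com\n_authToken = ghp_CONSTRUCTED\nalways-auth = true\n';
const HARDENED = '@xyz:registry=https://npm.pkg.github.com\n//npm.pkg.github.com/:_authToken=${NPM_TOKEN}\n';

console.log(auditNpmrc(WEAK));     // two findings on line 2
console.log(auditNpmrc(HARDENED)); // []
```

Running this against the project's .npmrc before committing it helps keep a literal token out of version control.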

yarn add @xyz/xyz-abc@1.0.0

The version number is taken from the published package's tag.

Now we are using the private package in our project, and it won't be accessible to the public.

Ref: https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry#installing-a-package