A private repository will be published as a private npm package. Perhaps the first step in making your package private is to make your package's repository private. To make your GitHub repository private, click on the Settings tab, scroll to the bottom and then click on Change repository visibility.
GitHub Pages is available in public repositories with GitHub Free and GitHub Free for organizations, and in public and private repositories with GitHub Pro, GitHub Team, GitHub Enterprise Cloud, and GitHub Enterprise Server.
It can be done via https and oauth or ssh.
https and oauth: create an access token that has "repo" scope and then use this syntax:
"package-name": "git+https://<github_token>:x-oauth-basic@github.com/<user>/<repo>.git"
or
ssh: set up ssh and then use this syntax:
"package-name": "git+ssh://git@github.com:<user>/<repo>.git"
(note the use of colon instead of slash before user)
If someone is looking for another option for GitLab and the options above do not work, then we have another option. For a local installation of GitLab server, we have found that the approach below allows us to include the package dependency. We generated and use an access token to do so.
$ npm install --save-dev "https://git.yourdomain.com/userOrGroup/gitLabProjectName/repository/archive.tar.gz?private_token=InsertYourAccessTokenHere"
Of course, if one is using an access key this way, it should have a limited set of permissions.
Good luck!
With git there is a https format
https://github.com/equivalent/we_demand_serverless_ruby.git
This format accepts User + password
https://bot-user:[email protected]/equivalent/we_demand_serverless_ruby.git
So what you can do is create a new user that will be used just as a bot, add only enough permissions that he can just read the repository you want to load in NPM modules and just have that directly in your package.json
GitHub > Click on Profile > Settings > Developer settings > Personal access tokens > Generate new token
In the Select Scopes part, check repo: Full control of private repositories
This is so that token can access private repos that user can see
Now create a new group in your organization, add this user to the group and add only repositories that you expect to be pulled this way (READ ONLY permission!)
You need to be sure to push this config only to private repo
Then you can add this to your package.json (bot-user is name of user, xxxxxxxxx is the generated personal token)
// package.json
{
  // ....
  "name_of_my_lib": "https://bot-user:xxxxxxxxx@github.com/ghuser/name_of_my_lib.git"
  // ...
}
https://blog.eq8.eu/til/pull-git-private-repo-from-github-from-npm-modules-or-bundler.html
This method requires anyone who uses the package to authenticate with their own personal access token rather than a single group token, which allows the repo to be free of access tokens. You also don't need to create a new access token every time a user should no longer be granted access; instead, removing a user from the repo in GitHub will automatically remove their package access.
This is a condensed version of GitHub's NPM guide: https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry
npm login --scope=@<USERNAME of repo owner in lowercase> --registry=https://npm.pkg.github.com
Username: <Your personal GitHub username>
Password: <Create a GitHub Access Token with your account and paste it here>
Email: <Email associated with the same account>
For example: where user @Bobby wants to publish github.com/Jessica/my-npm-package as an NPM package
npm login --scope=@jessica --registry=https://npm.pkg.github.com
Username: bobby
Password: yiueytiupoasdkjalgheoutpweoiru
Email: [email protected]
package.json, following the format below.
"name": "@jessica/my-npm-package",
"repository": "git://github.com/jessica/my-npm-package.git",
"publishConfig": {
  "registry": "https://npm.pkg.github.com"
},
npm publish
npm install @jessica/my-npm-package
Done!
Keep reading if your project will have GitHub Actions scripts that need to install this private NPM package.
In a CI environment, you'll also need npm login to similarly authenticate. Otherwise, npm install will fail, since it doesn't have access to the private NPM package. One way to pre-configure this is to use a .npmrc file; however, this commits auth credentials to the repo with that file. So, another way is to use the NPM tool npm-cli-login. There is a requirement that you either use your own personal access token (not optimal: you leave the repo, CI breaks), or set up a GitHub account specifically for CI and create an access token with that account.
npm install:
- name: Login to GitHub private NPM registry
  env:
    CI_ACCESS_TOKEN: ${{ secrets.NAME_OF_YOUR_ACCESS_TOKEN_SECRET }}
  shell: bash
  run: |
    npm install -g npm-cli-login
    npm-cli-login -u "USERNAME" -p "${CI_ACCESS_TOKEN}" -e "EMAIL" -r "https://npm.pkg.github.com" -s "@SCOPE"
Replace NAME_OF_YOUR_ACCESS_TOKEN_SECRET, USERNAME, EMAIL and SCOPE.
For example
- name: Login to GitHub private NPM registry
  env:
    CI_ACCESS_TOKEN: ${{ secrets.MY_TOKEN }}
  shell: bash
  run: |
    npm install -g npm-cli-login
    npm-cli-login -u "ci-github-account" -p "${CI_ACCESS_TOKEN}" -e "[email protected]" -r "https://npm.pkg.github.com" -s "@jessica"
Done!
Now when GitHub Actions later run npm install, the script will have access to the private NPM package.
FYI: If you're familiar with GitHub Actions, you may ask why can't we use secrets.GITHUB_TOKEN which GitHub automatically supplies? The reason is secrets.GITHUB_TOKEN only has access to the repo that is running the GitHub Actions, it does not have access to the repo of the private NPM package.
I wasn't able to make the accepted answer work in a Docker container.
What worked for me was to set the Personal Access Token from GitHub in a file called .netrc
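# Write, use and delete ~/.netrc in a single RUN so the file is not kept in an image layer.
# The build-arg value itself is still visible through docker history.
ARG GITHUB_READ_TOKEN
RUN echo -e "machine github.com\n login $GITHUB_READ_TOKEN" > ~/.netrc \
    && npm install --only=production --force \
    && npm cache clean --force \
    && rm ~/.netrc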
in package.json
"my-lib": "github:username/repo",
Although this is an old question, adding an answer here which works across platforms.
The general npm v7 syntax to access private repositories in node_modules is -
git+https://<token_name>:<token>@<path_to_repository>.git#<commit>
You will have to create an access token with your git service provider with at least read access.
Following are links for most popular platforms:
Do note GitHub creates a token linked to your username and there is no token name, thus, use your username instead of token_name for GitHub.
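Several of the answers above place a secret directly in package.json: a token or bot-user password in the URL userinfo, or GitLab's private_token query parameter. The following Node.js check is an added example, not code from any of the answers; it lists such entries and returns a redacted form of each. The sample manifest, the REDACTED marker and the extra parameter names access_token and token are assumptions.

```javascript
// Added example: find dependency specs in a package.json that embed credentials.
// SAMPLE_MANIFEST is constructed for this example; every token in it is a placeholder.
const SAMPLE_MANIFEST = {
  dependencies: {
    "lib-oauth": "git+https://PLACEHOLDER_TOKEN:x-oauth-basic@github.com/user/repo.git",
    "lib-bot": "https://bot-user:xxxxxxxxx@github.com/ghuser/name_of_my_lib.git",
    "lib-ssh": "git+ssh://git@github.com:user/repo.git",
    "lib-short": "github:username/repo",
  },
  devDependencies: {
    "lib-gitlab": "https://git.example.com/group/project/repository/archive.tar.gz?private_token=PLACEHOLDER_TOKEN",
  },
};

const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
// private_token is the parameter used on this page; the other names are assumptions.
const SECRET_PARAMS = /^(private_token|access_token|token)$/i;

// Returns { reasons, redacted } for one spec, or null when it carries no inline secret.
// Only http(s) specs are examined; ssh specs authenticate with a key, not a URL secret.
function inspectSpec(spec) {
  const raw = spec.replace(/^git\+/, "");
  const prefix = spec.slice(0, spec.length - raw.length);
  if (!/^https?:\/\//i.test(raw)) return null;
  let url;
  try { url = new URL(raw); } catch { return null; }
  const reasons = [];
  if (url.username || url.password) {
    reasons.push("credentials in URL userinfo");
    url.username = "REDACTED"; url.password = "";
  }
  for (const key of [...url.searchParams.keys()]) {
    if (SECRET_PARAMS.test(key)) {
      reasons.push(`secret query parameter ${key}`);
      url.searchParams.set(key, "REDACTED");
    }
  }
  return reasons.length ? { reasons, redacted: prefix + url.href } : null;
}

// Walks every dependency section and returns one finding per offending entry.
function findCredentialedDeps(manifest) {
  return SECTIONS.flatMap((section) =>
    Object.entries(manifest[section] || {}).flatMap(([name, spec]) => {
      const hit = typeof spec === "string" ? inspectSpec(spec) : null;
      return hit ? [{ section, name, ...hit }] : [];
    })
  );
}
console.log(findCredentialedDeps(SAMPLE_MANIFEST));
```

Run against a parsed package.json in a pre-commit hook or CI step, a non-empty result is a reason to fail the build before the manifest reaches a shared repository.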