The Problem
I am currently working on a monorepo setup which also includes a package used by other repositories in the (private) GitHub organization. We wanted to use the GITHUB_TOKEN in order to authenticate to GitHub Packages and update / publish the package.
The GitHub docs suggest that it is only possible to authenticate with a personal access token. This was not a solution for us.
Our solution to make it work with the GITHUB_TOKEN
name: <your-name>
on: push
jobs:
  build:
    name: <your-job-name>
    runs-on: <your-runtime-environment e.g. ubuntu-latest>
    permissions:
      contents: read
      packages: write # Job-level permission so that a package can actually be published
    steps:
      - uses: actions/checkout@v3 # An action to check out the needed repository
      - uses: actions/setup-node@v4 # An action to set up the Node environment in the CD
        with:
          node-version: "<your-desired-node-version>"
          # No need to add the authToken or organization name at the end,
          # GitHub will handle that for you
          registry-url: "https://npm.pkg.github.com"
          # Defaults to the user or organization that owns the workflow file
          scope: "@<name-of-your-org>"
      - name: <your-name>
        run: npm install # or yarn install, depends on your setup
      - name: <your-name>
        run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
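
An added example (not part of the original post): a pre-publish guard that could run as a step before `npm publish`, failing when an .npmrc committed to the repository carries a literal `_authToken` instead of an environment reference such as `${NODE_AUTH_TOKEN}`, which is what keeps the workflow on the short-lived GITHUB_TOKEN. The function names, the `@my-org` scope and the sample files are hypothetical, and the token value is a placeholder.

```shell
#!/bin/sh
# Added example, not the author's code. Relies on npm expanding ${VAR}
# references in .npmrc, so a token line never needs a literal credential.

# npmrc_literal_tokens FILE
# Prints the registry host of every _authToken line whose value is a literal.
npmrc_literal_tokens() {
    # Keep only _authToken lines, then drop those whose value is a ${VAR} reference.
    grep -E '^[[:space:]]*//[^=]*:_authToken[[:space:]]*=' "$1" 2>/dev/null |
        grep -Ev '=[[:space:]]*"?\$\{[A-Za-z_][A-Za-z0-9_]*\}"?[[:space:]]*$' |
        sed -E 's#^[[:space:]]*//([^/:]+).*#\1#'
}

# check_npmrc FILE
# Returns 0 when the file is absent or clean, 1 when a literal token is present.
check_npmrc() {
    [ -f "$1" ] || return 0   # no committed .npmrc: nothing to leak
    bad=$(npmrc_literal_tokens "$1" || true)
    if [ -n "$bad" ]; then
        echo "literal _authToken for: $bad (use \${NODE_AUTH_TOKEN} instead)" >&2
        return 1
    fi
    return 0
}

# write_samples DIR
# Writes two constructed sample files (placeholder token, not a real one).
write_samples() {
    printf '%s\n' '@my-org:registry=https://npm.pkg.github.com' \
        '//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}' > "$1/good.npmrc"
    printf '%s\n' '@my-org:registry=https://npm.pkg.github.com' \
        '//npm.pkg.github.com/:_authToken=PLACEHOLDER_LITERAL_TOKEN' > "$1/bad.npmrc"
}

# When invoked with a path, check that file and exit with the result.
if [ "$#" -gt 0 ]; then
    check_npmrc "$1"
fi
```
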