How to "npm install" private packages without token?

[msageryd]

Why are you starting this discussion?

Question

What GitHub Actions topic or product is this about?

Workflow Configuration

Discussion Details

I have now migrated my workflows to GH Actions and OIDC for all of my internal private packages. But I cannot grasp how to "npm install" without using an actual token. The whole point of migrating was to get rid of the token rotation maintenance-hell. I got rid of it for publishing, but it seems as I'm stuck with tokens for npm install, i.e. good old .npmrc but with the added rotation burden.

Did I miss something?

[4syr]

Response to Issue #181148

How to "npm install" private packages without token?

---

Hi there,

Great question! I understand your frustration with token rotation after migrating to OIDC. Let me clarify the current situation and provide some solutions.

Understanding the Current Limitation

You're correct that while OIDC works great for publishing packages, installing private npm packages still requires authentication. However, there are ways to minimize the token rotation burden.

Solution Options

Option 1: Use GitHub Actions GITHUB_TOKEN (Recommended)

If your private packages are hosted on GitHub Package Registry, you can use the built-in GITHUB_TOKEN:

- name: Setup Node.js
  uses: actions/setup-node@v4
  with:
    node-version: '20'
    registry-url: 'https://npm.pkg.github.com'
    scope: '@your-org'

- name: Install dependencies
  run: npm install
  env:
    NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Benefits:

• No token rotation needed
• Automatically provided by GitHub Actions
• Scoped to the workflow run

Option 2: Use npm Granular Access Tokens (for npm Registry)

If you're using the official npm registry, you can use granular access tokens with longer expiration:

- name: Setup .npmrc
  run: |
    echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc

- name: Install dependencies
  run: npm install

Note: While this still requires a token, granular tokens are more secure and can be scoped to specific packages.

Option 3: GitHub App Authentication (Advanced)

For enterprise setups, you can create a GitHub App that generates short-lived tokens:

- name: Generate token
  id: generate_token
  uses: actions/create-github-app-token@v1
  with:
    app-id: ${{ secrets.APP_ID }}
    private-key: ${{ secrets.APP_PRIVATE_KEY }}

- name: Install dependencies
  run: npm install
  env:
    NODE_AUTH_TOKEN: ${{ steps.generate_token.outputs.token }}

Key Points to Remember

• OIDC is primarily for publishing/pushing to registries that support it
• Installing packages still requires authentication (token or credentials)
• GitHub Package Registry with GITHUB_TOKEN is the most seamless solution for private packages in GitHub Actions
• If using npm registry, token rotation is still necessary for security

Did You Miss Something?

No, you didn't miss anything! The authentication requirement for npm install is by design for security. The key is choosing the right authentication method for your registry:

• GitHub Packages → Use GITHUB_TOKEN (no rotation)
• npm Registry → Use granular tokens (less frequent rotation)
• Private Registry → Check if your registry supports OIDC for consumption

Additional Resources

• [GitHub Actions - Publishing Node.js packages](https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages)
• [GitHub Packages - Working with npm registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry)
• [npm - About access tokens](https://docs.npmjs.com/about-access-tokens)

---

Hope this clarifies the situation! Let me know if you need help implementing any of these solutions.

Best regards,
Asyrafi

[thomaslagies]

There is still the problem if you try to install another npm package within the workflow run.
Let's say you built a service that has 3 private node modules. You can't install them without a PAT.

Neither the $GITHUB_TOKEN nor the GitHub App is able to install it.

I don't know why you are able to provide Packages - read/write to the GitHub App and it is still not able to install packages
from your very own ghcr.io package registry