見出し画像

Publishing private NPM packages via GitHub

株式会社readytowork

クリエイター : Prajwol Kc , 株式会社readytowork ネパール支店 チームマネージャー
When using the NPM package, there are certain conditions where we need to install the NPM package that is private and only specific to our use case. This package is tagged as private which is not installed by the public user except our own entity.

We can create a package and test it as private. We can follow the following step.

The first step is to Publish the Package to Github

Create a file release-package.yml inside .github/workflows folder.

.github/workflows/release-package.yml

A sample file as

name: Node.js Package relase

on:
  release:
    types: [created]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 16
      - run: npm ci

  publish-gpr:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 16
          registry-url: https://npm.pkg.github.com/
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}${{secrets.GITHUB_TOKEN}}

${{secrets.GITHUB_TOKEN}} — This should be generated from the GitHub token generator. https://github.com/settings/tokens
We can add an npm test if needed as — run: npm test
Just commit the changes to the package and push it to our private repo.
The work on the package is done. The publishing package is now private.
Now we need to add the private package to our project. Create .npmrc file
Inside npmrc file, the content will be like this

# In case of scripbox packages, scope is going to be scripbox
@<scope>:registry = https://npm.pkg.github.com

_authToken = <AUTH_TOKEN>
always-auth = true<scope> should be the repo owner label

<AUTH_TOKEN> should be generated from https://github.com/settings/tokens with proper permission.
Now just need to add the private package which will be an authorized repo, as

yarn add @xyz/xyz-abc@1.0.0

The version number will be fetched from the publishing package as a tag.
Now we are using the private package, in our project which won’t be accessed by the public.
Ref: https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry#installing-a-package