Releasing package to Github Package Registry throws 401 Unauthorized

[leovanhaaren]

Describe the bug When using the Github package Registry, a error is thrown npm notice npm ERR! code E401 npm ERR! 401 Unauthorized - PUT https://npm.pkg.github.com/@organisation/our-repo

From what I can find out, it must have something to do with the .npmrc not being 100% correct. The RELEASE_TOKEN token has the correct permissions, as it is the same for both workflows.

Workflow

name: Release

on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main
      - next
      - next-major
      - alpha
      - beta

jobs:
  release:
    name: release
    runs-on: self-hosted
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          persist-credentials: false # needed so that jellow-holding user gets used for git push

      - name: Setup Node.js with GitHub Package Registry
        uses: actions/setup-node@v1
        with:
          node-version: 14
          registry-url: 'https://npm.pkg.github.com'

      - name: Semantic Release
        uses: cycjimmy/semantic-release-action@v2
        id: semantic # Need an `id` for output variables
        with:
          extra_plugins: |
            @semantic-release/git
            @semantic-release/changelog
        env:
          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} # PAT is needed because GITHUB_TOKEN is not allowed to push to protected branch
          NPM_TOKEN: ${{ secrets.RELEASE_TOKEN }}

Expected behavior A release and package is published to the repository in GItHub

Additional context The workflow below works as a workaround:

jobs:
  release:
    name: release
    runs-on: self-hosted
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          persist-credentials: false # needed so that jellow-holding user gets used for git push

      - name: Setup Node.js with GitHub Package Registry
        uses: actions/setup-node@v1
        with:
          node-version: 14
          registry-url: 'https://npm.pkg.github.com'

      - name: Semantic Release
        uses: cycjimmy/semantic-release-action@v2
        id: semantic # Need an `id` for output variables
        with:
          extra_plugins: |
            @semantic-release/git
            @semantic-release/changelog
        env:
          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} # PAT is needed because GITHUB_TOKEN is not allowed to push to protected branch

        # publishing is a seperate step as `cycjimmy/semantic-release-action` does not work properly
      - name: Publish package to GitHub Package Registry
        run: npm publish
        if: steps.semantic.outputs.new_release_published == 'true'
        env:
          NODE_AUTH_TOKEN: ${{ secrets.RELEASE_TOKEN }}`

module.exports = {
  "dryRun": false,
  "branches": [
    '+([0-9])?(.{+([0-9]),x}).x',
    'main',
    'next',
    'next-major',
    {
      "name": 'beta',
      "prerelease": true
    },
    {
      "name": 'alpha',
      "prerelease": true
    }
  ],
  "plugins": [
    "@semantic-release/commit-analyzer",
    "@semantic-release/release-notes-generator",
    [
      "@semantic-release/changelog",
      {
        "changelogFile": "docs/CHANGELOG.md"
      }
    ],
    ["@semantic-release/npm", {
      "npmPublish": false,
    }],
    "@semantic-release/github",
    [
      "@semantic-release/git",
      {
        "assets": [
          "docs/CHANGELOG.md",
          "package.json",
          "package-lock.json"
        ],
        "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
      }
    ]
  ]
};

[agierlicki]

I had the same issue and solved it by passing NODE_AUTH_TOKEN to the env of the semantic step. I debugged it locally and the npmrc that semantic generated was the exact one that setup-node built so it still had the ${NODE_AUTH_TOKEN} inside.

[vishnu-buildd]

@agierlicki I am running into the same issues. Could you please help out. I use the following config

      - name: release
        run: npx semantic-release
        env:
          GH_TOKEN: ${secrets.GITHUB_TOKEN}
          NODE_AUTH_TOKEN: ${secrets.NPM_TOKEN}

NPM_TOKEN is a gh personal token that I generated. This simply doesn't work for me. Any help is much appreaciated.

[agierlicki]

It might be that the GITHUB_TOKEN doesn't have all the permissions. I just used the same personal access token with repo, write:package rights for both env vars and it worked. So something like

- name: Release
  uses: cycjimmy/semantic-release-action@v2
  with:
  branch: main
  env:
    NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
    GH_TOKEN: ${{ secrets.NPM_TOKEN }}

[vishnu-buildd]

Aah. Mine was very stupid. I know this is not the place to post solutions, but just following up if anyone ends up here and finds this helpful. My code didn't use ${{secrets.GITHUB_TOKEN}} (the double curly brackets).

[tszawara]

@agierlicki I am running into the same issues. Could you please help out. I use the following config

      - name: release
        run: npx semantic-release
        env:
          GH_TOKEN: ${secrets.GITHUB_TOKEN}
          NODE_AUTH_TOKEN: ${secrets.NPM_TOKEN}

NPM_TOKEN is a gh personal token that I generated. This simply doesn't work for me. Any help is much appreaciated.

Your config plus: permissions: packages: write works for me