2

I have a working Verdaccio server hosted on a Google Cloud server. I am able to manually publish to it, but am struggling to create a GitHub Action to publish to it when I push to the master branch.

I have a script that works perfectly when publishing to the npmjs public repo. Here is the relevant part that works for npmjs.org:

- name: Publish to npm
  if: steps.semantic.outputs.new_release_published == 'true'
  run: |
    yarn install
    git checkout upm
    npm publish
  env:
    NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}

Now, for my own server, I have included the following addition in package.json:

"publishConfig": {
    "registry": "http://my.ip.0.0:port"
},

And then in the repository's secrets, I have created an NPM_TOKEN secret with my user's token copied from my computer's .npmrc file after logging in.

I'm getting the following error from the GitHub Actions result:

npm ERR! code E401
npm ERR! Unable to authenticate, your authentication token seems to be invalid.
npm ERR! To correct this please trying logging in again with:
npm ERR!     npm login

So I'm clearly not authenticating properly.

I tried (on the server's CLI) using npm token create but it gave me an unauthorized error, and I tried the same on my computer locally after logging in too, and got the same error.

How can I authenticate my GitHub Actions publish to my custom Verdaccio server? I'm pretty new to this whole CI business, so I suspect I'm missing something quite basic. I suspect I'm doing it wrong using NPM_TOKEN, but it worked fine to publish to the npmjs.org public repo.

Again, I can manually publish using npm publish from the terminal on my Mac (after logging into custom server with npm login), so I know that the server is set up properly.

Adam B

1 Answer

2

After much googling, I found a solution from this tutorial: https://remysharp.com/2015/10/26/using-travis-with-private-npm-deps

It's not written for GitHub Actions but the same procedure worked.

First, you need to log in to your private server from your computer. In your home folder, look at the .npmrc file (turn on show hidden files).

Add this line to the YAML action file:

echo "//YOURREGISTRYADDRESS/:_authToken=\${NODE_AUTH_TOKEN}" > .npmrc

Note that it should actually be NODE_AUTH_TOKEN, NOT your actual token.

The part in the quotes should mostly match the entry in your .npmrc file (without the token).

So now it looks like this:

- name: Publish to npm
  if: steps.semantic.outputs.new_release_published == 'true'
  run: |
    yarn install
    git checkout upm
    echo "//YOURREGISTRYADDRESS/:_authToken=\${NODE_AUTH_TOKEN}" > .npmrc
    npm publish
  env:
    NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}

Then in the Settings -> Secrets part of your GitHub repo, add a secret called NPM_TOKEN and paste in the auth token value from the .npmrc. It's a long series of letters and numbers.

Now this script should properly log in. Apparently the issue is that the default Verdaccio authorization plugin expects it to be used interactively. This line basically creates an .npmrc file on the fly and populates it with the correct info, as if you've already logged in interactively. The file isn't actually created though, and disappears after running, which is a nice touch. It also is pretty secure since it stores the token in the secrets part of the repo. The link above does a better job explaining it, so check it out!

Adam B
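
The step described in the answer, as an added example (not part of the original post or of Verdaccio): shell functions that derive the .npmrc key from the registry URL, write the placeholder line with owner-only permissions, and check that the secret value itself was not written to the file. The function names and the `registry.example.test` address are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: build the .npmrc auth entry for a private registry in CI.
# Function names are hypothetical; registry.example.test is a constructed address.

# Turn a registry URL into the key npm expects in .npmrc:
#   http://registry.example.test:4873  ->  //registry.example.test:4873/
npmrc_registry_key() {
  local url="$1"
  case "$url" in
    http://*|https://*) ;;
    *) echo "registry URL must start with http:// or https://" >&2; return 1 ;;
  esac
  local rest="${url#*:}"   # drop the scheme, keep the leading //
  rest="${rest%/}"         # normalise to exactly one trailing slash
  printf '%s/\n' "$rest"
}

# Emit the auth line. Single quotes keep ${NODE_AUTH_TOKEN} literal;
# npm substitutes it from the environment when it reads the file.
npmrc_auth_line() {
  local key
  key="$(npmrc_registry_key "$1")" || return 1
  printf '%s:_authToken=${NODE_AUTH_TOKEN}\n' "$key"
}

# Write the file readable by the owner only, then confirm the secret
# value itself never reached disk.
write_ci_npmrc() {
  local registry="$1" target="$2"
  ( umask 077; npmrc_auth_line "$registry" > "$target" ) || return 1
  if [ -n "${NODE_AUTH_TOKEN:-}" ] && grep -qF -- "$NODE_AUTH_TOKEN" "$target"; then
    echo "token value found in $target" >&2; return 1
  fi
  case "$registry" in
    # Over plain http the bearer token travels unencrypted.
    http://*) echo "warning: token will be sent unencrypted to $registry" >&2 ;;
  esac
}

# In a workflow step (with NODE_AUTH_TOKEN set under env:):
#   write_ci_npmrc "https://registry.example.test:4873" .npmrc && npm publish
```

The registry passed in should be the same URL as `publishConfig.registry` in package.json, since npm only sends the token to a registry whose address matches the key in .npmrc.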