Installing private Github Package using yarn on Github Actions is Unauthorized with yarn.lock

Question

There are a lot of similar issues already floating around:

• Install private github package from package.json on Github Actions
• Download private module from Github Package Registry via Yarn within a Github Action? Publishing works, but installing is met with '401 Unauthorized'
• Installing private package from Github Package registry using Yarn fails with not authorized

However, our issue seems different, because:

• yarn install runs fine on a local machine
• the issue is only when using Github Actions
• yarn install succeeds on GH Actions if we delete yarn.lock

Has anyone run into this before? Specifically with it not working with a yarn.lock file?

In case it matters, here's the setup:

build.yml:

    steps:
    - uses: actions/checkout@v2
    - uses: actions/setup-node@v1
      with:
        node-version: '10.x'
        registry-url: 'https://npm.pkg.github.com'
    - name: Install
      run: yarn install
      env:
        # GITHUB_TOKEN can't access packages hosted in private repos,
        # even within the same organisation
        NODE_AUTH_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
    - name: Build
      run: yarn build
    - name: Test
      run: yarn test --forbid-only

We also have a .npmrc file for local installs:

@<org>:registry=https://npm.pkg.github.com

But no .yarnrc file.

Answer 1

We managed to solve this by explicitly duplicating the .npmrc config in the build.yml config:

      - uses: actions/setup-node@v1
        with:
          node-version: '10.x'
          registry-url: 'https://npm.pkg.github.com'
          # These following two lines are the key:
          always-auth: true
          scope: '@reedsy'