
How to publish NPM packages to GitHub packages with internal visibility?


GitHub Enterprise seems to have a setting to make published packages visible to the Enterprise ("internal" instead of "private"). I have enabled the option under the organization's packages settings.

However, my packages are still published as "private". How can I publish a package with visibility "internal"?

Looking at the documentation, there should be a granular access package configuration. I don't see such an option.

I suspect it has something to do with this: "Once a repository is synced, you can't access the package's granular access settings. To customize the package's permissions through the granular package access settings, you must remove the synced repository first."

What does it mean to "sync" a repository and how do I remove such a sync (as the documentation suggests)?

Update: I can access the package with a PAT of a user that has read access to the repo. However, I would like to be able to use the default GitHub token inside a GitHub action in another repo (same enterprise). This however fails.


Solution

  • This works, at least for npm/js packages, but I believe that GitHub mislabels packages as "private" when they actually mean "internal". That is, they don't use the same nomenclature with packages as they do with repositories. (I agree that this is confusing.)

    I publish internal NPM packages with:

    npm publish --access public  # yes, it MUST be 'public'
    

    (after npm login, using my Github org credentials)

    Then I see them labelled as 'private' in the organization package listing. However, I (and others) in the organization can indeed install/consume them from other (internal) repositories, as long as we point NPM to the internal registry and authorize with an appropriate PAT:

    npm install @example-org/example-npm-module --registry=https://npm.pkg.github.com --_authToken=<PAT>
    

    Note that you MUST use a PAT to read/install published packages. For some reason, GitHub doesn't allow us to use the default GITHUB_TOKEN:

    To authenticate to a GitHub Packages registry within a GitHub Actions workflow, you can use:

    • GITHUB_TOKEN to publish packages associated with the workflow repository.
    • a PAT to install packages associated with other private repositories (which GITHUB_TOKEN can't access).

    See: https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry#authenticating-to-github-packages
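
The install described in the answer, run from a GitHub Actions workflow in another repository, can take the PAT from a repository secret instead of the command line, so the token does not appear in process arguments or the job definition. This is an added example, not part of the original answer; the secret name `PACKAGES_READ_PAT`, the workflow file name and the Node version are assumptions, and `@example-org` is the placeholder scope used above.

```yaml
# .github/workflows/build.yml in the consuming repository (constructed example)
name: build
on: [push]

permissions:
  contents: read   # the job's GITHUB_TOKEN is only used to check out this repo

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # setup-node writes a temporary .npmrc that maps the scope to the
      # GitHub Packages registry and reads the token from NODE_AUTH_TOKEN.
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://npm.pkg.github.com
          scope: '@example-org'

      # PACKAGES_READ_PAT is a hypothetical secret name. It holds a classic
      # PAT restricted to the read:packages scope, which is all an install needs.
      - run: npm ci
        env:
          NODE_AUTH_TOKEN: ${{ secrets.PACKAGES_READ_PAT }}
```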