Verdaccio - publish without being logged in? - npm

So if I understand the Verdaccio docs correctly, I should be able to publish a package if I set "publish" to "$all" in the config file.
But even though my config file looks like this:
storage: ./storage
uplinks:
  npmjs:
    url: https://registry.npmjs.org/
packages:
  '@*/*':
    access: $all
    publish: $all
    proxy: npmjs
  '**':
    proxy: npmjs
logs:
  - {type: stdout, format: pretty, level: http}
if I try to publish a scoped package, the command npm publish fails with ENEEDAUTH.
Am I missing something?
Can somebody tell me how to publish a package to my private Verdaccio repo WITHOUT having to be authenticated?
npm version: 7.4.3
node version: 15.7.0
verdaccio version: 4.11.0

Originally posted here
https://twitter.com/verdaccio_npm/status/1357798427283910660?s=21
But in a nutshell, npm@7 requires a token to publish, thus it is just a matter of faking a token to bypass npm. Verdaccio won't be able to verify the token and will fall back to an anonymous user; since your package access is set to $all, this role is also included for anonymous users.

Related

AWS install github private package in codeBuild

Hi, I have a CodePipeline to deploy my Angular app, and in that app I am using my private GitHub package. Everything is working locally etc. But on CodeBuild I have no idea how to register into the GitHub package repository.
My buildspec looks like:
version: 0.2
env:
  variables:
    S3_BUCKET: "{{s3_bucket_url}}"
    BUILD_ENV: "{{BUILD_ENV}}"
    BUILD_FOLDER: "dist"
phases:
  install:
    runtime-versions:
      nodejs: 14
  pre_build:
    commands:
      - echo Installing source NPM dependencies...
      - npm install
      - npm install -g @angular/cli
  build:
    commands:
      - echo Build started on `date` with $BUILD_ENV flag.
      - ng build $BUILD_ENV
  post_build:
    commands:
      - echo Build completed on `date`
artifacts:
  files:
    - '**/*'
  base-directory: 'dist*'
It fails on npm install because 404 Not Found - GET https://registry.npmjs.org. For example, in GitHub Actions I just simply define registry-url: 'https://npm.pkg.github.com' and that's correct.
Thanks for help :)
It fails because, in the execution context of the CodeBuild process, access to the repo containing the GitHub package is restricted, so it can't find the package because it doesn't have access to the repo's packages. You will need to authenticate to the GitHub Package API.
One way to authenticate is to create a Personal Access Token, include it in your CodeBuild Environment by linking a secret in the SecretsManager, then accessing that token in your buildspec script in the env section:
Create a personal access token: In GitHub, create a Personal access token with the read:packages permission. Here's a link to a tutorial on how to do that.
Register token as a secret in Secrets Manager: In SecretsManager, create a secret with one entry. Name the key of the entry GH_PERSONAL_ACCESS_TOKEN, and in the value field, provide the token that you created in step 1. Pick a descriptive name for your secret (something like codebuild/gh_token). Take note of the secret's name.
Authenticate to GitHub Packages using the Personal Access Token: In your buildspec script, you will need to retrieve the secret containing your Personal Access Token, then use that to authenticate before you run the npm install command:
env:
  secrets-manager:
    GH_PERSONAL_ACCESS_TOKEN: {SECRET_ARN}:PERSONAL_ACCESS_TOKEN # <- replace {SECRET_ARN} with arn of secret
phases:
  #...
  pre_build:
    commands:
      - echo Installing source NPM dependencies...
      # this is needed to set the url where the package is located
      - npm config set @OWNER:registry https://npm.pkg.github.com # <- replace OWNER with the organization/owner name
      # this is needed to set the personal access token that we created
      - npm config set //npm.pkg.github.com/:_authToken $GH_PERSONAL_ACCESS_TOKEN
      - npm install
      - npm install -g @angular/cli

Verdaccio: how to publish to custom server from Github Actions with proper credentials?

I have a working Verdaccio server hosted on a Google Cloud server. I am able to manually publish to it, but am struggling to create a GitHub Action to publish to it when I push to the master branch.
I have a script that works perfectly when publishing to the npmjs public repo. Here is the relevant part that works for npmjs.org:
- name: Publish to npm
  if: steps.semantic.outputs.new_release_published == 'true'
  run: |
    yarn install
    git checkout upm
    npm publish
  env:
    NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
Now, for my own server, I have included the following addition in package.json:
"publishConfig": {
  "registry": "http://my.ip.0.0:port"
},
And then in the repositories secrets, I have created an NPM_TOKEN secret with my user's token copied from my computer's .npmrc file after logging in.
I'm getting the following error from the Github Actions result:
npm ERR! code E401
npm ERR! Unable to authenticate, your authentication token seems to be invalid.
npm ERR! To correct this please trying logging in again with:
npm ERR! npm login
So I'm clearly not authenticating properly.
I tried (on the server's cli) using npm token create but it gave me an unauthorized error, and I tried the same on my computer locally after logging in too, and got the same error.
How can I authenticate my Github Actions publish to my custom Verdaccio server? I'm pretty new to this whole CI business, so I suspect I'm missing something quite basic. I suspect I'm doing it wrong using NPM_TOKEN, but it worked fine to publish to npmjs.org public repo.
Again, I can manually publish using npm publish from the terminal on my Mac (after logging into custom server with npm login), so I know that the server is set up properly.
After much googling, I found a solution from this tutorial https://remysharp.com/2015/10/26/using-travis-with-private-npm-deps
It's not written for GitHub Actions but the same procedure worked.
First, you need to log in to your private server from your computer. In your home folder look at the .npmrc file (turn on show hidden files).
Add this line to the YAML action file:
echo "//YOURREGISTRYADDRESS/:_authToken=\${NODE_AUTH_TOKEN}" > .npmrc
Note that it should actually be NODE_AUTH_TOKEN, NOT your actual token.
The part in the quotes should mostly match the entry in your .npmrc file (without the token).
So now it looks like this:
- name: Publish to npm
  if: steps.semantic.outputs.new_release_published == 'true'
  run: |
    yarn install
    git checkout upm
    echo "//YOURREGISTRYADDRESS/:_authToken=\${NODE_AUTH_TOKEN}" > .npmrc
    npm publish
  env:
    NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
Then in the Settings -> Secrets part of your GitHub repo, add a secret called NPM_TOKEN and paste in the auth token value from the .npmrc. It's a long series of letters and numbers.
Now this script should properly log in. Apparently the issue is that the default Verdaccio authorization plugin expects it to be used interactively. This line basically creates an .npmrc file on the fly and populates it with the correct info, as if you've already logged in interactively. The file isn't actually created though, and disappears after running, which is a nice touch. It also is pretty secure since it stores the token in the secrets part of the repo. The link above does a better job explaining it, so check it out!
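A helper, added here as an example (not code from any of the posts or from npm), that produces the two npmrc pieces the CodeBuild answer and this answer set by hand: the project-level scope-to-registry line and the user-level `//host/:_authToken=${NODE_AUTH_TOKEN}` line, plus a check that the referenced variable is actually set in the CI environment. Function names and the sample registry addresses are assumptions.

```python
"""npmrc helpers for CI publishing: derive the key npm looks credentials up
under, keep the project .npmrc free of secrets, and check that the token
variable is actually set before npm publish runs. Added example; the
function names and sample URLs are constructed for it."""
import re
from urllib.parse import urlsplit

def registry_auth_key(registry_url: str) -> str:
    """'//host/path/' form of a registry URL: scheme dropped, trailing slash
    enforced. npm matches '_authToken' on exactly this prefix, so a scheme
    or a missing slash in the .npmrc key means the token is never sent."""
    if "://" not in registry_url:
        registry_url = "https://" + registry_url
    parts = urlsplit(registry_url)
    path = parts.path if parts.path.endswith("/") else parts.path + "/"
    return f"//{parts.netloc}{path}"

def project_npmrc(scope: str, registry_url: str) -> str:
    """Project-level .npmrc: only the scope -> registry mapping, no secrets,
    so it can live next to package.json in git."""
    return f"@{scope.lstrip('@')}:registry={registry_url}\n"

def user_npmrc(registry_url: str, env_var: str = "NODE_AUTH_TOKEN") -> str:
    """Credential line for the user-level or CI-generated .npmrc. The value is
    written as ${VAR}; npm expands it when reading the file, so the file never
    holds the token itself (this is what the echo line above produces)."""
    return f"{registry_auth_key(registry_url)}:_authToken=${{{env_var}}}\n"

def unresolved_env_refs(npmrc: str, environ: dict) -> list:
    """Names referenced as ${NAME} in npmrc content that are unset or empty in
    environ. Anything returned here is an E401 waiting to happen."""
    refs = re.findall(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}", npmrc)
    return sorted({name for name in refs if not environ.get(name)})

if __name__ == "__main__":
    import os
    verdaccio = "http://my.ip.0.0:4873"      # constructed Verdaccio address
    github = "https://npm.pkg.github.com"    # GitHub Packages registry
    print(project_npmrc("myorg", github), end="")
    print(user_npmrc(github, "GH_PERSONAL_ACCESS_TOKEN"), end="")
    print(user_npmrc(verdaccio), end="")
    print("unset token vars:", unresolved_env_refs(user_npmrc(verdaccio), dict(os.environ)))
```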

Yarn can't authenticate with Github Packages - but npm can

What do I need to do to configure yarn to authenticate with Github Packages?
I've got a hello-world npm package that I'm trying to publish privately to github. I want to be able to use yarn instead of npm, but for some reason yarn can't authenticate with the Github Package service:
error Couldn't publish package: "https://npm.pkg.github.com/@myuser/test-models: Your request could not be authenticated by the GitHub Packages service. Please ensure your access token is valid and has the appropriate scopes configured."
NPM doesn't have any trouble publishing though, so I'm assuming it's some difference in the way yarn processes the config info.
Verbose yarn publish:
$ yarn publish --verbose
yarn publish v1.10.1
verbose 0.257170891 Checking for configuration file "/Users/myuser/sites/test-models/.npmrc".
verbose 0.257665932 Found configuration file "/Users/myuser/sites/test-models/.npmrc".
verbose 0.258189892 Checking for configuration file "/Users/myuser/.npmrc".
verbose 0.258433341 Found configuration file "/Users/myuser/.npmrc".
verbose 0.258899667 Checking for configuration file "/usr/local/etc/npmrc".
verbose 0.259174747 Checking for configuration file "/Users/myuser/sites/test-models/.npmrc".
verbose 0.259487532 Found configuration file "/Users/myuser/sites/test-models/.npmrc".
verbose 0.260003161 Checking for configuration file "/Users/myuser/sites/.npmrc".
verbose 0.260246617 Checking for configuration file "/Users/myuser/.npmrc".
verbose 0.260455656 Found configuration file "/Users/myuser/.npmrc".
verbose 0.260965719 Checking for configuration file "/Users/.npmrc".
verbose 0.263449669 Checking for configuration file "/Users/myuser/sites/test-models/.yarnrc".
verbose 0.263757077 Checking for configuration file "/Users/myuser/.yarnrc".
verbose 0.264027657 Found configuration file "/Users/myuser/.yarnrc".
verbose 0.264629421 Checking for configuration file "/usr/local/etc/yarnrc".
verbose 0.264905752 Checking for configuration file "/Users/myuser/sites/test-models/.yarnrc".
verbose 0.265187834 Checking for configuration file "/Users/myuser/sites/.yarnrc".
verbose 0.265428211 Checking for configuration file "/Users/myuser/.yarnrc".
verbose 0.265682381 Found configuration file "/Users/myuser/.yarnrc".
verbose 0.26612276 Checking for configuration file "/Users/.yarnrc".
verbose 0.268430721 current time: 2020-07-15T16:04:57.727Z
[1/4] Bumping version...
info Current version: 0.0.3
question New version:
info Proceeding with current version: 0.0.3
[2/4] Logging in...
[3/4] Publishing...
verbose 3.449685972 Performing "PUT" request to "https://npm.pkg.github.com/@myuser/test-models".
verbose 3.757506429 Request "https://npm.pkg.github.com/@myuser/test-models" finished with status code 401.
verbose 3.760342835 Error: Couldn't publish package: "https://npm.pkg.github.com/@myuser/test-models: Your request could not be authenticated by the GitHub Packages service. Please ensure your access token is valid and has the appropriate scopes configured."
    at MessageError.ExtendableBuiltin (/usr/local/Cellar/yarn/1.10.1/libexec/lib/cli.js:243:66)
    at new MessageError (/usr/local/Cellar/yarn/1.10.1/libexec/lib/cli.js:272:123)
    at /usr/local/Cellar/yarn/1.10.1/libexec/lib/cli.js:80723:13
    at Generator.throw (<anonymous>)
    at step (/usr/local/Cellar/yarn/1.10.1/libexec/lib/cli.js:98:30)
    at /usr/local/Cellar/yarn/1.10.1/libexec/lib/cli.js:111:13
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
error Couldn't publish package: "https://npm.pkg.github.com/@myuser/test-models: Your request could not be authenticated by the GitHub Packages service. Please ensure your access token is valid and has the appropriate scopes configured."
info Visit https://yarnpkg.com/en/docs/cli/publish for documentation about this command.
Yarn config:
$ yarn config list
yarn config v1.10.1
info yarn config
{
  'version-tag-prefix': 'v',
  'version-git-tag': true,
  'version-commit-hooks': true,
  'version-git-sign': false,
  'version-git-message': 'v%s',
  'init-version': '1.0.0',
  'init-license': 'MIT',
  'save-prefix': '^',
  'bin-links': true,
  'ignore-scripts': false,
  'ignore-optional': false,
  registry: 'https://registry.yarnpkg.com',
  'strict-ssl': true,
  'user-agent': 'yarn/1.10.1 npm/? node/v13.11.0 darwin x64',
  lastUpdateCheck: 1594760187916
}
info npm config
{
  '//registry.npmjs.org/:_authToken': '<auth_token1_here>',
  '@myuser:registry': 'https://npm.pkg.github.com',
  '//npm.pkg.github.com/:_authToken': '<auth_token2_here>',
  python: '/usr/bin/python'
}
✨ Done in 0.11s.
All my config files:
$ cat /Users/myuser/.npmrc
//registry.npmjs.org/:_authToken=[my-npm-token]
$ cat /Users/myuser/sites/test-models/.npmrc
@myuser:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=[my-github-token]
$ cat /Users/myuser/.npmrc
//registry.npmjs.org/:_authToken=[my-npm-token]
$ cat /Users/myuser/.yarnrc
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1
lastUpdateCheck 1594760187916
For npm.pkg.github.com/:_authToken, you could try and use the third type of token which was just released yesterday (Oct. 2nd, 2020):
npm automation tokens
npm is introducing a new setting for access tokens to support publishing to the npm registry from CI/CD workflows.
Previously, you could create an access token with one of two settings: read-only, and publish.
A publish token allows you to publish packages, like the name implies, but if you have two-factor authentication (2FA) enabled on your account, you'll be prompted for your one-time passcode.
We recommend that people set up 2FA on their account for added security, but requiring a passcode means that all publishing must be done interactively. Many people want to automate their publish step with a CI/CD workflow.
Today, we've added a third option for access tokens: automation. You can create an automation token in your access token settings page.
Using an automation token will not prompt for a one-time passcode, meaning that you can use it as a secret in your publish workflow. Now you can publish a package directly to the npm registry when you cut a release.
If you're a package maintainer, and you want to require that publishers to your package continue to use two-factor authentication and publish interactively, you can do that in the package settings.
If you already required 2FA, there's no change to this behavior; automation tokens won't be accepted unless you allow them to be.
If you've been waiting to enable two-factor authentication on your npm account because it prevented you from publishing in an automated workflow, you can now set up an automation token and enable 2FA.

Azure DevOps pipeline - authentication failure when trying to connect to private npm registry

I am trying to use an npm package from a private repository hosted in a different Azure DevOps organisation. I am getting the following error on the npm install step:
npm ERR! code E401
npm ERR! Unable to authenticate, need: Bearer authorization_uri=https://login.windows.net/2dfb2f0b-4d21-4268-9559-72926144c918, Basic realm="https://pkgsprodcus1.pkgs.visualstudio.com/", TFS-Federated
My project .npmrc file looks like this:
@{scope}:registry=https://pkgs.dev.azure.com/{ORG}/{PROJECT}/_packaging/{FEED}/npm/registry/
always-auth=true
strict-ssl=false
I have followed the documentation on setting up the PAT token with Packaging Read & Write permission
I have tried connecting by setting up a service connection which did not work.
I have also tried to by adding the credentials to the project .npmrc file and that does not work either.
.npmrc file with creds:
@{scope}:registry=https://pkgs.dev.azure.com/{ORG}/{PROJECT}/_packaging/{FEED}/npm/registry/
always-auth=true
strict-ssl=false
//pkgs.dev.azure.com/{ORG}/{PROJECT}/_packaging/{FEED}/npm/registry/:username=ANYTHING-BUT-EMPTY
//pkgs.dev.azure.com/{ORG}/{PROJECT}/_packaging/{FEED}/npm/registry/:_password=BASE64-ENCODED-PAT
//pkgs.dev.azure.com/{ORG}/{PROJECT}/_packaging/{FEED}/npm/registry/:email={EMAIL}
/pkgs.dev.azure.com/{ORG}/{PROJECT}/_packaging/{FEED}/npm/registry/:always-auth=true
I have regenerated the PAT numerous times with different scopes but none worked. (I am generating the PAT from User Settings -> Security in Azure DevOps)
I am able to connect to the feed from my local machine using the vsts-npm-auth package.
According to the document Set up your client's npmrc, we need to put the .npmrc containing the credentials in $home for Linux or Mac systems, or $env.HOME for Windows systems, on the development machine, instead of setting it in the project .npmrc file.
On your development machine, you will also have a .npmrc in $home for Linux or Mac systems or $env.HOME for win systems. This .npmrc should contain credentials for all of the registries that you need to connect to. The NPM client will look at your project's .npmrc, discover the registry, and fetch matching credentials from $home/.npmrc or $env.HOME/.npmrc. Credential acquisition will be discussed in the next section.
And:
You should have a project specific .npmrc containing only your feed's registry information that you discovered from the "Connect to Feed" dialog. There should be no credentials in this file and the file itself is usually adjacent to your project's package.json.
Besides, if you want to use the hosted agent, you could use the npm Authenticate task for authentication.
Hope this helps.
In my case, I needed to add an explicit npmAuthenticate step to log-in to the private NPM registry using the pipeline's credentials before the step in which npm install / yarn install was called, like so:
- task: npmAuthenticate@0
  inputs:
    workingFile: "$(Build.SourcesDirectory)/path/to/my/.npmrc"

Forbid npm unpublish on client computer

Hello, I would like to know if a special npm configuration could:
enable npm publish
disable npm unpublish --force [IDEAL]
disable all npm unpublish commands
I am using Verdaccio as a private package repository, and I know that they are working on a special configuration that can achieve this. But does that feature/configuration already exist on a client computer using npm?
This feature is available in Verdaccio since v4.0.0-alpha.5
https://github.com/verdaccio/verdaccio/blob/4.x/CHANGELOG.md#features
For instance
'vue':
  access: $all
  publish: $authenticated
  unpublish: admin
  proxy: npmjs
We are introducing a new property called unpublish to be able to handle such a situation. For backward compatibility, if unpublish is not defined, it will rely on publish, as it works in previous versions.
For more info check our docs
https://verdaccio.org/docs/en/packages#unpublishing-packages
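An audit script, added as an example and not code from Verdaccio or either post, that reads a Verdaccio config with a minimal parser and lists every package pattern whose publish or unpublish right includes $all, applying the fallback this answer describes (unpublish inherits publish when unset). Run against the config from the first question on this page, it flags both actions for '@*/*'. The parser and the function names are assumptions of this example.

```python
"""Flag Verdaccio package rules that let anonymous users publish or unpublish.
Added example; the parser covers only the nested 'key: value' mapping subset
used in the configs on this page (list items and comments are skipped)."""
import re
# Constructed sample: the first question's config, scope glob as '@*/*'.
ANON_PUBLISH_CONFIG = """\
uplinks:
  npmjs:
    url: https://registry.npmjs.org/
packages:
  '@*/*':
    access: $all
    publish: $all
    proxy: npmjs
  '**':
    proxy: npmjs
logs:
  - {type: stdout, format: pretty, level: http}
"""
def parse_mapping_yaml(text: str) -> dict:
    """Indentation-driven parser for nested mappings; quoted keys lose quotes."""
    root = {}
    stack = [(-1, root)]                      # (indent, mapping being filled)
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()   # drop trailing comments
        body = line.lstrip()
        if not body or body.startswith(("#", "-")):
            continue
        indent = len(line) - len(body)
        key, _, value = body.partition(":")
        key, value = key.strip().strip("'\""), value.strip()
        while stack[-1][0] >= indent:         # leave deeper or sibling mappings
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def anonymous_write_rules(config: dict) -> list:
    """(pattern, action, roles) for each package rule whose publish or unpublish
    includes $all, the role anonymous users carry; unpublish inherits publish
    when unset (the Verdaccio 4 fallback described in the answer above)."""
    findings = []
    for pattern, rules in config.get("packages", {}).items():
        publish = rules.get("publish")
        unpublish = rules.get("unpublish", publish)
        for action, roles in (("publish", publish), ("unpublish", unpublish)):
            if roles and "$all" in roles.split():
                findings.append((pattern, action, roles))
    return findings

if __name__ == "__main__":
    print(anonymous_write_rules(parse_mapping_yaml(ANON_PUBLISH_CONFIG)))
```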