Getting 403 Forbidden from Artifact Registry While Deploying a Cloud Function - node.js

What I Want to Do
I have published my private npm package onto Artifact Registry, and the diagram below is what I'm trying to do.
Basically I want to use the private package from both project-staging and project-production. So my package.json looks something like:
"dependencies": {
"@<scope>/private_package": "^1.0.0",
},
What I Did
Giving Permission to Cloud Build Service Account
I gave artifactregistry.reader permission to both <project-staging_id>@cloudbuild.gserviceaccount.com and <project-production_id>@cloudbuild.gserviceaccount.com under the IAM menu in project-common.
.npmrc Preparation
cd path/to/project_directory
gcloud artifacts print-settings npm \
--project=project-common \
--repository=private_package \
--location=<location> \
--scope=@<scope>
vim .npmrc
# => add the output of above gcloud command
npx google-artifactregistry-auth .npmrc
deploy
gcloud config configurations activate project-staging
gcloud functions deploy <function_name> --gen2 --region=<region> --trigger-http --runtime=nodejs16 --entry-point=<entry_point>
This gives me the following error.
ERROR: (gcloud.functions.deploy) OperationError: code=3, message=Build failed with status: FAILURE and message: npm ERR! code E403
npm ERR! 403 403 Forbidden - GET https://<URL>.tgz - Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "<resource_name>" (or it may not exist)
I don't know why I'm getting this even though
<project-staging_id>@cloudbuild.gserviceaccount.com has artifactregistry.reader permission.
Is there anything else I should do?

Normally the role roles/artifactregistry.reader is sufficient to download packages from the repo on project_common.
If project_staging and project_production have the roles/artifactregistry.reader on project_common it should work.
The roles/artifactregistry.reader role contains the following permissions:
artifactregistry.repositories.list
artifactregistry.repositories.get
artifactregistry.repositories.downloadArtifacts
artifactregistry.files.list
artifactregistry.files.get
artifactregistry.packages.list
artifactregistry.packages.listTagBindings
artifactregistry.repositories.listEffectiveTags
artifactregistry.packages.list
artifactregistry.tags.list
artifactregistry.tags.get
artifactregistry.versions.list
artifactregistry.versions.get
artifactregistry.locations.list
artifactregistry.locations.get
Please check again your configuration and the identity that performs the failed action.

This was because I had added .npmrc to .gcloudignore. Removing .npmrc from .gcloudignore made it work. Silly mistake.
I'm going to try Automate and protect your Cloud Function as a next step, but for now my problem has been solved :)
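The failure in this thread, a .gcloudignore entry that keeps .npmrc out of the uploaded source so the remote build cannot resolve the private scope, can be checked before deploying. This is an added example, not code from the original posts; the matcher is a simplified gitignore-style implementation, and the scope, location and registry URL in the sample are placeholders.

```javascript
// Simplified gitignore-style matcher: comments, "!" negation, trailing "/"
// (directory) and "*" globs only. Not a full .gcloudignore implementation.
function isIgnored(ignoreText, relPath) {
  let ignored = false;
  for (const raw of ignoreText.split(/\r?\n/)) {
    let pat = raw.trim();
    if (pat === '' || pat.startsWith('#')) continue;
    const negate = pat.startsWith('!');
    if (negate) pat = pat.slice(1);
    const dirOnly = pat.endsWith('/');
    if (dirOnly) pat = pat.slice(0, -1);
    const anchored = pat.includes('/'); // a remaining slash pins the pattern to the root
    if (pat.startsWith('/')) pat = pat.slice(1);
    const body = pat.replace(/[.+^${}()|[\]\\?]/g, '\\$&').replace(/\*/g, '[^/]*');
    const re = new RegExp((anchored ? '^' : '(^|/)') + body + (dirOnly ? '/' : '(/|$)'));
    if (re.test(relPath)) ignored = !negate; // last matching rule wins
  }
  return ignored;
}

// Scopes that .npmrc routes to their own registry ("@scope:registry=https://...").
function privateScopes(npmrcText) {
  return [...npmrcText.matchAll(/^\s*(@[^:\s]+):registry\s*=/gm)].map((m) => m[1]);
}

// Dependencies whose scope is routed by an .npmrc that the upload would leave out.
function depsBrokenByIgnore(packageJsonText, npmrcText, gcloudignoreText) {
  if (!isIgnored(gcloudignoreText, '.npmrc')) return [];
  const scopes = new Set(privateScopes(npmrcText));
  const deps = Object.keys(JSON.parse(packageJsonText).dependencies || {});
  return deps.filter((name) => scopes.has(name.split('/')[0]));
}

// Constructed sample inputs; scope, location and registry URL are placeholders.
const SAMPLE_PACKAGE_JSON =
  '{"dependencies": {"@myscope/private_package": "^1.0.0", "express": "^4.18.0"}}';
const SAMPLE_NPMRC =
  '@myscope:registry=https://LOCATION-npm.pkg.dev/project-common/private_package/\n';
const BAD_IGNORE = '.gcloudignore\n.git\nnode_modules/\n.npmrc\n';
const GOOD_IGNORE = '.gcloudignore\n.git\nnode_modules/\n';

console.log(depsBrokenByIgnore(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, BAD_IGNORE));
console.log(depsBrokenByIgnore(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, GOOD_IGNORE));
```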

Related

Azure App Service Deployment with private Github repo as dependency fails during build

I have a react based application that pulls in code from another private repository.
In my package.json this appears as
"mylib": "github:orgname/mylib"
And it all works locally.
When I deploy to Azure App Service I get the following error
npm ERR! Error while executing:
npm ERR! C:\Program Files\Git\bin\git.EXE ls-remote -h -t ssh://git@github.com/orgname/mylib.git
npm ERR!
npm ERR! Host key verification failed.
npm ERR! fatal: Could not read from remote repository.
npm ERR!
npm ERR! Please make sure you have the correct access rights
npm ERR! and the repository exists.
npm ERR!
npm ERR! exited with error code: 128
I grabbed the public key from
https://[appname].scm.azurewebsites.net/api/sshkey?ensurePublicKey=1
and tried adding it to the account, organisation and repo on github, but I’m still getting the same error.
Is there something obvious I’m missing here?
To deploy an application to Azure App Service using a private GitHub repository, below is one workaround you can follow:
I created a demo application in VS Studio (.NET) and pushed the project to a private repository on my GitHub.
Create an app service in the Azure Portal. Go to Deployment Center > select your organization as GitHub and the repository (your private repository), and save it.
After some time your application will be reflected on the Azure portal.
For more information please refer to the links below:
SO THREAD How Can I deploy Apps in app service with private GitHub repository
BLOG: Deploy Create React App to Azure App Services
MS Q&A: Cannot deploy NodeJS app from private GitHub repo.

I can not use private repo as npm dependency in circleci deploys

I'm using circle ci to deploy a serverless built in nodejs. And I added a private github repo as a dependency of the main repo. E.g.:
// package.json
.....
"dependencies": {
"my-private-github-repo": "git+ssh://git@github.com:company-name/my-private-github-repo.git",
.....
},
.....
The problem is that I need to give the deploy process access to read and clone the private repo when npm install runs.
I have configured my ssh user keys in circle ci; I followed the steps in this documentation: creating-a-bitbucket-user-key, and I'm also adding it in my config.yml like this:
// .circleci/config.xml
....
steps:
  - add_ssh_keys:
      fingerprints:
        - "My fingerprint"
....
But during the cicd it throws this message: 'There are no configured ssh keys to install'
There are no configured ssh keys to install
and, of course, npm install fails because it cannot access the repo.
Any clue? Thanks anyway
This thread mentions:
When this error appears, it typically means that the ssh keys have not been configured in all locations.
SSH keys will need to be set in both the project setting's page and within the config.yml.
Just in case, double-check the URL https://app.circleci.com/settings/project/github/<your organization name>/<project name>/ssh and see if it matches Checkout SSH Keys page mentioned in the official documentation

NPM dependencies to another private Bitbucket repo Azure DevOps pipeline authentication fails

I'm working on an Azure DevOps build pipeline for a project. I can't make any changes to the code itself besides the azure-pipeline.yaml file. (And to be honest, I know very little about the project itself.)
I'm stuck on the NPM install dependencies step. I'm currently working with the YAML pipeline, but if there's a solution in the classic mode I'll go with that.
The issue is the following:
I've created the pipeline with and I check out a private Bitbucket repository according to the documentation:
resources:
  repositories:
  - repository: MyBitBucketRepo1
    type: bitbucket
    endpoint: MyBitBucketServiceConnection
    name: MyBitBucketOrgOrUser/MyBitBucketRepo
Next I set the correct version of node, and execute a npm install task
- task: Npm@1
  displayName: 'NPM install'
  inputs:
    command: 'install'
    workingDir: 'the working directory'
So far so good. But there is a dependency on another Bitbucket repository. In the package.json there is a dependency like this:
another-dependency: git:https://bitbucket.org/organisation/repo.git#v1.1.3
I do have access to this repository, but if I run NPM install it can't re-use the credentials from the first repository.
I've tried adding both repositories to the resources in the hope that would work. But still the same error:
error fatal: Authentication failed for 'https://bitbucket.org/organisation/repo.git/'
I've tried to set up some caching mechanism, run npm install on the 2nd repo, store the dependencies, run npm install on the first one. But that didn't work unfortunately.
Is there a way in Azure Devops pipelines -without making changes to the project set-up- to make this work?
Thanks!
Normally I have the .npmrc in the repo so I don't have to add any other task. Something like in this guide:
https://learn.microsoft.com/en-us/azure/devops/artifacts/get-started-npm?view=azure-devops&tabs=windows
I've never done something like that, but I think that you can authenticate with the external feed by adding this task:
https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/package/npm-authenticate?view=azure-devops
Reading a bit more, I don't know if you can do this without adding a .npmrc to your repo. You have to create a ServiceConnection to store your login credentials, but for that you will need the .npmrc in your repo.
Try it and tell me if this helps!!
Npm will prompt for passwords when you run npm install command for your package.json locally. Since we can't enter the password during pipeline run in CI/CD pipeline, it causes the Authentication failed error.
An alternative workaround is to add credentials directly in the URL, like this:
"dependencies": {
"another-dependency": "git+https://<username>:<password>@bitbucket.org/xxx/repo.git"
}
See app-password:
username: your normal Bitbucket username
password: the app password
It has a disadvantage, since we store the app password directly as plain text in the package.json file, which lacks security if someone else can access your package.json file. So it depends on you whether to use this workaround.
As a workaround for Azure Devops pipeline:
You can add a File Transform task to replace the old url with new Username+Password url before your npm install steps.
1. I have a package.json in the root directory with content like git:https://bitbucket.org/organisation/repo.git#v1.1.3.
2. Define a dependencies.another-dependency variable with value git+https://<username>:<password>@bitbucket.org/..., and set it as secret!
3. Then add the File Transform task like this:
4. Finally you'll get a new package.json file with content below:
It won't actually affect your package.json file under version control; it just adds credentials temporarily during your pipeline.
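Because the first workaround above places an app password inside a dependency URL, a build can check package.json for such URLs and report them with the secret redacted. This is an added example, not code from the original answers; the sample package.json and its credential values are constructed.

```javascript
// Flag dependency specifiers that carry a secret in the URL's userinfo part.
function findEmbeddedCredentials(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      let url;
      try {
        // Strip npm's "git+" prefix so the URL parser sees a plain scheme.
        url = new URL(String(spec).replace(/^git\+/, ''));
      } catch (err) {
        continue; // semver ranges and scp-style git URLs are not parseable URLs
      }
      if (url.password !== '') {
        url.password = 'REDACTED';
        findings.push({ section, name, kind: 'password', host: url.host, redacted: url.href });
      } else if (url.username !== '' && /^https?:$/.test(url.protocol)) {
        // A bare user name over HTTP(S) is often a token used as the user name.
        url.username = 'REDACTED';
        findings.push({ section, name, kind: 'possible-token', host: url.host, redacted: url.href });
      }
    }
  }
  return findings;
}

// Constructed sample: every credential value here is fake.
const SAMPLE = JSON.stringify({
  dependencies: {
    'another-dependency': 'git+https://builduser:app-password-123@bitbucket.org/xxx/repo.git',
    'my-private-github-repo': 'git+ssh://git@github.com:company-name/my-private-github-repo.git',
    mylib: 'github:orgname/mylib',
    express: '^4.18.0',
  },
  devDependencies: { tooling: 'https://FAKE_TOKEN@github.com/orgname/tooling.git' },
});

console.log(findEmbeddedCredentials(SAMPLE));
```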

How to publish npm package with auth token? Error 401 - Unauthorised. You must be logged

Something weird is going on when I try to publish my package on npm without login by auth token.
I've set the export NPM_TOKEN="..." variable inside my ~/.bash_profile and ~/.bash_aliases files.
Also, I've set an npm config set '//registry.npmjs.org/:_authToken' "${NPM_TOKEN}" command from my CLI.
Despite this, every time I wanna publish my package I receive an error:
npm ERR! 401 Unauthorized - PUT https://registry.npmjs.org/ics - You must be logged in to publish packages.
Perhaps someone knows how to publish packages via npm auth tokens? Well, if I made a login via username & password all is going well. Btw I don't need to be logged in case I want to publish some package via auth token right? It's how most of CI/CD works nowadays.
NPM Token is valid. Generated in "Read & Publish" mode and set locally just several minutes ago.
Thanks in advance.

Scoped NPM for private repository converts slash "/" to "%2F"

I would like to fetch private npm from private repository using scopes.
I have set the .npmrc as such.
registry=https://registry.npmjs.org/
@myco:registry=https://nexus.myco.com/nexus/repository/
I have set the .yarnrc as such.
registry "https://registry.npmjs.org/"
"@myco:registry" "https://nexus.myco.com/nexus/repository/"
But when I do:
yarn --verbose add @myco/some-private-npm
It throws this error:
verbose 0.708 Performing "GET" request to "https://nexus.myco.com/nexus/repository/@myco%2fsome-private-npm".
verbose 0.792 Request "https://nexus.myco.com/nexus/repository/@myco%2fsome-private-npm" finished with status code 404.
When I do:
yarn --verbose add @myco:some-private-npm
It goes to this 400 url (Nexus: Invalid repository path):
verbose 0.957 Request "https://nexus.myco.com/nexus/repository/@myco:some-private-npm" finished with status code 400.
The actual npm is located at:
https://nexus.myco.com/nexus/repository/myco/some-private-npm
How do I make sure the url fetched does not have "@" and "%2f" is a "/"?
Thanks!
Per this github issue for yarn, try adding similar config to your .yarnrc:
registry "https://registry.npmjs.org/"
"@myco:registry" "https://nexus.myco.com/nexus/repository/"
Failing that, I recommend perusing the linked issue and trying the solutions provided.
I ran into exactly the same issue some time ago.
Check at NPM whether your repository team access level is read/write.
On my side, the team I was in had only read access level. Switching solved the issue.
Another possible scenario is that the slash encoding isn't really the problem. You simply do not have access to that specific repository.
That would explain the 404, since if you don't have access, for security reasons, it's as if it doesn't exist, you don't get a 401.
I found this page when also trying to run npm publish of a .tgz file in Github Actions, and getting the following (replaced scope and package):
npm ERR! 404 Not Found - PUT https://registry.npmjs.org/@SCOPE%2fPACKAGE - Not found
npm ERR! 404
npm ERR! 404 '@SCOPE/PACKAGE@0.0.5' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
This package IS published so I thought the %2f was causing the issue. I was using NPM_TOKEN as an environment variable as well, as per npmjs documentation.
Solution:
- name: Setup Node.js environment
  uses: actions/setup-node@v2.1.2
  with:
    node-version: '12'
    registry-url: 'https://registry.npmjs.org'
- name: Publish to npmjs
  run: |
    npm install
    npm run pack
    npm publish <package tgz> --access public
  env:
    NPM_TOKEN: ${{ secrets.NPM_APIKEY }}
    NODE_AUTH_TOKEN: ${{ secrets.NPM_APIKEY }}
via Github Documentation.
NOTE: I'm not sure NPM_TOKEN is still required here.
Make sure .yarnrc actually contains
registry "https://registry.npmjs.org/"
and not
registry "registry.npmjs.org"
That'll give the same error.
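The request URLs quoted in this thread can be reproduced from the configuration alone, which helps separate a routing mistake (wrong or scheme-less registry value) from an access problem. This is an added example, not code from the original posts or from npm or yarn; it reads both the .npmrc and yarn v1 .yarnrc syntax shown above, and the fallback to the public npm registry is an assumption of the sketch.

```javascript
// Parse ".npmrc" (key=value) and yarn v1 ".yarnrc" (key "value") lines into one map.
function parseRc(text) {
  const cfg = {};
  for (const line of text.split(/\r?\n/)) {
    if (/^\s*([#;]|$)/.test(line)) continue; // comment or blank line
    const m = /^\s*"?([^"\s=]+)"?\s*[=\s]\s*"?([^"]*?)"?\s*$/.exec(line);
    if (m) cfg[m[1]] = m[2];
  }
  return cfg;
}

// Work out which registry a package name is routed to and the metadata URL requested.
function resolveRequest(rcText, pkgName) {
  const cfg = parseRc(rcText);
  const scope = pkgName.startsWith('@') ? pkgName.split('/')[0] : null;
  // Assumption: fall back to npm's public registry when nothing is configured.
  const registry =
    (scope && cfg[`${scope}:registry`]) || cfg.registry || 'https://registry.npmjs.org/';
  const problems = [];
  if (!/^https?:\/\//.test(registry)) problems.push('registry value has no scheme');
  const base = registry.endsWith('/') ? registry : registry + '/';
  // The "@" stays and the slash of a scoped name is sent as "%2f"; that is normal.
  const url = base + pkgName.replace('/', '%2f');
  // Token entries are keyed by the registry URL without its scheme.
  const tokenKey = base.replace(/^https?:/, '') + ':_authToken';
  return { registry: base, url, hasToken: tokenKey in cfg, problems };
}

// Constructed inputs based on the configuration quoted in the question.
const NPMRC = [
  'registry=https://registry.npmjs.org/',
  '@myco:registry=https://nexus.myco.com/nexus/repository/',
].join('\n');
const YARNRC = [
  'registry "https://registry.npmjs.org/"',
  '"@myco:registry" "https://nexus.myco.com/nexus/repository/"',
].join('\n');

console.log(resolveRequest(NPMRC, '@myco/some-private-npm'));
console.log(resolveRequest(YARNRC, '@myco/some-private-npm'));
console.log(resolveRequest('registry "registry.npmjs.org"', 'left-pad'));
```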
