I am using GitHub packages to publish my private NPM packages. I need to download the published package of specific version for carrying out automation work. How can I download the package as a zip bundle using GitHub REST API or equivalent? Additionally, since it is a private package, it needs to be authenticated.
I know that equivalent functionality exists but it works for GitHub releases and assets. I could not find anything yet for GitHub packages!
After a few days of intermittent research regarding this question, here is what I have found. There seem to be two methods of retrieving and/or consuming privately published NPM packages from the GitHub Package Registry. And neither of them is an exact match to your desired method, so, here goes...
OPTION 1.
You can consume the npm package directly within your application provided you have a locally configured .nprmc file on your machine in your user directory (check first #~/.npmrc),
AND
you have created a GitHub personal access token with the following scopes.
repo: full (this is how you will be authenticated.)
workflow
write: packages
adminOrg: read
user: email
NOTE: You may not require all of these, but these are the permissions I used and had no issues. Once you generate the token, create or add it to your .npmrc file like so, replacing TOKEN with the actual token value.
//npm.pkg.github.com/:_authToken=TOKEN
Be sure you additionally add the following snippet into the project or container itself within another .npmrc file in the root directory of the codebase.
#YOUR_GITHUB_USERNAME:registry=https://npm.pkg.github.com
OPTION 2:
You can connect your package to a private GitHub repository, which will allow you to access the tar.gz artifact for each version of your package and directly download it to your local machine from the web.
github.com > Your profile > Packages > Connect repository > Select and link.
REFERENCE: How to publish packages to the GitHub Package Registry
Related
I am using a sigmajs library for creating node based graph visualisations. But the library package had a few bugs, so I modified a few files in the source code of the library and fixed them.
I have hosted my graphs on django server, and whenever I host it, the sigma package in the package.json gets loaded dynamically each time. The static library files on my machine which I had modified and fixed bugs don't get loaded. So,I get the same old package and not the modified one.
How do I access the modified library package dynamically when I host the server.
My advice is that of copying your fixed version of the library on server and install it from local path instead of remote npm repository like this:
npm install --save /path/to/fixed/lib/dir/in/server.
See this answer: npm local install
Pay attention that your fixed lib won't be sync with official one.
I don't know how you modify the library but i suggest to fork the official repository and syncronize your local one with remote one as for example explaind here sync forked repo github.
In this way you can sync to official repo while you mantain your fix and you will install your modified local one. Eventually consider to open issues and PR on sigmajs official repo to apply your fix directly to official library. If they will be accepted you can then install directly official version.
After a lot of trial and error I eventually got my NuGet package on the Github package registry with the following actions/commands:
Go to GitHub
Click your avatar (top-right) → Settings → Developer settings → Personal access tokens
Generate a token with following scopes: write:packages, read:packages, delete:packages
This will automatically check the repo scope for your OAuth token
Open cmd
Navigate to your project directory or the directory containing your NuGet package
Add a new nuget source
dotnet nuget add source --username [GithubUserName] --password [YourApiKey] --name github https://nuget.pkg.github.com/[UsernameOrOrganizationName]/index.json
Push the package to the github source
dotnet nuget push --source github bin\Release\MyAwesomePackage.1.0.0.nupkg
I can see my NuGet package on GitHub, so now I want to install it.
I created a new project → Manage NuGet packages → Settings
Add package source:
Name: whatever
Source: https://nuget.pkg.github.com/[UsernameOrOrganizationname]/index.json
Now I should be able to install my package. But when I select my source and browse for packages, a GitHub login window pops up. And even when I login with my user account credentials, I still can't access my packages (pushed to an organization Github). Now when I use the NuGet package manager for my custom package source I always get the following error in the Output Window:
[source-name] Failed to retrieve metadata from source 'https://nuget.pkg.github.com/[UsernameOrOrganizationname]/query?q=&skip=0&take=26&prerelease=true&semVerLevel=2.0.0'.
Response status code does not indicate success: 401 (Unauthorized).
The packages pushed to the GitHub registry should be public, and even with my user account I can't access them for installation. However they appear on my organization's GitHub page.
Also the other users shouldn't have to add my personal GitHub package source, but rather the package should appear in some global GitHub feed inside the package manager, not?
What am I doing wrong?
It appears that righg now it's not yet possible: https://github.community/t/download-from-github-package-registry-without-authentication/14407/39
First, make sure that your credential info is correct on the nuget.config file.
If you want to config this github package source for all the projects on your PC, you should config it on the global nuget.config file.
please add your content of the file into C:\Users\xxx(current user)\AppData\Roaming\NuGet\NuGet.Config.
restart VS Instance or restart PC to enable this new nuget.config file. It is designed by that.
I'm not able to install packages from npm, since I have placed a .npmrc file for install a private library.
This library is hosted by azure work space.
So i just placed the new config file to install. And it works fine in localhost.
How can i keep 2 registry in nprmc file, one for private and another one of npm registry?
error 404 Not Found - GET https://registry.npmjs.org/mm-core - Not found
mm-core is my private library hosted in azure, without my .npmrc file i receive this error.
With .npmrc file npm packages can't be installed.
any help?
It actually should work if you follow the official documents correctly. And we don't need to keep 2 registry in nprmc file, one for private and another one of npm registry.
Solution:
Keep the .npmrc file which presents the azure devops artifacts feed. And sign-in the azure devops web portal to configure the feed settings:
In feed settings, go Upstream sources and make sure you have npmjs as Upstream source. If it not exists, click the Add upstream source to add npmjs.
Then you only need to hold one registry for private library. If the package is not found in your private feed, since we've configured npmjs as upstream source, it will fetch the missing package there automatically!
More details about magic upstream source please refer to this document.
I'm trying to deploy a microservice to GCF, which has a dependency of a private GitHub-hosted package. To gain access to the package, I added a .npmrc file to the function as described here, the file looks like this:
registry=https://npm.pkg.github.com/OWNER
//npm.pkg.github.com/:_authToken=PERSONAL-ACCESS-TOKEN
Also tried using a NPM_TOKEN env variable in the Cloud Function
NPM_TOKEN=PERSONAL-ACCESS-TOKEN
Both result in the following error:
OperationError: code=3, message=Build failed: { error: { canonicalCode: "INVALID_ARGUMENT" }}
npm ERR! 404 Not Found: #packagescope/packagename
Installing locally works fine, so does deploying on Zeit Now.
I just ran into this problem so I'm sharing the fix that works with node v8 and v10 Cloud Functions.
The following is required to use the .npmrc to install packages from a private Github packages registry:
The .npmrc needs to be located in the functions folder at the same level as the package.json file
A registry entry for the your account/org scope is required, including the url like so, assuming Anchorman uses Github: #ronburgundy:registry=https://npm.pkg.github.com/ronburgundy
A Github personal access token is required for authentication, like so //npm.pkg.github.com/:_authToken=ronburgundypersonalaccesstoken
Assuming you follow best practice and do not commit the .npmrc with secrets you will need to ensure that the file is transformed to include the personal access token prior to deploying via firebase cli, as there's no other way to inject the value at runtime.
So the original example would work if it looked like this:
#OWNER:registry=https://npm.pkg.github.com/OWNER
//npm.pkg.github.com/:_authToken=PERSONAL-ACCESS-TOKEN
While Github's docs seem to suggest that you should redirect ALL scoped and unscoped package installs to their registry it appears that Google Cloud Functions does not allow us to redirect all package installs to a private registry, only those that we configure based on scope.
In my nodejs project I had to modify 4 of the node modules and upload them to our private corporate registry so the project will download the modified versions during builds. I did this by changing the resolved field in package-lock.json for each dependency from our virtual npm registry which forwards downloads to the public npm registry to our private registry.
This is working for 3 out of the 4 modules, however 1 module, phantomjs-prebuilt, will not download the one I uploaded. When I view its package.json after installing, its _resolved field shows the correct private registry I entered in package-lock.json, but the module doesn't have my modifications.
If I create a test project with a package.json that has phantomjs-prebuilt as its only dependency and modify the lock file to download from the private registry it will download the correct modified version I uploaded. I'm assuming there must be some transitive dependency overriding it, but I thought I would be able to see that from the lock file and override it. phantomjs-prebuilt only appears once in my lock file and that's where I'm making the change to the resolved field.
I had a similar issue myself, recently. This may not help you in particular if releasing as a different version is not an option, but maybe others who stumble across this answer like I did.
What I did was to release a forked version of a package, under a new version.
So, I forked moddle-xml 10.0.0, and released a package 10.0.1337 into our private registry in Artifactory.
That way, I could replace the transitive package dependencies of a package that we used with the forked version 10.0.1337 (using npm-force-resolutions), not breaking any constraints like ^10.0.0.
EDIT: If you want to replace a particular outside version, I think you can work with exclusion / inclusion filters.
The Artifactory-based registry would then offer a single virtual registry containing both the npm-local packages (including my fork) and npm-remote packages (the normal stuff from the default registry) setup guide.
I would configure my local setup to only download from that virtual registry.
The Artifactory setup comes with a few pitfalls (like, you have to give read permissions to all physical repositories (npm-local AND npm-remote), not just the virtual one, and this one), but it works fine for me now.
(I'm sure something like this is possible with other than the Artifactory implementation, this particular thing is just the stuff I know)