
Retrieve a Github Registry npm package from a Github Action

I have successfully deployed @myorganization/my-super-lib as a GH npm package. Now I would like to use it in another GH project.

This is a private lib, and a private project (important to remember, as the point is moot with public ones).

Locally, no problem, just add the correct authtoken config with my personal token in my npm config.

Now, when using Github Actions, I am not sure what the elegant solution would be for a token to access the library package. The documentation says to use a personal one, but what if I leave the org? I could also use a dedicated technical account just for that, but that doesn't seem like the "right" solution.

Has anyone got a better idea?

Edit after comments: At first I thought that I could simply use the GITHUB_TOKEN, but it is restricted to access only the current repository, and this is logical from a security perspective after thinking about it.

Romain Prévost asked Nov 30 '25 07:11


1 Answer

There is currently no better option than using a personal access token, i.e.:

  • Create a personal read:packages access token from an account that has read access
  • Insert that token as a "Secret" in the repository (where you execute the Github Actions)
  • Access the token via the Secrets in the Github Actions Workflow to authenticate and install the dependency stored in the Github Registry

hb0 answered Dec 03 '25 07:12
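
A workflow that follows the three steps in the answer above, shown as an added example that is not part of the original answer. The secret name `PACKAGES_READ_TOKEN`, the trigger branch and the Node version are assumptions; the scope is the one from the question.

```yaml
# Added example, not from the original post.
name: ci
on:
  push:
    branches: [main]            # assumption: build on pushes to main

# The automatic GITHUB_TOKEN is not used for the registry here,
# so keep it at the minimum needed to check out the code.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # setup-node writes an .npmrc that maps the scope to the GitHub
      # registry and reads the credential from NODE_AUTH_TOKEN at install time.
      - uses: actions/setup-node@v4
        with:
          node-version: 20      # assumption
          registry-url: https://npm.pkg.github.com
          scope: '@myorganization'

      # The token is a personal access token limited to read:packages,
      # stored as a repository secret (hypothetical name below).
      # It is set only on the install step, so later steps do not see it.
      - run: npm ci
        env:
          NODE_AUTH_TOKEN: ${{ secrets.PACKAGES_READ_TOKEN }}
```

Repository secrets are not passed to workflows triggered by pull requests from forks, so the install step fails there instead of exposing the token.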


