Skip to content
goodguydaniel.com

How to Fix GitHub Actions: Support for password authentication was removed

Linking private repos as npm dependencies the proper way

Ops1 min read

Today the GitHub PAT (personal access token) expired in one of my projects, I literally waked up to this:

1npm ERR! code 128
2npm ERR! An unknown git error occurred
3npm ERR! command git --no-replace-objects ls-remote https://***@github.com/org/my-dep.git
4npm ERR! remote: Support for password authentication was removed on August 13, 2021.
5npm ERR! remote: Please see https://docs.github.com/en/get-started/getting-started-with-git/about-remote-repositories#cloning-with-https-urls for information on currently recommended modes of authentication.
6npm ERR! fatal: Authentication failed for 'https://github.com/org/my-dep.git/'
7
8npm ERR! A complete log of this run can be found in:
9npm ERR! /home/runner/.npm/_logs/2022-08-01T16_02_11_768Z-debug-0.log
10Error: Process completed with exit code 128.


(╯°□°)╯︵ ┻━┻

It happens that GitHub droped the support to pass along the password to auth on private repos, which is part of my workflow, because I link npm dependencies with git+https schema, in my package.json.

1// package.json
2"dependencies": {
3 // ...
4 "my-dep": "git+https://<PAT_TOKEN_GOES_HERE>@github.com/org/my-dep.git#3b3b3371d24b31d18bfef6296635df37f7131925",
5 // ...

💡 #3b3b3371d24b31d18bfef6296635df37f7131925 targets a specific commit.

Well for some reason this was not working anymore, that's somewhat good, because I had my PAT hardcoded right there 🤠

Let's fix it!

The proper way to this, which also addresses the issue I've posted initially, is the following.

  1. First create a new PAT - ideally with minimum amount of scopes.
  2. Now you have your PAT you'll have to make it accessible to whatever repo where you will use the token in its GitHub action. Add this to the repo secrets.
  3. Great, now my tricky work around. Because I can only install this via GitHub (limited infra available to manage packages), I add my target dependency under optionalDependencies rather than dependencies in the package.json. This means we will use npm install --no-optional in our CI in order to skip the dependency that needs auth to download the package from a private repo.
1"optionalDependencies": {
2 "my-dep": "git+https://github.com/org/my-dep.git#3b3b3371d24b31d18bfef6296635df37f7131925"
3},
  1. Now in your GitHub action add the additional steps.
1- run: npm install --no-optional
2 - run: npm install git+https://$TOKEN@github.com/org/my-dep.git#3b3b3371d24b31d18bfef6296635df37f7131925
3 env:
4 TOKEN: ${{ secrets.MY_PAT_SECRET }}

💡 MY_PAT_SECRET needs to match the secret name you added in GitHub.

Hope this workaround helps you as it helped me!

If you liked this article, consider sharing (tweeting) it to your followers.