pnpm: Not working with github private repo
pnpm version:
v0.67.0
Code to reproduce the issue:
pnpm i with packages.json like:
"dependencies": {
  "@SOME_ORG/SOME_PRIVATE_REPO": "git+https://{token}:x-oauth-basic@github.com/SOME_ORG/SOME_PRIVATE_REPO.git"
}
Expected behavior:
The private repo gets well installed.
Actual behavior:
WARN Error while trying to resolve https://{token}:x-oauth-basic@github.com/SOME_ORG/SOME_PRIVATE_REPO.git via GitHub API
ERROR fetch failed with status code 404
Additional information:
- node -v prints: v7.6.0
- Windows, OS X, or Linux?: OS X
About this issue
- State: closed
- Created 7 years ago
- Reactions: 10
- Comments: 33 (18 by maintainers)
Commits related to this issue
- feat: installation of private git-hosted repos using auth tokens close #755 — committed to pnpm/pnpm by zkochan 4 years ago
- feat: installation of private git-hosted repos using auth tokens close #755 PR #2684 — committed to pnpm/pnpm by zkochan 4 years ago
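The dependency form in the report above places the access token inside package.json, where it is stored with the project. As an added example (not code from the thread or from pnpm), this Node.js check flags dependency specifiers whose URL carries credentials and prints them redacted; `findEmbeddedCredentials`, the sample package object and `EXAMPLE_TOKEN` are constructed for illustration.

```javascript
// Added example: find git dependency specifiers in a package.json object
// that carry credentials in the URL userinfo (scheme://userinfo@host/...).
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// e.g. git+https://TOKEN:x-oauth-basic@github.com/ORG/REPO.git
const USERINFO_RE = /^([a-z][a-z0-9+.-]*:\/\/)([^\/@\s]+)@(.+)$/i;

function findEmbeddedCredentials(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const m = USERINFO_RE.exec(String(spec));
      if (!m) continue;
      const [, scheme, userinfo, rest] = m;
      // git+ssh://git@github.com/... carries a login name only, no secret.
      const isSsh = /ssh/i.test(scheme);
      if (isSsh && !userinfo.includes(":")) continue;
      // Never echo the userinfo itself; report a redacted form.
      findings.push({ field, name, redacted: `${scheme}<redacted>@${rest}` });
    }
  }
  return findings;
}

// Constructed sample input; the token value is a placeholder, not a real secret.
const samplePkg = {
  dependencies: {
    "@SOME_ORG/SOME_PRIVATE_REPO":
      "git+https://EXAMPLE_TOKEN:x-oauth-basic@github.com/SOME_ORG/SOME_PRIVATE_REPO.git",
    "public-dep": "^1.2.3",
  },
  devDependencies: {
    "ssh-dep": "git+ssh://git@github.com/SOME_ORG/OTHER_REPO.git",
    "clean-https": "git+https://github.com/SOME_ORG/THIRD_REPO.git#semver:7.3.0",
  },
};

const findings = findEmbeddedCredentials(samplePkg);
for (const f of findings) console.log(`${f.field}: ${f.name} -> ${f.redacted}`);
```

Run against a real project by passing the parsed package.json object; a non-empty result can fail a pre-commit hook or CI step.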
I’ve found a solution on a comment on an NPM issue which works with PNPM 7.19.0 too. https://github.com/npm/cli/issues/2610#issuecomment-1305018755
In my case I’m using a Codespace which is permitted to access another repo, which works through using Git over HTTPS. https://docs.github.com/en/codespaces/managing-your-codespaces/managing-repository-access-for-your-codespaces
What is the disposition of this issue?
I absolutely love pnpm and use it all the time for personal projects. But I work for an organization that will not permit the use of ssh to access its private repositories on GitHub.
Here’s an example of pnpm failing during installation of a package in a private repo:
The package is included into the devDependencies section of package.json as follows:
To make sure that git always uses https instead of ssh, I have the following in .gitconfig
Thanks very much 3cp, I can confirm that installation works once I have created an SSH key pair on my machine and added the public key to my account on GitHub.
I suggest it is worth tracking HTTPS support for private Github packages in the PNPM feature backlog, for two reasons:
Example 1: I use a cloud-based container (or configurable build service like Netlify, Vercel, etc.) to build and deploy my app, and whilst I can generate a key pair for that container and add it to my GitHub account, the container now has equivalent access as I do, to all my GitHub repos private or public. That’s fine if only I can access the build environment, but what if I need to share access with others?
Example 2: I am working with a customer and recommend them to install a dependency from my private package for their development. They would need to (a) have a github account (b) generate a key pair (c) install that in GitHub (d) be granted access to my repo (e) repeat the above for any of their colleagues, build environments etc.
If I generate a package-reader auth token in my github org I can provide a simple URL for a customer or build environment that provides (revokable) access to private packages, without the need for any other steps.
I recommend PNPM whenever discussing package management, but this is one area where I will have to be careful in setting expectations. Do I recommend PNPM and go through the extra overhead of SSH key management across dev/build environments when working with private repos, or advise to use NPM and stick with HTTPS auth tokens, which is the default recommended approach by GitHub and Netlify?
Anyway I have an approach for now, but I suggest keeping this in the roadmap for the future, and I’d be happy to hear of any other aspects I may not have considered here.
Slightly different.
npm will prompt you the first time you access an https private repo, then it will use the saved login (by some process in Windows/Mac/Linux, should be keychain on Mac) for future access. I don’t remember whether npm skips the prompt in a CI environment.
pnpm behaves more like yarn: it doesn’t prompt for https login at all, it only uses what the OS provides. So you need the OS to save/cache the login first before you attempt an https private repo.
That’s as far as I can remember.
I am able to install from a private repo locally on windows but my CI server (docker/linux) is failing (npm works in both environments).
pnpm -v 3.8.1
Here’s the package.json dependency declaration
"<pkgName>": "git+https://github.com/<orgName>/<repoName>.git#semver:7.3.0",
Here’s the error I’m currently seeing
I don’t have a private repo or an easy way to create a reproducible test environment but I’m hoping the logs above help.
For now I’ll have to use npm for CI builds but I’m happy that I can use pnpm locally to save some disc-space ♥
the good news is that if I remove that block in gitconfig, pnpm i works. I need to see what other things stop working 😃
@mvayngrib I got no problem
The way you do git clone is using https authentication, not ssh + public key. There are two ways to access github repo
- git clone https://...
  you will be asked for login username/passwd for first time, but git can use saved login info if you setup git properly.
- git clone git@github.com:mvayngrib/pnpmtest.git
  this is using ssh protocol where public key can be used. This is the recommended way to access github. https://help.github.com/articles/connecting-to-github-with-ssh/
The pnpm git-resolver supports both saved https login and ssh public key. I am guessing something messed up with your saved https login.
If every time you were asked to key in username/passwd when you do git clone https://, you DO NOT have a saved login.
Anyway, recommend you to follow the article to setup ssh public key for your github account. Using ssh is much smoother user experience than using https.