#private github packages all of a sudden not installing with known working github access token

I have known working github packages token getting 403, was working yesterday, tried with fresh token.

Confirmed working with curl -H "Authorization: Bearer ghp_xxxxx" \

"https://npm.pkg.github.com/@redacted" locally, but when installing I get this error:

ERR_PNPM_FETCH_403  GET https://npm.pkg.github.com/download/@redacted: Forbidden - 403

An authorization header was used: Bearer ghp_[hidden]

These authorization settings were found:

@jsr:registry=https://npm.jsr.io/

@redacted:registry=https://npm.pkg.github.com

//npm.pkg.github.com/:authToken=ghp[hidden]

Is there some work around for this?

this guy should get banned from station threads, he's trying to cherry pick github issues to farm bounties.

he responded within only 2 minutes of the thread being auto toggled to public.

Link?

https://station.railway.com/questions/private-github-packages-all-of-a-sudden-b65248d3

I do seriously need to figure out a work around for this issue though

Just to confirm it, it works locally but stopped working on Railway since yesterday?

Correct.

The direct curl from local with the same Bearer railway is using works, but the installation fails here in railway all of a sudden.

I even tried temporarily subbing in a token with higher access scope, no dice.

I have a root .npmrc that is being fed by the services env variables

Haven’t had any issues until now, no major changes to the package / org permissions upstream.

Hmm maybe I can try changing the region of the service for now? Giving it a shot.

@dry pine no luck in changing regions

Can you create a new private repository and deploy it with this Dockerfile being the only thing in the said repo?

FROM alpine:latest

RUN apk add --no-cache curl

RUN curl -fsS -o /dev/null -L \
    -H "Authorization: Bearer ..." \
    -w "HTTP Status: %{http_code}\n" \
    https://example.com

CMD ["echo", "done"]

Insert additional headers and authorization headers as needed, also replace the URL with the actual one as opposed to example.com.

sure

This should log the http status in your build logs.

interesting, it responded 200 there.

did something change with pre install env injections?

well no, it looks like it is working properly:

⁨⁨```
An authorization header was used: Bearer ghp[hidden]

These authorization settings were found:
@jsr:registry=https://npm.jsr.io/
@opengameprotocol:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:authToken=ghp[hidden]⁩

this is the shape of my .npmrc:

⁨⁩@opengameprotocol:registry=https://npm.pkg.github.com //npm.pkg.github.com/:_authToken=${GITHUB_PACKAGES_TOKEN} always-auth=true⁩

GITHUB_PACKAGES_TOKEN is in the services env variables

Hmm, I wonder if the metal build environment has anything to do with this, can you check if the affected service has it enabled/disabled (it can be found in the service's settings)?

ah sorry i edited it to make sure you didn't think it actually logged redacted and it mogged the code block lol

yeah i tried flipping that on and off

https://railway.com/project/9cdc7e24-3c32-476b-8599-8003e56a8b36/service/fef160dd-29e1-47d9-aad4-603a39b42a8d?environmentId=e1a4f971-8928-4816-87e2-0c029b38495f&id=8febea4a-90ca-475a-af03-f6aa53aa874e#build

i have a build running now

ah, okay sorry for wasting your guys time...

I think I found the issue, the metadata endpoint works but the download is blocked by billing on our end

my bad

No worries, glad you figured it out