Question

Install package from private GitHub repository with yarn - App Platform static site build fails - permission denied

Posted March 12, 2021 832 views
GitDeploymentDigitalOcean App PlatformNext.js

Hi, my site has a dependency which is a private GitHub repository like this:

In package.json:
...
"dependencies": {
  "library": "myusername/library",
  ...
},
...

I’ve authorized Digital Ocean to access all my repositories but during the build, the library package cannot be retrieved, erroring with:

git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights

What I’ve tried:


What is the correct way of adding this library package dependency such that it can be fetched during build?

I’d really appreciate any help.

Thank!

1 comment
  • The only way I found that works for private GitHub repositories is using the GitHub personal access token like this:

    In package.json:
    ...
    "dependencies": {
      "library": "https://TOKEN@github.com/myusername/library.git",
      ...
    },
    ...
    
    

    I’d really like to avoid having to keep the token directly within the package.json though.

    Thanks in advance!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
2 answers

👋🏼 @dwf

I also did some googling and couldn’t find anything. Although I did find this workaround—check it out: https://stackoverflow.com/a/56639755. It will let you store your GitHub access token in an environment variable.

Another option might be to mirror the packages to a private npm registry, and use yarnrc to read the credentials from an env var: https://yarnpkg.com/configuration/yarnrc

  • Thanks for the tip @kamaln7 - it’s a handy workaround.

    It would still be great if the docs could be clearer and I’d love to not have to specify the token explicitly. After all, the build already has a token since it pulls code from the repo.