In this article, we’ll outline the process of proxying a private GitHub registry in Artifactory, as well as resolving an example private package through Artifactory.
To demonstrate this, we’ll start by pushing a private NPM package to our sample private GitHub registry. For detailed instructions, please refer to the GitHub documentation.
After that, in Artifactory, we should set up the remote NPM repository to point to the following URL:
https://npm.pkg.github.com
Now, let’s configure the remote repository authentication. As stated in the GitHub documentation, you may use a personal access token (PAT) to authenticate to GitHub Packages or the GitHub API. As a result, you'll need to configure the remote repository with the user name and password fields that correspond to your GitHub username and PAT, respectively.
In addition, please note that HEAD requests are disallowed to the https://npm.pkg.github.com endpoint and therefore rejected, even though downloading the artifact is allowed. Hence, make sure that the Bypass HEAD Requests checkbox is enabled for the remote NPM GitHub repository under the Advanced settings tab. When the Bypass HEAD Requests checkbox is enabled (as seen in the screenshot below), Artifactory will bypass the HEAD request and cache the artifact directly using a GET request.
Following this, we will configure our NPM client to work against our NPM virtual repository that includes the above remote repository. To do this, we will add the following to the ".npmrc" file (you may use the Set Me Up UI feature to generate the ".npmrc" configuration):
@jfrog-fadir:registry=http://JFROG_URL/artifactory/api/npm/gh-private-npm/
//JFROG_URL/artifactory/api/npm/gh-private-npm/:_password=XXXXXXXX
//JFROG_URL/artifactory/api/npm/gh-private-npm/:username=admin
//JFROG_URL/artifactory/api/npm/gh-private-npm/:email=youremail@email.com
//JFROG_URL/artifactory/api/npm/gh-private-npm/:always-auth=true
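An added check for the ".npmrc" above (example code written for this page, not part of the original article or of JFrog's tooling): it flags a registry that receives credentials over plain HTTP and secrets stored as literals instead of npm's ${VAR} environment references. The function name, finding labels and the ARTIFACTORY_NPM_PASSWORD variable are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the article's .npmrc with its placeholder host and secret.
SAMPLE_NPMRC = """\
@jfrog-fadir:registry=http://JFROG_URL/artifactory/api/npm/gh-private-npm/
//JFROG_URL/artifactory/api/npm/gh-private-npm/:_password=XXXXXXXX
//JFROG_URL/artifactory/api/npm/gh-private-npm/:username=admin
//JFROG_URL/artifactory/api/npm/gh-private-npm/:email=youremail@email.com
//JFROG_URL/artifactory/api/npm/gh-private-npm/:always-auth=true
"""
# Same file over TLS, secret taken from a hypothetical environment variable.
HARDENED_NPMRC = SAMPLE_NPMRC.replace("http://", "https://").replace(
    "=XXXXXXXX", "=${ARTIFACTORY_NPM_PASSWORD}")

SECRET_KEYS = {"_password", "_auth", "_authToken"}
ENV_REF = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}")

def audit_npmrc(text):
    """Return sorted (finding, subject) tuples for the body of an .npmrc."""
    registries, creds = {}, {}  # scope -> URL; "//host/path/" -> {key: value}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key == "registry" or key.endswith(":registry"):
            registries[key.rpartition(":")[0] or "default"] = value
        elif key.startswith("//"):
            prefix, _, name = key.rpartition(":")
            creds.setdefault(prefix, {})[name] = value
    findings = set()
    for scope, url in registries.items():
        parsed = urlparse(url)
        # npm looks up credentials by the registry URL without its scheme.
        prefix = "//" + parsed.netloc + parsed.path.rstrip("/") + "/"
        if parsed.scheme != "https" and SECRET_KEYS & creds.get(prefix, {}).keys():
            findings.add(("plaintext-transport", scope))
    for prefix, settings in creds.items():
        for name in SECRET_KEYS & settings.keys():
            if not ENV_REF.fullmatch(settings[name]):
                findings.add(("literal-secret", prefix + ":" + name))
    return sorted(findings)

if __name__ == "__main__":
    for label, body in (("article", SAMPLE_NPMRC), ("hardened", HARDENED_NPMRC)):
        print(label, audit_npmrc(body))
```

The environment variable in the hardened variant has to hold the value in the same encoding that the "_password" field expects.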
Finally, we can test the configuration by installing the package we published in the initial step:
npm install @jfrog-fadir/github-npm-private
added 2 packages, and audited 3 packages in 2s
found 0 vulnerabilities
Please note that the remote repository in Artifactory, viewed through the Artifacts Browser, will appear empty because the private GitHub registry does not support the browsing feature. However, this is expected, and you should still be able to pull packages successfully without any issues.