error creating package in github npm registry

[yoanne2x]

I seem to no longer being able to create npm package in the GitHub npm registry of a private repo:

npm notice Publishing to https://npm.pkg.github.com/
npm ERR! code E403
npm ERR! 403 403 Forbidden - PUT https://npm.pkg.github.com/@my-company%2ftest-publish-pkg - Permission permission_denied: create_package
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy, or
npm ERR! 403 on a server you do not have access to.

oddly, the previously created packages can be updated, I just cannot seem to be able to create new ones.

[eodabashian]

We seem to be running into this issue as well: when authenticated with a PAT with write:packages permission I can't create a new package in our private repo (fails with the exact error posted by OP above).

EDIT: I seem to have posted this as an "answer" not a reply, that was not intended! 😄

[yoanne2x]

Yep, my workaround was to publish first through gh workflow using GitHub token and elevated permissions. Once published I no longer had issues with the upload download.

Weird and obscure as I do not know why it caused this, and the 403 error isn't really helpful.

[eodabashian]

Hmm I just tried publishing the package from a GH workflow with GITHUB_TOKEN and that succeeded, but then when I try to publish a new version of the package manually with a normal PAT, I get the same permission_denied error.

[yoanne2x]

But can you download the dependency? Maybe it can only be published from workflow when in an org...

[yoanne2x]

Can you download it though? Perhaps publishing only form GH workflow… Not ideal

…

On 18 Oct 2022, at 22:28, Evan Odabashian ***@***.***> wrote:  Hmm I just tried publishing the package from a GH workflow with GITHUB_TOKEN and that succeeded, but then when I try to publish a new version of the package manually with a normal PAT, I get the same permission_denied error. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.

[langri-sha]

The error before was pretty uninformative HTTP 404, at least things are better now to explain it's a permission error.

Still not sure what kind of scope for a classic PAT one needs to have to be able to publish and how to work around this. I guess someone can use another registry, e.g. https://cloud.google.com/artifact-registry, until this is fixed 🤷.

[AfzalSabbir]

Here it has been explained:
https://stackoverflow.com/questions/74552108/can-a-github-collaborator-create-package-in-github-package-registry#:~:text=I%20was%20facing,for%20my%20case)

[AfzalSabbir]

Same here: https://stackoverflow.com/questions/74552108/can-a-github-collaborator-create-package-in-github-package-registry