Skip to content
Latchkey

How to Publish an Internal Package Consumed by Other Repos

Publishing shared code as an internal package to GitHub Packages lets other repos depend on a pinned version instead of duplicating source.

On release, publish the package to GitHub Packages scoped to your org. Consuming repos add a scoped registry line to .npmrc and install it with a token that can read packages.

Steps

  • Set the package name to your org scope and publishConfig.registry to GitHub Packages.
  • Publish on tag push with the built-in token and packages: write.
  • In consumers, point the scope at the registry and authenticate.

Publish workflow

.github/workflows/publish.yml
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  packages: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          registry-url: https://npm.pkg.github.com
      - run: npm ci && npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Consumer .npmrc

.npmrc
@my-org:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}

Gotchas

  • Consumers need a token with read:packages to install a private org package.
  • Bump the package version on every publish; GitHub Packages rejects re-publishing the same version.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →