cargo "no token found ... please run cargo login" (private registry) in CI
cargo needs a token to read from a private registry or to publish, and none is configured on the runner. Either the registry credential was never injected, or it lacks the scope for the operation.
What this error means
cargo build, publish, or fetch fails with "error: no token found for X, please run cargo login", or with a 401/403 from the private registry.
error: failed to publish to registry at https://registry.internal.example.com
Caused by:
no token found for `internal`, please run `cargo login --registry internal`
or use environment variable CARGO_REGISTRIES_INTERNAL_TOKENCommon causes
No registry token injected into the job
The private registry credential was never exposed to the step, so cargo has nothing to authenticate with.
A token without the needed scope
A token configured for read may lack publish rights (or vice versa), producing a 401/403 on the operation.
How to fix it
Inject the token via the registry env var
cargo reads CARGO_REGISTRIES_<NAME>_TOKEN from the environment, so set it from a secret.
env:
CARGO_REGISTRIES_INTERNAL_TOKEN: ${{ secrets.CARGO_INTERNAL_TOKEN }}Verify scope for a 401/403
A persistent 401/403 is not fixed by retrying; confirm the token belongs to a principal allowed to read or publish to that registry.
cargo publish --registry internal --dry-runHow to prevent it
- Keep registry tokens in CI secrets, never committed.
- Use
CARGO_REGISTRIES_<NAME>_TOKENrather thancargo loginfiles in CI. - Grant least-privilege scope (read vs publish) per token.