Background
Hi, I have a organization with many projects in Azure Devops. One of the project created a organization-scoped feed and built some pipelines do NPM publish to the feed. We can see the packages appear in the feed now. We then follow the instruction in "Connect to feed" to restore package.
.npmrc file
registry=https://pkgs.dev.azure.com/<yourOrganization>/_packaging/<yourFeed>/npm/registry/
always-auth=true
; begin auth token
//pkgs.dev.azure.com/<yourOrganization>/_packaging/<yourFeed>/npm/registry/:username=[ANY_VALUE_BUT_NOT_AN_EMPTY_STRING]
//pkgs.dev.azure.com/<yourOrganization>/_packaging/<yourFeed>/npm/registry/:_password=[BASE64_ENCODED_PERSONAL_ACCESS_TOKEN]
//pkgs.dev.azure.com/<yourOrganization>/_packaging/<yourFeed>/npm/registry/:email=npm requires email to be set but doesn't use the value
//pkgs.dev.azure.com/<yourOrganization>/_packaging/<yourFeed>/npm/:username=[ANY_VALUE_BUT_NOT_AN_EMPTY_STRING]
//pkgs.dev.azure.com/<yourOrganization>/_packaging/<yourFeed>/npm/:_password=[BASE64_ENCODED_PERSONAL_ACCESS_TOKEN]
//pkgs.dev.azure.com/<yourOrganization>/_packaging/<yourFeed>/npm/:email=npm requires email to be set but doesn't use the value
; end auth token
Problem
I as a project administrator can successfully restore package(npm install). However, some users cannot restore and show up "401 unauthorized" after entering command. I have checked the view setting and the .npmrc file as well as PAT with a narrow scope of Packaging (read and write).
I have also checked Manage packages with feed permissions. It said List, install, and restore packages only require "Reader" permission. I added the user into the Reader Group in Project level and Reader Group in Feed Setting.
What Could be Missing?
Update To share my pipeline detail:
trigger:
- main
pool:
vmImage: 'ubuntu-latest'
steps:
- task: NodeTool@0
inputs:
versionSpec: "10.x"
displayName: "Install Node.js"
- task: Npm@1
inputs:
command: "install"
workingDir: <Dir>
- task: Npm@1
inputs:
command: "publish"
workingDir: <Dir>
publishRegistry: "useFeed"
publishFeed: <Feed>
vsts-npm-auth -F -C .npmrc
to refresh the token and then kindly share the result here. – Vito LiuAllow project-scoped builds
then try it again. Since you are using the package in the pipeline, it will install the package via service account instead of user account. Also you could check this then kindly share the result here. – Vito Liu