Classic token sunset | How to pull private npm packages from ghcr.io

[thomaslagies]

Select Topic Area

Question

Body

With the upcoming sunset of classic tokens I am curious how to make fine grained tokens work.
I tried almost every permission but fail to pull npm packages from ghcr.io in my own organization.
The gh cli is working fine with them.
npm install is not. I switched the token in the .npmrc from the classic token to the new fine grained token

https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/#looking-ahead-trusted-publishers

This also does not work for docker images, so I guess it is a packages "issue" with these kind of tokens.

[wanbs14]

Fine-grained personal access tokens (PATs) can be used for npm and Docker (ghcr.io), but there are a few key details that often trip people up:

1. Permissions

For npm packages:

The token needs read packages permission for the repository that contains the package.

If the repository is private, you also need repository access for that repository.

Double-check that the token has the correct scopes for Actions if your install runs in a workflow.

For Docker images:

The token needs read:packages to pull and write:packages to push.

Repository access is required for private images.

2. Correct Authentication

For npm, your .npmrc should look like:

@your-org:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=YOUR_FINE_GRAINED_TOKEN

For Docker:

echo $TOKEN | docker login ghcr.io -u USERNAME --password-stdin

Even if the token works in the gh CLI, npm and Docker enforce the fine-grained permissions separately, so a mismatch can prevent installs or pulls.

3. Common Pitfalls

Using a token without proper repository access. Fine-grained tokens are repository-specific.

Old credentials cached in ~/.npmrc or Docker config. Clear them before testing.

Not matching the registry URL exactly (e.g., scoped packages require @org:registry=…).

Summary:
Fine-grained tokens work for npm and Docker, but you must ensure the token has both the correct package permissions and repository access, and that your .npmrc or Docker login references it correctly. Without that, installs and pulls will fail even if gh CLI works.

[thomaslagies]

@wanbs14

Thanks for your reply. It seems like you are mixing the classic token permissions with fine grained token permissions in your answer.
A fine grained token is setup like this:

There is no setting for read:packages or write:packages, hence my post.

If I set my fine grained token into my .npmrc I get this:

Did you manage to get it to work or is this an AI copy paste?

Thanks

[kesect]

He did not manage to get it work at all, It was just AI copy and paste slop.

[thomaslagies]

I've read the article again and it seems like the sunset is for the npm classic tokens, not the gh classic tokens?
Will gh classic tokens be affected down the road?

[Moser-ss]

I think now that the announcement was about NPMJS classic tokens. Not all endpoints of the GitHub API are covered by fine-grained tokens. If the classic tokens were sunset, then we would see a lot of automations to fail

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬