GitHub Package Registry: Manage Packages Alongside Your Source Code

Apr 29, 2021

5 minutes

Publishing software packages is already pretty easy, so what does GitHub's Package Registry offer that we don't already have? With GitHub Package Registry you can:

Develop and host packages in the same place
Use said packages as dependencies in your source code on GitHub
Easily configure private or public packages
Easily manage permissions as the package inherits the same permissions as the repository
Leverage GitHub's existing DevOps tools for better workflow integration

In this guide, we'll find out exactly what all of this means. We're going to go through the process of publishing (and using) an npm package, and as we go, we'll discuss some of the features and shortfalls of GitHub Package Registry.

Keep in mind, GitHub Package Registry is still currently in beta.

h/git • 16 guides

h/news • 143 guides

h/github • 8 guides

One of the key features of GitHub Package Registry is that it uses existing repositories to build packages. If you're already a GitHub user then you probably understand how valuable GitHub's tools are for workflow automation and management. It only makes sense to use the same tools to publish software packages built from these repositories.

I'm going to use a repository I created specifically for this demo: https://github.com/josephtyler/hello-howchoo-npm. It's nothing special. Once imported, it will simply provide access to a function that prints "Hello, Howchoo!!".

This process will be slightly different depending on the package management tool, but for npm, we simply need to update package.json and authenticate.

Update package.json

Update package.json with the following:

"publishConfig": { "registry": "https://npm.pkg.github.com/" }

Authenticate with npm

npm login --registry=https://npm.pkg.github.com/

If 2FA is enabled on your GitHub Account

If you've got 2FA enabled on your account, you'll need to use a personal access token instead of your password. Use our guide to learn how to create personal access tokens on GitHub.

After we configure everything properly, we can easily publish using tools we're already familiar with. Later in this guide, we'll cover options for more advanced deployment of packages.

Set the package name

Before we publish, we need to make sure the package name is correct in our package.json file. To do this you'll need two pieces of information, the OWNER and the NAME.

So update your package name (if necessary) to @OWNER/NAME. Here's an example from my demo repository:

{
  "name": "@josephtyler/hello-howchoo-npm",
  ...
}

Publish

Now we can easily publish our package:

npm publish

Again, we can use all of the familiar tools for installing and using npm packages.

For this step, I'm using another GitHub repo https://github.com/Howchoo/hello-howchoo-test. This is another small JS app where I'll install my package and use my helloHowchoo function extensively.

Configure the repo use GitHub Package Registry

In order to pull from GitHub Package Registry, we'll need to add an .npmrc file identifying the registry we want to pull from. The file contains nothing more than this:

registry=https://npm.pkg.github.com/josephtyler

See the following step for details on using packages from multiple registries.

Installing packages

To install the package, we can using the npm install command:

npm install @josephtyler/hello-howchoo-npm

Permissions

Anyone can install packages from public repositories. But if you're wanting to install a package from a private repo, you'll have to authenticate and have access granted. Access permissions in GitHub apply to both repositories and packages. So if you have access to the repo, you have access to the package.

It's likely you'll want to install packages from multiple registries. With the .npmrc file we added above, you can install from packages in the @josephtyler user and any package in the npm registry.

To add packages from multiple users or organizations you can use the following example in your .npmrc.

@josephtyler:registry=https://npm.pkg.github.com
@howchoo:registry=https://npm.pkg.github.com

At this point, we should confirm we can actually import and use our helloHowchoo function. In the test repository (linked to in the previous step), there's a file called test.js. It contains the following:

var hh = require('@josephtyler/hello-howchoo-npm');

hh.helloHowchoo();

And we can execute the test script via the command line using:

node test.js

Sure enough, it's a great success!

$ node test.js
Hello, Howchoo!!

Right now, GitHub Package Registry supports the following managers:

npm (JavaScript)
Docker (Docker containers)
Maven (Java)
RubyGems (Ruby)
NuGet (Microsoft)

Pros

GitHub Package Registry is a beautiful tool. Most of the functionality is not new or revolutionary, but there are two things about this tool that stand out.

It's the logical place to put packages

Even though package registries already exist, it's a HUGE benefit to be able to browse a code base and quickly see which packages are available for use. The code for most packages that I've used in the past is already on GitHub, so it just makes sense to be able to browse available packages while I'm browsing the source code.

GitHub permissions are good

GitHub permissions work well for managing source code, and in most cases those same permissions would apply properly to packages as well.

Cons

There is only one major issue I can see.

Where is Python support?

Where is support for one of, if not the, most popular programming languages in the world? In many polls and articles, Python is considered to be the fastest growing and most widely used programming language on Earth. Support for Python is essential.