Yarn add fails if package url should be fetched using "git config --global url"

[vzaidman]

in a project i work in, the line in package.json of a dependancy is:

"some_package": "bitbucket:some_company/some_package#develop"

in an automated environment the following command runs before npm install:

git config --global url."https://x-token-auth:${access_token}@bitbucket.org/some_company/".insteadOf https://bitbucket.org/some_company/

now when running yarn install --verbose i see that yarn first tries to get git refs from the repository but it has no permissions, and fails with 401:

verbose Request "https://bitbucket.org/some_company/some_package.git" finished with status code 302.
verbose Performing "GET" request to "https://bitbucket.org/some_company/some_package.git/info/refs?service=git-upload-pack".
verbose Request "https://bitbucket.org/some_company/some_package.git/info/refs?service=git-upload-pack" finished with status code 401.
verbose Error: Error connecting to repository. Please, check the url.

maybe in case of 401, the repository should be fetched using GIT.

[GProst]

I have a same issue

[adrienrn]

I've got the same thing with github and a private repository.

Arguments: 
  /home/vagrant/.nvm/versions/node/v7.3.0/bin/node /usr/share/yarn/bin/yarn.js install --verbose

PATH: 
  /home/vagrant/.nvm/versions/node/v7.3.0/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

Yarn version: 
  0.18.1

Node version: 
  7.3.0

Platform: 
  linux x64

npm manifest: 
  {
    "name": "theme-redstable",
    "version": "1.0.0",
    "description": "...",
    "main": "Gulpfile.js",
    "scripts": {
      "install": "napa -v",
      "test": "echo \"Error: no test specified\" && exit 1"
    },
    "repository": {
      "type": "git",
      "url": "git+https://github.com/xxx/yyy.git"
    },
    "keywords": [
      "wiztopic",
      "theme",
      "theming",
      "redcurrents",
      "redstable"
    ],
    "author": "...",
    "license": "private",
    "bugs": {
      "url": "..."
    },
    "homepage": "...",
    "devDependencies": {
      "gulp": "~3.9.1",
      "gulp-clean-css": "~2.3.2",
      "gulp-concat": "~2.6.0",
      "gulp-load-plugins": "~1.2.4",
      "gulp-plumber": "~1.1.0",
      "gulp-rename": "~1.2.2",
      "gulp-sass": "~2.3.2",
      "gulp-sourcemaps": "~2.2.1",
      "gulp-stats": "0.0.3",
      "gulp-uglify": "~1.5.4",
      "gulp-util": "~3.0.7",
      "gulp-watch": "~4.3.8"
    },
    "dependencies": {
      "bootstrap": "3.3.2",
      "datatables.net": "1.10.10",
      "fancybox": "2.1.5",
      "html5shiv": "3.7.3",
      "jquery": "jquery/jquery#1.10.2",
      "jquery.cookie": "1.4.1",
      "jquery-match-height": "0.6.0",
      "jquery-shorten": "staeff/jquery.shorten#53026acdd6788d3e1db48fb7f4c13f0af8602c8a",
      "jquery-validation": "1.16.*",
      "linkify": "SoapBox/linkifyjs#v1.1.6",
      "napa": "^2.3.0",
      "redcurrents-bentokit": "redcurrents/bentokit#0.1.2",
      "respond.js": "1.4.2",
      "select2": "3.5.1"
    },
    "napa": {
      "datatables-responsive": "DataTables/Responsive#2.0.0",
      "jquery-cookiecuttr": "cdwharton/cookieCuttr#ca4d2e7c1e860de3422dee3ed16ccc6a76d6c782",
      "jquery-datatables-column-filter-slider": "Kozea/jquery-datatables-column-filter#1.0.1"
    }
  }

yarn manifest: 
  No manifest

Lockfile: 
  No lockfile

Trace: 
  Error: Error connecting to repository. Please, check the url.
      at /usr/share/yarn/lib/resolvers/exotics/hosted-git-resolver.js:135:15
      at Generator.next (<anonymous>)
      at step (/usr/share/yarn/node_modules/babel-runtime/helpers/asyncToGenerator.js:17:30)
      at /usr/share/yarn/node_modules/babel-runtime/helpers/asyncToGenerator.js:28:13
      at process._tickCallback (internal/process/next_tick.js:103:7)

[joshburgess]

I'm also running into this while trying to install from a forked npm package hosted in a private BitBucket repo.

[rmmeans]

Note to others hacking on this - we were only able to get this to work if putting it in your GLOBAL gitconfig. It was still failing for us when the exact same config was put in the local git config.

Here is what we had to do to pull from a private github repo with an access token:

[url "https://{TOKEN}@github.com/"]
        insteadOf = git@github.com:
[url "https://"]
        insteadOf = git://

[paradite]

I can confirm that gitlab doesn't not have this issue.
We are able to pull private dependencies using https and CI_JOB_TOKEN like this:

git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.xyz.net".insteadOf 'ssh://git@gitlab.xyz.net'

package.json looks like this:

"our-package": "git+ssh://git@gitlab.xyz.net/our-group/our-package.git#v1.0.0"

Note that it fails if the dependency is declared using : instead / like this:

"our-package": "git+ssh://git@gitlab.xyz.net:our-group/our-package.git#v1.0.0"

This works as long as the person triggering the job has the permission to that package.

[afirth]

If you are having problems with this in github actions, and also using the actions/checkout action, you may be hitting actions/checkout#162 and need to unset or otherwise workaround the git extraheaders option it sets, as that basic auth header is checked before pretty much anything else. You can diagnose this by setting env GIT_TRACE_CURL=true

[CezaryDanielNowak]

I had similar issue inside a github action.

Instead of:

git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github.com/".insteadOf "git://git@github.com/"

I added this:

      - name: Configure package.json for github token
        uses: jacobtomlinson/gha-find-replace@v3
        with:
          find: "git+ssh://git@github.com:"
          replace: "https://${{ secrets.ACCESS_TOKEN }}@github.com/"
          regex: false
          include: "package.json"

Is it good? no.
Does it work? yes.
Also --frozen-lockfile option won't work

[TheLartians]

For anyone else running into this, what worked for us was simply replacing

      - uses: actions/checkout@v4

with

      - uses: actions/checkout@v4
        with:
          persist-credentials: false

Thanks @afirth for the pointer to the checkout action!