Suddenly started receiving 403 Forbidden when fetching private packages in Github Actions

[valdemarrolfsen]

Hi,

Today we suddenly started receiving 403 Forbidden when installing private packages in an action:

error An unexpected error occurred: "https://npm.pkg.github.com/download/<our-org>/<package-name>/<version>/c465454e5b804aedd348669764fb1bc7ae6a68ec: Request failed \"403 Forbidden\"".

The issue only occurred for a new package published today and we noticed that Github recently (have not seen it before at least) has extended package settings in order to define permissions for packages. However, when updating the permissions to match previous packages we are still getting the 403 from actions.

Locally we are able to install the packages but for some reason the standard GITHUB_TOKEN or ${{ github.token }} does not have the right permissions. (The GitHub token has the default permissions read/write permissions on the organization level.)

[aron-hivebrite]

I got the same problem when I did:
yarn add my-package

➤ YN0027: my-package@unknown can't be resolved to a satisfying range
➤ YN0035: The remote server failed to provide the requested resource
➤ YN0035: Response Code: 403 (Forbidden)
➤ YN0035: Request Method: GET
➤ YN0035: Request URL: https://npm.pkg.github.com/my-package

Do you have any aidea?

[trondtactile]

We had the same issue, sort of. We have no issue downloading packages from new package repositories, however, we have problems querying for package versions.

What we found is that new package repositories do not have the Inherit access from source repository enabled by default.
HOWEVER... enabling this setting allowed us to query package versions using Github API, but NOT GraphQL... So something seems to be broken internally.

Also, Inherit access from source repository does not seem to be exposed for manipulation by their API, which sucks...

[ashwch]

In my case the issue was the billing limit, yarn add still shows just 403(even with --verbose) but using npm add we got:

npm ERR! 403 403 Forbidden - GET https://npm.pkg.github.com/download/***** - Permission permission_denied: Account has reached its billing limit. Contact support or your organization admin to increase the quota. https://docs.github.com/en/github/setting-up-and-managing-billing-and-payments-on-github/about-billing-for-github-packages

[tom-sherman]

I just ran into this. For me the problem was that I had set some permissions incorrectly in my job. contents: read was assumed by default, in my workflow I had:

permissions:
  id-token: write

This permissions block doesn't extend the default settings, it instead overwrites it. So the above yaml implicitly has contents: none. The fix was quite simple, just apply the contents: read permission explicitly. Note that metadata: read is also part of the defaults, so you may need to set that also if you run into the same scenario.

The fixed yaml:

 permissions:
   id-token: write
+  contents: read

[eccentricOrange]

I'm running into this issue. I already have contents: read

[mariaeltsova]

I am running into the same issue. Locally the installation of the package works fine, no problems with any billing limits, but on jenkins the npm install gives this error. I think the problem might be that I am using 4yo token there, which worked all these years but somehow does not work today.

[mariaeltsova]

It was resolved after we payed a randomly occurred cost for storage on GitHub. The original error was

code E403
npm ERR! 403 403 Forbidden - GET https://npm.pkg.github.com/download/<package from our GH registry>-
Permission permission_denied: Account has reached its billing limit. Contact support or your organization admin to increase the quota. https://docs.github.com/en/github/setting-up-and-managing-billing-and-payments-on-github/about-billing-for-github-packages
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy, or
npm ERR! 403 on a server you do not have access to.

[tboerger]

Similar for me, but on npmjs:

Run npm install @openapitools/openapi-generator-cli -g
npm error code E403
npm error 403 403 Forbidden - GET https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz
npm error 403 In most cases, you or one of your dependencies are requesting
npm error 403 a package version that is forbidden by your security policy, or
npm error 403 on a server you do not have access to.
npm error A complete log of this run can be found in: /home/runner/.npm/_logs/2025-08-26T13_10_52_392Z-debug-0.log

[msalmanmasood]

For me it happened for a pkg only but not for others

$ yarn install v1.22.22
[1/4] Resolving packages...
verbose 0.354168973 Performing "GET" request to "https://npm.pkg.github.com/@sapcc%2flimes-ui".
verbose 1.15610459 Request "https://npm.pkg.github.com/@sapcc%2flimes-ui" finished with status code 403.
verbose 1.174891283 Error: https://npm.pkg.github.com/@sapcc%2flimes-ui: Permission permission_denied: read_package

[msalmanmasood]

ignore it; sapcc is private registry for internal use only!

[diego-escribano]

Have you folks found any solution?

We have started getting the same error out of the blue (different library), without us changing any of our Github Actions configuration.

Maven Central (where the dependency is fetching from) does not show any issues + we can build locally without any issues.

[FaFre]

its a temporary global problem of github, you can find many people on x posting about it

[Nadavshab]

Could you send a link to those posts ?

[FaFre]

https://xcancel.com/search?f=tweets&q=github+maven

[FaFre]

actions/runner#4180