You want to distribute a proprietary NPM package as a GitHub repository "in situ," without publishing it to npmjs.org or even to GitHub Packages. (For example, the package may be subject to constant change, which is not a good fit for the NPM distribution model.)
NPM allows URLs, or even GitHub URLs, as dependencies.
When one of these is specified, NPM will perform a shallow clone to install the dependency, and will record the commit ref in your package-lock.json
.
However: when the Git repository in question is not public, there is an incompatibility between the way developers, GitHub Actions, and NPM like to access private repositories.