Pedro Delfino

Reputation: 2711

How to create and add a token to a .npmrc file on GitHub Actions unrelated with the Developers' token?

The project's local development environment makes it mandatory to have a .npmrc file with the following content:

registry=https://registry.npmjs.org/
@my-organization:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=your-GitHub-token-should-be-here-and-I-will-not-share-my-for-security-reasons

Hence, any client properly authenticated into the GitHub Packages Registry can install our private NPM packages hosted for free on GitHub Registry by running:

npm ci @my-organization/our-package

Ok, it works on my local development environment.

Now, I am building a Continuous Integration process with GitHub Actions which is a different but similar challenge. I have this on my .yaml file:

      - name: Create .npmrc for token authentication
        uses: healthplace/npmrc-registry-login-action@v1.0
        with:
          scope: '@my-organization'
          registry: 'https://npm.pkg.github.com'
        # Every user has a GitHub Personal Access Token (PAT) to
        # access NPM private repos. The build of GitHub Actions is
        # symmetrical to what every developer on the project has to
        # face to build the application on their local development
        # environment. Hence, GitHub Actions also needs a Token! But,
        # it is NOT SAFE to insert the text of a real token on this
        # yml file. Thus, the institutional workaround is to insert
        # the `{{secret}}` below which is aligned/set in the project
        # settings on GitHub!
          auth-token: ${{secrets.my_repo_secret_key_which_is_not_being_shared}}

On GitHub settings->secrets->actions->"add secret":


As the secret value, I added my Personal Access Token, the same one I have in my .npmrc file. It works for npm i.

Nobody can see the secret value on GitHub. Not even me, the person who added it and the admin. The value can only be updated or removed.

This feels "good enough" for security, but still, it does not feel like best practice. I believe it would be better to have a "new working" token detached from any personal token being used by a developer who is working on the project.

Is it possible to generate and insert a value of GitHub Personal Access Token which is unrelated to the Personal Access Token of people working on the project?

If yes, how to do it?

Upvotes: 1

Views: 6393

Answers (1)

Wilson

Reputation: 21

You should use GITHUB_TOKEN instead of a PAT (personal access token).

Upvotes: 2
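The GITHUB_TOKEN approach from the answer above as a complete workflow, added here as an example (it is not code from the question or the answer author). It assumes the @my-organization packages are owned by this repository, or that this repository has been granted read access to them in the package settings, and that no .npmrc containing an _authToken line is committed to the repository.

```yaml
# Added example: authenticate npm to GitHub Packages with the job-scoped
# GITHUB_TOKEN instead of a developer's PAT. The token is minted per job,
# scoped to this repository and expires when the job ends, so no personal
# credential has to be stored as a repository secret.
name: ci
on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read   # least privilege: installing only needs package read access
    steps:
      - uses: actions/checkout@v4

      # setup-node writes a user-level .npmrc for the job that maps the
      # @my-organization scope to npm.pkg.github.com and reads the auth
      # token from NODE_AUTH_TOKEN at install time. Nothing secret is
      # written into this YAML file or into the repository.
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          registry-url: 'https://npm.pkg.github.com'
          scope: '@my-organization'

      # A project-level .npmrc takes precedence over the user-level one, so
      # the repository must not commit a .npmrc carrying an _authToken line
      # (the placeholder token from the question would override this one).
      - run: npm ci
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

For packages owned by another organization, GITHUB_TOKEN cannot authenticate; that case still needs a dedicated credential stored as a repository secret rather than a developer's own PAT.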
