How can I use GitHub secrets in a .npmrc file?

Question

I have a project on GitHub that has several dependencies all of which are published on GitHub Package Registry.

I use GitHub actions to publish my packages. I am able to use GitHub secrets in my workflow.yml file but not so in my .npmrc file.

As there is no way for a CI environment to know the value stored in a secret if I used it in my .npmrc file as _authToken={GPR_TOKEN}, I am curious if there is a workaround since my current implementation is to use my Personal Access Token(PAT) literally in my npmrc.

I have used ${GITHUB_TOKEN} successfully but it fails during my CI job because {GITHUB_TOKEN} is only scoped for the repository the workflow is running from and cannot be used to install dependencies.

I also tried using _authToken={MY_PAT_SECRET} in the .npmrc file but my CI job fails. The only thing that has worked so far is pasting my PAT in .npmrc but I don't want to do it.

Any ideas or workarounds about how to use GitHub secrets in a .npmrc file?

Answer 1

According to https://docs.npmjs.com/cli/v9/configuring-npm/npmrc:

Environment variables can be replaced using ${VARIABLE_NAME}.

So, if you configure your PAT as an environment variable, it should automatically be replaced. For example, for an env var ${PAT}, setting PAT with the env context like this should work:

     - name: Build
       env: 
         PAT: ${{ secrets.PAT }}
       run: ...

---

If for some reason the above isn't working for you, you can use the envsubst command line utility to substitute PAT and other env vars.

It works on all GHA-hosted runners under shell: bash.

Example:

     - name: Set up .npmrc
       env: 
         PAT: ${{ secrets.PAT }}
       run: |
         envsubst < .npmrc > .npmrc.envsubst
         mv .npmrc.envsubst .npmrc

It creates an intermediate file that needs to be renamed to the original.

The above will substitute all the available env vars.

If you want to substitute some specific ones only, you need to mention those. Here's an example that only substitutes PAT and AUTHOR:

envsubst '${PAT} ${AUTHOR}' < .npmrc > .npmrc.envsubst
mv .npmrc.envsubst .npmrc

Answer 2

I don't think you should use a PAT here. They are for use by humans, not your CI workflow. Instead, as you point out, use the GITHUB_TOKEN.

Here is how:

1. In the repo which holds the npm package: Click the name of your package from the front page, right-most column. (section named "Packages").
2. You are now on a page where you can see the versions published for said npm package. Again look in the right-most column. You'll find a link called "Package settings". Click it.
3. Go to the section named "Manage Actions access". Add the repository to which you want to grant access to consume the npm package (or grant access to publish).

Done. You can now use the GITHUB_TOKEN instead of the PAT.

And by the way: GitHub's documentation is highly confusing. It says for example that you must use a PAT. This is no longer correct.