
How can I use GitHub secrets in a .npmrc file?


I have a project on GitHub that has several dependencies, all of which are published on GitHub Package Registry.

I use GitHub Actions to publish my packages. I am able to use GitHub secrets in my workflow.yml file but not so in my .npmrc file.

As there is no way for a CI environment to know the value stored in a secret if I used it in my .npmrc file as _authToken={GPR_TOKEN}, I am curious if there is a workaround, since my current implementation is to use my Personal Access Token (PAT) literally in my .npmrc.

I have used ${GITHUB_TOKEN} successfully but it fails during my CI job because {GITHUB_TOKEN} is only scoped for the repository the workflow is running from and cannot be used to install dependencies.

I also tried using _authToken={MY_PAT_SECRET} in the .npmrc file but my CI job fails. The only thing that has worked so far is pasting my PAT in .npmrc but I don't want to do it.

Any ideas or workarounds about how to use GitHub secrets in a .npmrc file?


Solution

  • It's probably not the ideal solution, but you can achieve the result you want by using a sed command.

    Supposing your .npmrc file looks like this:

    authToken=MY_PAT_SECRET 
    

    You could replace MY_PAT_SECRET with the PAT secret value in the pipeline by adding a step like this (after having previously used actions/checkout):

         - name: Replace values
           shell: bash
           env: 
              PAT: ${{ secrets.PAT }}
           run: |
             sed -i.back "s|MY_PAT_SECRET|${PAT}|g" ./path/to/.npmrc
    

    Note 1: This will work on an Ubuntu or macOS runner.

    Note 2: The sed command will update all instances matching the specified pattern, so don't use something too generic.


    I made a test in this workflow run by using this workflow file, and it worked as expected.
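The `sed` substitution from the answer would write a corrupted token if the secret contained `&`, `|` or `\`, and it leaves the placeholder in place without an error if the pattern is mistyped or the secret is empty. A hardened form of the same step, added here as an example and not part of the original answer; the function name `render_npmrc` is hypothetical, and the token is read from the `PAT` environment variable as in the answer's step:

```bash
#!/usr/bin/env bash
# Added example (not from the original answer).
# render_npmrc FILE PLACEHOLDER : replace PLACEHOLDER in FILE with the value of $PAT.
render_npmrc() {
  local file="$1" placeholder="$2" token="${PAT:-}" escaped tmp

  # A secret that is not defined reaches the step as an empty string: fail loudly.
  if [ -z "$token" ]; then
    echo "render_npmrc: PAT is empty or unset" >&2; return 1
  fi
  # Keep the placeholder to [A-Za-z0-9_] so it has no regex meaning in sed.
  case "$placeholder" in
    ''|*[!A-Za-z0-9_]*) echo "render_npmrc: invalid placeholder" >&2; return 1 ;;
  esac
  # Stop if the placeholder is absent, otherwise npm would run with the literal text.
  if ! grep -qF -- "$placeholder" "$file"; then
    echo "render_npmrc: placeholder not found in $file" >&2; return 1
  fi

  # Escape what is special in a sed replacement: backslash, '&' and the '|' delimiter.
  escaped=$(printf '%s' "$token" | sed -e 's/[\\&|]/\\&/g')

  # mktemp creates the file with mode 0600; mv then swaps it in over the original.
  tmp=$(mktemp "${file}.XXXXXX") || return 1
  if sed "s|${placeholder}|${escaped}|g" "$file" > "$tmp"; then
    mv "$tmp" "$file"
  else
    rm -f "$tmp"; return 1
  fi
}
```

In the workflow, the function body replaces the raw `sed -i.back` line, with `PAT` still supplied through the step's `env:` block. The rewritten .npmrc holds the token in clear text, so it should not be committed or uploaded as an artifact.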