The Fontawesome Pro instructions describe placing a secret key in a .npmrc file but it is unclear how this file should be managed. Specifically, should this file be ignored by Git?
1

orome
- From the doc., this file contains an auth token or package token. It might be sensitive data, so please ignore it and do not commit it to the Git server. – vee Apr 08 '22 at 04:02
- @vee Looking closer, I think that's wrong. I should commit it, substitute an environment variable for the value, and use `env` in the Action to set that variable to a corresponding secret in the repo. – orome Apr 10 '22 at 21:51
- They said _Keep It Secret, Keep It Safe!_ _Your super-secret npm token - FONT-AWESOME-PACKAGE-TOKEN - is private. Don't share it with anyone who shouldn't have it._ It depends on you, but I confirm: do not commit it. – vee Apr 10 '22 at 22:10
- @vee No, that’s wrong. The token is safe as a repo secret and is only referenced by _name_ in the file. And it _must_ be there in order for the package to load during the action. – orome Apr 10 '22 at 22:13
2 Answers
4
The Fontawesome Pro instructions are correct as an example of the general approach to managing sensitive information in a .npmrc file:
- all sensitive values there should be replaced by environment variables, and
- those variables should then be defined as managed secrets in whatever environment the repo will be pushed to.

orome
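An added example of the approach in this answer, not code from the question, the answers or Font Awesome's docs: a pre-commit or CI guard that accepts a .npmrc which references the token only by variable name and rejects one carrying a literal value. The variable name FONTAWESOME_NPM_AUTH_TOKEN, the @fortawesome scope and the npm.fontawesome.com host are assumptions about the Font Awesome setup, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the question, the answers or Font Awesome's docs).
# npm expands ${NAME} in .npmrc values from the environment at run time, so the
# committed file holds only the variable name; the guard below refuses any
# literal token before it can be pushed. FONTAWESOME_NPM_AUTH_TOKEN, the
# @fortawesome scope and npm.fontawesome.com are assumed, not taken from the page.
# In a GitHub Actions workflow the variable is filled from a repository secret:
#   env:
#     FONTAWESOME_NPM_AUTH_TOKEN: ${{ secrets.FONTAWESOME_NPM_AUTH_TOKEN }}

# Returns 0 when every _authToken line in the given .npmrc holds a ${VARIABLE}
# reference, 1 when any of them holds a literal value. The offending value is
# never echoed, so the guard itself cannot leak a token into CI logs.
npmrc_tokens_are_env_refs() {
    status=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            *:_authToken=*) ;;      # only auth-token lines are inspected
            *) continue ;;
        esac
        value=${line#*:_authToken=}
        case "$value" in
            '${'*'}') ;;            # ${NAME}: resolved from the environment, safe to commit
            *) printf 'line %d: literal auth token (value redacted)\n' "$lineno" >&2
               status=1 ;;
        esac
    done < "$1"
    return "$status"
}

# Constructed sample: the form that belongs in the repo ...
OK_NPMRC=$(mktemp)
cat > "$OK_NPMRC" <<'EOF'
@fortawesome:registry=https://npm.fontawesome.com/
//npm.fontawesome.com/:_authToken=${FONTAWESOME_NPM_AUTH_TOKEN}
EOF

# ... and the form that must never be committed (placeholder, not a real token).
BAD_NPMRC=$(mktemp)
cat > "$BAD_NPMRC" <<'EOF'
@fortawesome:registry=https://npm.fontawesome.com/
//npm.fontawesome.com/:_authToken=EXAMPLE-LITERAL-TOKEN-DO-NOT-COMMIT
EOF

npmrc_tokens_are_env_refs "$OK_NPMRC" && echo ".npmrc is safe to commit"
npmrc_tokens_are_env_refs "$BAD_NPMRC" || echo ".npmrc must not be committed"
```

Wire the function into a pre-commit hook or an early CI step so the check runs before `npm install` ever sees the file.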
2
My answer would say it's best to ignore it and not push it to the repo, as if you have multiple engineers contributing changes to a generated package for push to the registry, each developer will have to have their own .npmrc file and it's unlikely that you'd ever want that pushed to the repo as each attempt would overwrite/conflict.
I could imagine a scenario where you'd like to automate by using a single credential for all devs and thus one global .npmrc file, but that is an obvious security faux pas in my view.

David Saintloth