From ca2e28376a90a8aa96fec08d4d4aa253bdf0ce8b Mon Sep 17 00:00:00 2001
From: Jason Walton
Date: Tue, 10 Sep 2019 13:32:30 -0400
Subject: [PATCH] Example showing how to use this to install private packages securely. (#56)
---
 README.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/README.md b/README.md
index e8c00d7..dec3ecd 100644
--- a/README.md
+++ b/README.md
@@ -83,6 +83,24 @@ steps:
 NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 ```
+Use private packages:
+```yaml
+steps:
+- uses: actions/checkout@master
+- uses: actions/setup-node@v1
+ with:
+ node-version: '10.x'
+ registry-url: 'https://registry.npmjs.org'
+# Skip post-install scripts here, as a malicious
+# script could steal NODE_AUTH_TOKEN.
+- run: npm install --ignore-scripts
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.YARN_TOKEN }}
+# `npm rebuild` will run all those post-install scritps for us.
+- run: npm rebuild && npm run prepare --if-present
+```
+
+
 # License
 The scripts and documentation in this project are released under the [MIT License](LICENSE)