Tokens
When dealing with various private packages hosted on GitHub, managing tokens effectively is crucial for local development environments. The following outlines the standard and recommended practices for ensuring access to these packages during local development and how to handle these tokens in runners.
Local Development
To provide developers (GitHub users) with access to private GitHub-hosted packages, two things are necessary:
- They need to be added to a “newfold-labs” team on GitHub.
- They must have a token set up with read access to packages.
If you’re not already a member of the appropriate team within the organization, please reach out to your team lead. To learn more about github organization team management, please refer to the Organization Teams docs
Follow these steps to set up a personal access token:
- Navigate to GitHub’s developer settings (currently located at the bottom of the settings side navigation).
- Access the “Personal access tokens (classic)” page. (The URL should be: https://github.com/settings/tokens)
- Generate a new (classic) token by clicking the button at the top of the page.
- Assign a name to your token and set an expiration date. Given that a user’s access is revoked when they are removed from an organization team on GitHub, setting a lengthy expiration period is appropriate.
- Choose the desired access scope: Mark the checkbox for
read:packages
and then click “Generate token.” - Copy the generated token, which should be in the format
ghp_xXxXxX
. - On your development machine, navigate to the root of your user directory and either create or locate a
.npmrc
file. (You might need to make hidden files visible.) - Add the token to the file in the following manner:
legacy-peer-deps=true @newfold-labs:registry=https://npm.pkg.github.com/ # My Personal Access Token //npm.pkg.github.com/:_authToken=ghp_xXxXxX
GitHub Runner Access
Keep in mind that GitHub workflows and actions require access to these files as well. However, we CANNOT add a token to any repository, as it would compromise the security of the private packages. Instead, the workflow will generate a similar .npmrc
file while building the plugins and retrieve a token from a repository secret. This token will be used to install private packages. When preparing files for distribution, the workflow will ignore the file containing the token.