npm
docs: docker-and-private-modules
@MylesBorins the previous PRs have pivoted too much and their goal was not stated clearly. This is my fault so this is a final PR that will attempt to clearly and shorty state its purpose and what problems it's trying to fix.
The reason behind this PR is to securely download private npm packages when building a docker image and address the pitfalls with the current set-up in the documentation which are also explained in this article.
Current set-up will save your npm token in the final docker image. This PR solves that problem by showing you how to use the --secret flag with the docker build command and not have your npm token saved in your final docker image.
@MylesBorins I think you were concerned about that Docker image not working on CI?
This works for me with GitHub Actions:
- name: Build and Push Docker image
run: |
echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > .npmrc
docker buildx build . -f Dockerfile -t ${{ secrets.DOCKER_USERNAME }}/${{ secrets.DOCKER_REPOSITORY }} --secret id=npmrc,src=.npmrc --push
You have to of course set-up other steps for it like docker buildx, logging to docker etc. but that is GitHub Actions specific. The point in question is that this
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm install
can work on CI.
@MylesBorins @monishcm I've tried to address the previous concerns but maybe I could improve this PR in any way?
@matzar this looks good now. I'm going to test the new instructions locally and then assuming it all works land this
