CI/CD pipeline with private github package?

Hi!

At the moment I use codebuild for my CI/CD pipeline and want to change it to serverless framework if it is possible. But running into a problem with my private github package.

I want a secure way to put my token to my github package.
At the moment in codebuild:
I have the github token as a environment variable and in my buildspec file i run
echo "//npm.pkg.github.com/:_authToken=$NPM_TOKEN" > ~/.npmrc
before the
yarn install

i have tried to run that script in preinstall in package.json while also having the NPM_TOKEN in deployment profile parameters:

   "scripts": {
    "preinstall": "echo '//npm.pkg.github.com/:_authToken=$NPM_TOKEN' > ~/.npmrc"
  },

But i get:

build step: yarn install

yarn install v1.22.4

$ echo '//npm.pkg.github.com/:_authToken=$NPM_TOKEN' > ~/.npmrc

[1/4] Resolving packages...

[2/4] Fetching packages...

error An unexpected error occurred Request failed \"401 Unauthorized\""

I want the token in “deployment profile parameters”, but can’t “inject” it somewhere to make it work with yarn install. Anyone know any solution or have any workaround?

This is probably too late but just wanted to leave a comment for anyone else who finds this.

To avoid the preinstall step, just create a .npmrc file at the project root. Then add a variable for the token:
//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}

Make sure to add a secured parameter GITHUB_TOKEN in the project stage profile.

Actually with even there is .npmrc with registry=https://registry.npmjs.org/:_authToken=${NPM_TOKEN} and NPM_TOKEN set in parameters I’m getting:

build step: npm ci --if-present --unsafe-perm
Error: Failed to replace env in config: ${NPM_TOKEN}