tokens

.github/workflows/fly-deploy.yml

@@ -1,5 +1,3 @@
-# See https://fly.io/docs/app-guides/continuous-deployment-with-github-actions/
-
 name: Fly Deploy
 on:
   push:
@@ -9,11 +7,13 @@ jobs:
   deploy:
     name: Deploy app
     runs-on: ubuntu-latest
-    concurrency: deploy-group    # optional: ensure only one action runs at a time
+    concurrency: deploy-group
     steps:
       - uses: actions/checkout@v4
+
       - uses: superfly/flyctl-actions/setup-flyctl@master
-      - run: flyctl deploy --local-only
+
+      - name: Deploy to Fly.io
+        run: flyctl deploy --local-only --build-arg NPM_TOKEN=${{ secrets.GH_NPM_TOKEN }}
         env:
-          FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
-          GH_NPM_TOKEN: ${{ secrets.GH_NPM_TOKEN }}
+          FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}

Dockerfile

@@ -12,10 +12,15 @@ WORKDIR /app
 # Set production environment
 ENV NODE_ENV="production"
 
+# Argument for NPM token
+ARG NPM_TOKEN
 
 # Throw-away build stage to reduce size of final image
 FROM base as build
 
+# Set the NPM_TOKEN as an environment variable
+ENV NPM_TOKEN=${NPM_TOKEN}
+
 # Install packages needed to build node modules
 RUN apt-get update -qq && \
     apt-get install --no-install-recommends -y build-essential pkg-config python-is-python3
@@ -34,6 +39,8 @@ RUN bun run build
 RUN rm -rf node_modules && \
     bun install --ci
 
+# Remove .npmrc to avoid token leakage
+RUN rm -f .npmrc
 
 # Final stage for app image
 FROM base
@@ -43,4 +50,4 @@ COPY --from=build /app /app
 
 # Start the server by default, this can be overwritten at runtime
 EXPOSE 3000
-CMD [ "bun", "run", "start" ]
+CMD [ "bun", "run", "start" ]