fly build secret?

.github/workflows/fly-deploy.yml

@@ -14,6 +14,6 @@ jobs:
       - uses: superfly/flyctl-actions/setup-flyctl@master
 
       - name: Deploy to Fly.io
-        run: flyctl deploy --local-only --build-secret NPM_TOKEN=${{ secrets.GH_NPM_TOKEN }}
+        run: flyctl deploy --remote-only --build-secret GH_NPM_TOKEN=${{ secrets.GH_NPM_TOKEN }}
         env:
           FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}

Dockerfile

@@ -12,19 +12,18 @@ WORKDIR /app
 # Set production environment
 ENV NODE_ENV="production"
 
-# Argument for NPM token
-ARG NPM_TOKEN
-
 # Throw-away build stage to reduce size of final image
 FROM base as build
 
-# Set the NPM_TOKEN as an environment variable
-ENV NPM_TOKEN=${NPM_TOKEN}
-
 # Install packages needed to build node modules
 RUN apt-get update -qq && \
     apt-get install --no-install-recommends -y build-essential pkg-config python-is-python3
 
+# Mount the GH_NPM_TOKEN secret and use it to create bunfig.toml
+RUN --mount=type=secret,id=GH_NPM_TOKEN \
+    echo '[install.scopes]' > bunfig.toml && \
+    echo 'neodyland = { token = "'$(cat /run/secrets/GH_NPM_TOKEN)'", url = "https://npm.pkg.github.com/" }' >> bunfig.toml
+
 # Install node modules
 COPY --link bun.lockb package.json ./
 RUN bun install
@@ -39,8 +38,8 @@ RUN bun run build
 RUN rm -rf node_modules && \
     bun install --ci
 
-# Remove .npmrc to avoid token leakage
-RUN rm -f .npmrc
+# Remove bunfig.toml to avoid token leakage
+RUN rm -f bunfig.toml
 
 # Final stage for app image
 FROM base