Publish npm secret key in public repository

Hello everyone, I have a question about GitHub.
I published an npm secret key in a public repository and GitHub deleted this key. But I don't understand: could someone have seen this key and downloaded my packages?


Hi @gespispace,

> I published an npm secret key in a public repository and GitHub deleted this key. But I don't understand: could someone have seen this key and downloaded my packages?

If your PAT only has the read:packages scope, it should be safe to share unless you have access to any private packages you need to protect. To do this you will need to find a way to encode your token so that GitHub doesn’t detect and automatically delete it.

I’ve created a tool that will let you encode read:packages PATs for use in various package ecosystems. If you have Docker installed, you can use it like this:

```
docker run jcansdale/gpr encode <READ_PACKAGES_TOKEN>
```

It will output the following:

An encoded token can be included in a public repository without being automatically deleted by GitHub.
These can be used in various package ecosystems like this:

A NuGet `nuget.config` file:

```xml
<packageSourceCredentials>
  <github>
    <add key="Username" value="PublicToken" />
    <add key="ClearTextPassword" value="&#60;&#82;&#69;&#65;&#68;&#95;&#80;&#65;&#67;&#75;&#65;&#71;&#69;&#83;&#95;&#84;&#79;&#75;&#69;&#78;&#62;" />
  </github>
</packageSourceCredentials>
```

A Maven `settings.xml` file:

```xml
<servers>
  <server>
    <id>github</id>
    <username>PublicToken</username>
    <password>&#60;&#82;&#69;&#65;&#68;&#95;&#80;&#65;&#67;&#75;&#65;&#71;&#69;&#83;&#95;&#84;&#79;&#75;&#69;&#78;&#62;</password>
  </server>
</servers>
```

An npm `.npmrc` file:

```
@OWNER:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken="\u003c\u0052\u0045\u0041\u0044\u005f\u0050\u0041\u0043\u004b\u0041\u0047\u0045\u0053\u005f\u0054\u004f\u004b\u0045\u004e\u003e"
```

You now store your access token with your project files, so developers can simply clone and build your project without needing to generate their own PAT.

I hope that helps!
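The reply above shows that a token written as HTML numeric entities (NuGet, Maven) or as JavaScript `\uXXXX` escapes (`.npmrc`) passes through a literal-pattern scanner untouched. From the repository owner's side, the useful check is the reverse: decode those encodings before matching, so an audit of a checkout finds tokens whether or not they were encoded. The script below is an added example, not part of this thread or of the `gpr` tool. It assumes the classic `ghp_` prefix followed by 36 alphanumeric characters as the token shape, and the sample token and sample files are constructed for the demonstration (the token is not a real credential).

```python
import html
import re

# Constructed sample token (NOT a real credential): "ghp_" plus 36 alphanumerics,
# which is the token shape this example assumes for classic GitHub PATs.
SAMPLE_TOKEN = "ghp_" + "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"

# Literal pattern a naive scanner would use. It never matches the encoded forms.
TOKEN_RE = re.compile(r"ghp_[A-Za-z0-9]{36}")

JS_ESCAPE_RE = re.compile(r"\\u([0-9a-fA-F]{4})")


def decode_js_escapes(text: str) -> str:
    """Turn \\uXXXX sequences (as written in an .npmrc) back into characters."""
    return JS_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), text)


def normalize(text: str) -> str:
    """Undo HTML entities and JS escapes until nothing changes (handles mixing)."""
    prev = None
    cur = text
    while cur != prev:
        prev = cur
        cur = decode_js_escapes(html.unescape(cur))
    return cur


def find_tokens(text: str) -> list[str]:
    """Tokens present in the text once all supported encodings are removed."""
    return TOKEN_RE.findall(normalize(text))


def scan_files(files: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (filename, token, 'plain'|'encoded') for every token found.

    'encoded' means the literal pattern would have missed it and only the
    normalized text exposed it."""
    findings = []
    for name, content in files.items():
        plain = set(TOKEN_RE.findall(content))
        for tok in find_tokens(content):
            findings.append((name, tok, "plain" if tok in plain else "encoded"))
    return findings


# Constructed sample checkout, mirroring the three file formats shown in the
# thread plus one plaintext leak and one harmless file.
SAMPLE_FILES = {
    "nuget.config": (
        '<add key="ClearTextPassword" value="'
        + "".join(f"&#{ord(c)};" for c in SAMPLE_TOKEN)
        + '" />'
    ),
    ".npmrc": (
        '//npm.pkg.github.com/:_authToken="'
        + "".join(f"\\u{ord(c):04x}" for c in SAMPLE_TOKEN)
        + '"'
    ),
    "ci.env": f"NPM_TOKEN={SAMPLE_TOKEN}",
    "README.md": "Use a PAT with the read:packages scope.",
}

if __name__ == "__main__":
    for name, tok, how in scan_files(SAMPLE_FILES):
        # Print only a prefix so the audit log itself does not become a leak.
        print(f"{name}: {tok[:8]}... ({how})")
```

Running the block reports the NuGet and npm entries as `encoded` and the `ci.env` entry as `plain`, while the README produces nothing. The point of the fixed-point loop in `normalize` is that a scanner which decodes only once can still be beaten by double encoding; a real audit should extend the loop with whatever other transformations (base64, URL encoding) your repositories are known to use.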

No, I don't want to publish my secret key in a public repo.

@gespispace,

In that case, you can create a machine-user account, see:

You can then generate a PAT with the read:packages scope from this account, and use that in your .npmrc file instead.